import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Access Approval enables you to require your explicit approval whenever Google support and engineering need to access your customer content. * * To get more information about OrganizationSettings, see: * * * [API documentation](https://cloud.google.com/access-approval/docs/reference/rest/v1/organizations) * * ## Example Usage * * ### Organization Access Approval Full * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organizationAccessApproval = new gcp.organizations.AccessApprovalSettings("organization_access_approval", { * organizationId: "123456789", * notificationEmails: [ * "testuser@example.com", * "example.user@example.com", * ], * enrolledServices: [ * { * cloudProduct: "appengine.googleapis.com", * }, * { * cloudProduct: "dataflow.googleapis.com", * enrollmentLevel: "BLOCK_ALL", * }, * ], * }); * ``` * ### Organization Access Approval Active Key Version * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const myProject = new gcp.organizations.Project("my_project", { * name: "My Project", * projectId: "your-project-id", * orgId: "123456789", * deletionPolicy: "DELETE", * }); * const keyRing = new gcp.kms.KeyRing("key_ring", { * name: "key-ring", * location: "global", * project: myProject.projectId, * }); * const cryptoKey = new gcp.kms.CryptoKey("crypto_key", { * name: "crypto-key", * keyRing: keyRing.id, * purpose: "ASYMMETRIC_SIGN", * versionTemplate: { * algorithm: "EC_SIGN_P384_SHA384", * }, * }); * const serviceAccount = gcp.accessapproval.getOrganizationServiceAccount({ * organizationId: "123456789", * }); * const iam = new gcp.kms.CryptoKeyIAMMember("iam", { * cryptoKeyId: cryptoKey.id, * role: "roles/cloudkms.signerVerifier", * member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`), * }); * const cryptoKeyVersion = gcp.kms.getKMSCryptoKeyVersionOutput({ * cryptoKey: cryptoKey.id, * }); * const organizationAccessApproval = new gcp.organizations.AccessApprovalSettings("organization_access_approval", { * organizationId: "123456789", * activeKeyVersion: cryptoKeyVersion.apply(cryptoKeyVersion => cryptoKeyVersion.name), * enrolledServices: [{ * cloudProduct: "all", * }], * }, { * dependsOn: [iam], * }); * ``` * * ## Import * * OrganizationSettings can be imported using any of these accepted formats: * * * `organizations/{{organization_id}}/accessApprovalSettings` * * `{{organization_id}}` * * When using the `pulumi import` command, OrganizationSettings can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:organizations/accessApprovalSettings:AccessApprovalSettings default organizations/{{organization_id}}/accessApprovalSettings * $ pulumi import gcp:organizations/accessApprovalSettings:AccessApprovalSettings default {{organization_id}} * ``` */ export declare class AccessApprovalSettings extends pulumi.CustomResource { /** * Get an existing AccessApprovalSettings resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: AccessApprovalSettingsState, opts?: pulumi.CustomResourceOptions): AccessApprovalSettings; /** * Returns true if the given object is an instance of AccessApprovalSettings. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is AccessApprovalSettings; /** * The asymmetric crypto key version to use for signing approval requests. * Empty activeKeyVersion indicates that a Google-managed key should be used for signing. */ readonly activeKeyVersion: pulumi.Output; /** * This field will always be unset for the organization since organizations do not have ancestors. */ readonly ancestorHasActiveKeyVersion: pulumi.Output; /** * This field will always be unset for the organization since organizations do not have ancestors. */ readonly enrolledAncestor: pulumi.Output; /** * A list of Google Cloud Services for which the given resource has Access Approval enrolled. * Access requests for the resource given by name against any of these services contained here will be required * to have explicit approval. Enrollment can be done for individual services. * A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. * Structure is documented below. */ readonly enrolledServices: pulumi.Output; /** * If the field is true, that indicates that there is some configuration issue with the activeKeyVersion * configured on this Organization (e.g. it doesn't exist or the Access Approval service account doesn't have the * correct permissions on it, etc.). */ readonly invalidKeyVersion: pulumi.Output; /** * The resource name of the settings. Format is "organizations/{organization_id}/accessApprovalSettings" */ readonly name: pulumi.Output; /** * A list of email addresses to which notifications relating to approval requests should be sent. * Notifications relating to a resource will be sent to all emails in the settings of ancestor * resources of that resource. A maximum of 50 email addresses are allowed. */ readonly notificationEmails: pulumi.Output; /** * ID of the organization of the access approval settings. */ readonly organizationId: pulumi.Output; /** * Create a AccessApprovalSettings resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: AccessApprovalSettingsArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering AccessApprovalSettings resources. */ export interface AccessApprovalSettingsState { /** * The asymmetric crypto key version to use for signing approval requests. * Empty activeKeyVersion indicates that a Google-managed key should be used for signing. */ activeKeyVersion?: pulumi.Input; /** * This field will always be unset for the organization since organizations do not have ancestors. */ ancestorHasActiveKeyVersion?: pulumi.Input; /** * This field will always be unset for the organization since organizations do not have ancestors. */ enrolledAncestor?: pulumi.Input; /** * A list of Google Cloud Services for which the given resource has Access Approval enrolled. * Access requests for the resource given by name against any of these services contained here will be required * to have explicit approval. Enrollment can be done for individual services. * A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. * Structure is documented below. */ enrolledServices?: pulumi.Input[]>; /** * If the field is true, that indicates that there is some configuration issue with the activeKeyVersion * configured on this Organization (e.g. it doesn't exist or the Access Approval service account doesn't have the * correct permissions on it, etc.). */ invalidKeyVersion?: pulumi.Input; /** * The resource name of the settings. Format is "organizations/{organization_id}/accessApprovalSettings" */ name?: pulumi.Input; /** * A list of email addresses to which notifications relating to approval requests should be sent. * Notifications relating to a resource will be sent to all emails in the settings of ancestor * resources of that resource. A maximum of 50 email addresses are allowed. */ notificationEmails?: pulumi.Input[]>; /** * ID of the organization of the access approval settings. */ organizationId?: pulumi.Input; } /** * The set of arguments for constructing a AccessApprovalSettings resource. */ export interface AccessApprovalSettingsArgs { /** * The asymmetric crypto key version to use for signing approval requests. * Empty activeKeyVersion indicates that a Google-managed key should be used for signing. */ activeKeyVersion?: pulumi.Input; /** * A list of Google Cloud Services for which the given resource has Access Approval enrolled. * Access requests for the resource given by name against any of these services contained here will be required * to have explicit approval. Enrollment can be done for individual services. * A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. * Structure is documented below. */ enrolledServices: pulumi.Input[]>; /** * A list of email addresses to which notifications relating to approval requests should be sent. * Notifications relating to a resource will be sent to all emails in the settings of ancestor * resources of that resource. A maximum of 50 email addresses are allowed. */ notificationEmails?: pulumi.Input[]>; /** * ID of the organization of the access approval settings. */ organizationId: pulumi.Input; }