import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Four different resources help you manage your IAM policy for a organization. Each of these resources serves a different use case: * * * `gcp.organizations.IAMPolicy`: Authoritative. Sets the IAM policy for the organization and replaces any existing policy already attached. * * `gcp.organizations.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the organization are preserved. * * `gcp.organizations.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the organization are preserved. * * `gcp.organizations.IamAuditConfig`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service. * * > **Note:** `gcp.organizations.IAMPolicy` **cannot** be used in conjunction with `gcp.organizations.IAMBinding`, `gcp.organizations.IAMMember`, or `gcp.organizations.IamAuditConfig` or they will fight over what your policy should be. * * > **Note:** `gcp.organizations.IAMBinding` resources **can be** used in conjunction with `gcp.organizations.IAMMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.organizations.IAMPolicy * * !> **Warning:** New organizations have several default policies which will, * without extreme caution, be **overwritten** by use of this resource. * The safest alternative is to use multiple `gcp.organizations.IAMBinding` * resources. This resource makes it easy to remove your own access to * an organization, which will require a call to Google Support to have * fixed, and can take multiple days to resolve. * * In general, this resource should only be used with organizations * fully managed by this provider.I f you do use this resource, * the best way to be sure that you are not making dangerous changes is to start * by **importing** your existing policy, and examining the diff very closely. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * }], * }); * const organization = new gcp.organizations.IAMPolicy("organization", { * orgId: "1234567890", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }], * }); * const organization = new gcp.organizations.IAMPolicy("organization", { * orgId: "1234567890", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.organizations.IAMBinding * * > **Note:** If `role` is set to `roles/owner` and you don't specify a user or service account you have access to in `members`, you can lock yourself out of your organization. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMBinding("organization", { * orgId: "1234567890", * role: "roles/editor", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMBinding("organization", { * orgId: "1234567890", * role: "roles/editor", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.organizations.IAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMMember("organization", { * orgId: "1234567890", * role: "roles/editor", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMMember("organization", { * orgId: "1234567890", * role: "roles/editor", * member: "user:jane@example.com", * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.organizations.IamAuditConfig * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IamAuditConfig("organization", { * orgId: "1234567890", * service: "allServices", * auditLogConfigs: [ * { * logType: "ADMIN_READ", * }, * { * logType: "DATA_READ", * exemptedMembers: ["user:joebloggs@example.com"], * }, * ], * }); * ``` * * ## gcp.organizations.IAMBinding * * > **Note:** If `role` is set to `roles/owner` and you don't specify a user or service account you have access to in `members`, you can lock yourself out of your organization. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMBinding("organization", { * orgId: "1234567890", * role: "roles/editor", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMBinding("organization", { * orgId: "1234567890", * role: "roles/editor", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.organizations.IAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMMember("organization", { * orgId: "1234567890", * role: "roles/editor", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IAMMember("organization", { * orgId: "1234567890", * role: "roles/editor", * member: "user:jane@example.com", * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## gcp.organizations.IamAuditConfig * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const organization = new gcp.organizations.IamAuditConfig("organization", { * orgId: "1234567890", * service: "allServices", * auditLogConfigs: [ * { * logType: "ADMIN_READ", * }, * { * logType: "DATA_READ", * exemptedMembers: ["user:joebloggs@example.com"], * }, * ], * }); * ``` * * ## Import * * > **Custom Roles** If you're importing a IAM resource with a custom role, make sure to use the * full name of the custom role, e.g. `organizations/{{org_id}}/roles/{{role_id}}`. * * > **Conditional IAM Bindings**: If you're importing a IAM binding with a condition block, make sure * to include the title of condition, e.g. `terraform import google_organization_iam_binding.my_organization "your-org-id roles/{{role_id}} condition-title"` */ export declare class IAMMember extends pulumi.CustomResource { /** * Get an existing IAMMember resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: IAMMemberState, opts?: pulumi.CustomResourceOptions): IAMMember; /** * Returns true if the given object is an instance of IAMMember. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is IAMMember; /** * An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. * Structure is documented below. */ readonly condition: pulumi.Output; /** * (Computed) The etag of the organization's IAM policy. */ readonly etag: pulumi.Output; /** * Identities that will be granted the privilege in `role`. * Each entry can have one of the following values: * * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. */ readonly member: pulumi.Output; /** * The organization id of the target organization. */ readonly orgId: pulumi.Output; /** * The role that should be applied. Only one * `gcp.organizations.IAMBinding` can be used per role. Note that custom roles must be of the format * `organizations/{{org_id}}/roles/{{role_id}}`. */ readonly role: pulumi.Output; /** * Create a IAMMember resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering IAMMember resources. */ export interface IAMMemberState { /** * An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. * Structure is documented below. */ condition?: pulumi.Input; /** * (Computed) The etag of the organization's IAM policy. */ etag?: pulumi.Input; /** * Identities that will be granted the privilege in `role`. * Each entry can have one of the following values: * * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. */ member?: pulumi.Input; /** * The organization id of the target organization. */ orgId?: pulumi.Input; /** * The role that should be applied. Only one * `gcp.organizations.IAMBinding` can be used per role. Note that custom roles must be of the format * `organizations/{{org_id}}/roles/{{role_id}}`. */ role?: pulumi.Input; } /** * The set of arguments for constructing a IAMMember resource. */ export interface IAMMemberArgs { /** * An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. * Structure is documented below. */ condition?: pulumi.Input; /** * Identities that will be granted the privilege in `role`. * Each entry can have one of the following values: * * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. */ member: pulumi.Input; /** * The organization id of the target organization. */ orgId: pulumi.Input; /** * The role that should be applied. Only one * `gcp.organizations.IAMBinding` can be used per role. Note that custom roles must be of the format * `organizations/{{org_id}}/roles/{{role_id}}`. */ role: pulumi.Input; }