import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Three different resources help you manage your IAM policy for Cloud (Stackdriver) Logging LogView. Each of these resources serves a different use case: * * * `gcp.logging.LogViewIamPolicy`: Authoritative. Sets the IAM policy for the logview and replaces any existing policy already attached. * * `gcp.logging.LogViewIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the logview are preserved. * * `gcp.logging.LogViewIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the logview are preserved. * * A data source can be used to retrieve policy data in advent you do not need creation * * * `gcp.logging.LogViewIamPolicy`: Retrieves the IAM policy for the logview * * > **Note:** `gcp.logging.LogViewIamPolicy` **cannot** be used in conjunction with `gcp.logging.LogViewIamBinding` and `gcp.logging.LogViewIamMember` or they will fight over what your policy should be. * * > **Note:** `gcp.logging.LogViewIamBinding` resources **can be** used in conjunction with `gcp.logging.LogViewIamMember` resources **only if** they do not grant privilege to the same role. * * > **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions. * * ## gcp.logging.LogViewIamPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/logging.admin", * members: ["user:jane@example.com"], * }], * }); * const policy = new gcp.logging.LogViewIamPolicy("policy", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * policyData: admin.then(admin => admin.policyData), * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/logging.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }], * }); * const policy = new gcp.logging.LogViewIamPolicy("policy", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * policyData: admin.then(admin => admin.policyData), * }); * ``` * ## gcp.logging.LogViewIamBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const binding = new gcp.logging.LogViewIamBinding("binding", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const binding = new gcp.logging.LogViewIamBinding("binding", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * ## gcp.logging.LogViewIamMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const member = new gcp.logging.LogViewIamMember("member", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const member = new gcp.logging.LogViewIamMember("member", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * member: "user:jane@example.com", * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## > **Custom Roles** If you're importing a IAM resource with a custom role, make sure to use the * * full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. * --- * * # IAM policy for Cloud (Stackdriver) Logging LogView * * Three different resources help you manage your IAM policy for Cloud (Stackdriver) Logging LogView. Each of these resources serves a different use case: * * * `gcp.logging.LogViewIamPolicy`: Authoritative. Sets the IAM policy for the logview and replaces any existing policy already attached. * * `gcp.logging.LogViewIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the logview are preserved. * * `gcp.logging.LogViewIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the logview are preserved. * * A data source can be used to retrieve policy data in advent you do not need creation * * * `gcp.logging.LogViewIamPolicy`: Retrieves the IAM policy for the logview * * > **Note:** `gcp.logging.LogViewIamPolicy` **cannot** be used in conjunction with `gcp.logging.LogViewIamBinding` and `gcp.logging.LogViewIamMember` or they will fight over what your policy should be. * * > **Note:** `gcp.logging.LogViewIamBinding` resources **can be** used in conjunction with `gcp.logging.LogViewIamMember` resources **only if** they do not grant privilege to the same role. * * > **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions. * * ## gcp.logging.LogViewIamPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/logging.admin", * members: ["user:jane@example.com"], * }], * }); * const policy = new gcp.logging.LogViewIamPolicy("policy", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * policyData: admin.then(admin => admin.policyData), * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/logging.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }], * }); * const policy = new gcp.logging.LogViewIamPolicy("policy", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * policyData: admin.then(admin => admin.policyData), * }); * ``` * ## gcp.logging.LogViewIamBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const binding = new gcp.logging.LogViewIamBinding("binding", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * members: ["user:jane@example.com"], * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const binding = new gcp.logging.LogViewIamBinding("binding", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * members: ["user:jane@example.com"], * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * ## gcp.logging.LogViewIamMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const member = new gcp.logging.LogViewIamMember("member", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * member: "user:jane@example.com", * }); * ``` * * With IAM Conditions: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const member = new gcp.logging.LogViewIamMember("member", { * parent: loggingLogView.parent, * location: loggingLogView.location, * bucket: loggingLogView.bucket, * name: loggingLogView.name, * role: "roles/logging.admin", * member: "user:jane@example.com", * condition: { * title: "expires_after_2019_12_31", * description: "Expiring at midnight of 2019-12-31", * expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")", * }, * }); * ``` * * ## Import * * For all import syntaxes, the "resource in question" can take any of the following forms: * * * {{parent}}/locations/{{location}}/buckets/{{bucket}}/views/{{name}} * * * {{name}} * * Any variables not passed in the import command will be taken from the provider configuration. * * Cloud (Stackdriver) Logging logview IAM resources can be imported using the resource identifiers, role, and member. * * IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g. * * ```sh * $ pulumi import gcp:logging/logViewIamMember:LogViewIamMember editor "{{parent}}/locations/{{location}}/buckets/{{bucket}}/views/{{log_view}} roles/logging.admin user:jane@example.com" * ``` * * IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g. * * ```sh * $ pulumi import gcp:logging/logViewIamMember:LogViewIamMember editor "{{parent}}/locations/{{location}}/buckets/{{bucket}}/views/{{log_view}} roles/logging.admin" * ``` * * IAM policy imports use the identifier of the resource in question, e.g. * * ```sh * $ pulumi import gcp:logging/logViewIamMember:LogViewIamMember editor {{parent}}/locations/{{location}}/buckets/{{bucket}}/views/{{log_view}} * ``` * * -> **Custom Roles** If you're importing a IAM resource with a custom role, make sure to use the * * full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. */ export declare class LogViewIamMember extends pulumi.CustomResource { /** * Get an existing LogViewIamMember resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: LogViewIamMemberState, opts?: pulumi.CustomResourceOptions): LogViewIamMember; /** * Returns true if the given object is an instance of LogViewIamMember. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is LogViewIamMember; /** * The bucket of the resource Used to find the parent resource to bind the IAM policy to */ readonly bucket: pulumi.Output; /** * An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. * Structure is documented below. */ readonly condition: pulumi.Output; /** * (Computed) The etag of the IAM policy. */ readonly etag: pulumi.Output; /** * The location of the resource. The supported locations are: global, us-central1, us-east1, us-west1, asia-east1, europe-west1. Used to find the parent resource to bind the IAM policy to. If not specified, * the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no * location is specified, it is taken from the provider configuration. */ readonly location: pulumi.Output; /** * Identities that will be granted the privilege in `role`. * Each entry can have one of the following values: * * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" * * **Federated identities**: One or more federated identities in a workload or workforce identity pool, workload running on GKE, etc. Refer to the [Principal identifiers documentation](https://cloud.google.com/iam/docs/principal-identifiers#allow) for examples of targets and valid configuration. For example, "principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com" */ readonly member: pulumi.Output; /** * Used to find the parent resource to bind the IAM policy to */ readonly name: pulumi.Output; /** * The parent of the resource. Used to find the parent resource to bind the IAM policy to */ readonly parent: pulumi.Output; /** * The role that should be applied. Only one * `gcp.logging.LogViewIamBinding` can be used per role. Note that custom roles must be of the format * `[projects|organizations]/{parent-name}/roles/{role-name}`. */ readonly role: pulumi.Output; /** * Create a LogViewIamMember resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: LogViewIamMemberArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering LogViewIamMember resources. */ export interface LogViewIamMemberState { /** * The bucket of the resource Used to find the parent resource to bind the IAM policy to */ bucket?: pulumi.Input; /** * An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. * Structure is documented below. */ condition?: pulumi.Input; /** * (Computed) The etag of the IAM policy. */ etag?: pulumi.Input; /** * The location of the resource. The supported locations are: global, us-central1, us-east1, us-west1, asia-east1, europe-west1. Used to find the parent resource to bind the IAM policy to. If not specified, * the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no * location is specified, it is taken from the provider configuration. */ location?: pulumi.Input; /** * Identities that will be granted the privilege in `role`. * Each entry can have one of the following values: * * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" * * **Federated identities**: One or more federated identities in a workload or workforce identity pool, workload running on GKE, etc. Refer to the [Principal identifiers documentation](https://cloud.google.com/iam/docs/principal-identifiers#allow) for examples of targets and valid configuration. For example, "principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com" */ member?: pulumi.Input; /** * Used to find the parent resource to bind the IAM policy to */ name?: pulumi.Input; /** * The parent of the resource. Used to find the parent resource to bind the IAM policy to */ parent?: pulumi.Input; /** * The role that should be applied. Only one * `gcp.logging.LogViewIamBinding` can be used per role. Note that custom roles must be of the format * `[projects|organizations]/{parent-name}/roles/{role-name}`. */ role?: pulumi.Input; } /** * The set of arguments for constructing a LogViewIamMember resource. */ export interface LogViewIamMemberArgs { /** * The bucket of the resource Used to find the parent resource to bind the IAM policy to */ bucket: pulumi.Input; /** * An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. * Structure is documented below. */ condition?: pulumi.Input; /** * The location of the resource. The supported locations are: global, us-central1, us-east1, us-west1, asia-east1, europe-west1. Used to find the parent resource to bind the IAM policy to. If not specified, * the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no * location is specified, it is taken from the provider configuration. */ location?: pulumi.Input; /** * Identities that will be granted the privilege in `role`. * Each entry can have one of the following values: * * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" * * **Federated identities**: One or more federated identities in a workload or workforce identity pool, workload running on GKE, etc. Refer to the [Principal identifiers documentation](https://cloud.google.com/iam/docs/principal-identifiers#allow) for examples of targets and valid configuration. For example, "principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com" */ member: pulumi.Input; /** * Used to find the parent resource to bind the IAM policy to */ name?: pulumi.Input; /** * The parent of the resource. Used to find the parent resource to bind the IAM policy to */ parent: pulumi.Input; /** * The role that should be applied. Only one * `gcp.logging.LogViewIamBinding` can be used per role. Note that custom roles must be of the format * `[projects|organizations]/{parent-name}/roles/{role-name}`. */ role: pulumi.Input; }