IAMAuditConfig

Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

gcp.projects.IAMPolicy: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.
gcp.projects.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
gcp.projects.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
gcp.projects.IAMAuditConfig: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

Note: gcp.projects.IAMPolicy cannot be used in conjunction with gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig or they will fight over what your policy should be.
Note: gcp.projects.IAMBinding resources can be used in conjunction with gcp.projects.IAMMember resources only if they do not grant privilege to the same role.

Create a IAMAuditConfig Resource

new IAMAuditConfig(name: string, args: IAMAuditConfigArgs, opts?: CustomResourceOptions);

def IAMAuditConfig(resource_name, opts=None, audit_log_configs=None, project=None, service=None, __props__=None);

func NewIAMAuditConfig(ctx *Context, name string, args IAMAuditConfigArgs, opts ...ResourceOption) (*IAMAuditConfig, error)

public IAMAuditConfig(string name, IAMAuditConfigArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args IAMAuditConfigArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args IAMAuditConfigArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args IAMAuditConfigArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

IAMAuditConfig Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The IAMAuditConfig resource accepts the following input properties:

AuditLogConfigs List<IAMAuditConfigAuditLogConfigArgs>: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
Service string: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.
Project string: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

AuditLogConfigs []IAMAuditConfigAuditLogConfig: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
Service string: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.
Project string: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

auditLogConfigs IAMAuditConfigAuditLogConfig[]: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
service string: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.
project string: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

audit_log_configs List[IAMAuditConfigAuditLogConfig]: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
service str: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.
project str: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

Outputs

All input properties are implicitly available as output properties. Additionally, the IAMAuditConfig resource produces the following output properties:

Etag string: (Computed) The etag of the project’s IAM policy.
Id string: The provider-assigned unique ID for this managed resource.

Etag string: (Computed) The etag of the project’s IAM policy.
Id string: The provider-assigned unique ID for this managed resource.

etag string: (Computed) The etag of the project’s IAM policy.
id string: The provider-assigned unique ID for this managed resource.

etag str: (Computed) The etag of the project’s IAM policy.
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing IAMAuditConfig Resource

Get an existing IAMAuditConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IAMAuditConfigState, opts?: CustomResourceOptions): IAMAuditConfig

static get(resource_name, id, opts=None, audit_log_configs=None, etag=None, project=None, service=None, __props__=None);

func GetIAMAuditConfig(ctx *Context, name string, id IDInput, state *IAMAuditConfigState, opts ...ResourceOption) (*IAMAuditConfig, error)

public static IAMAuditConfig Get(string name, Input<string> id, IAMAuditConfigState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AuditLogConfigs List<IAMAuditConfigAuditLogConfigArgs>: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
Etag string: (Computed) The etag of the project’s IAM policy.
Project string: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.
Service string: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

AuditLogConfigs []IAMAuditConfigAuditLogConfig: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
Etag string: (Computed) The etag of the project’s IAM policy.
Project string: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.
Service string: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

auditLogConfigs IAMAuditConfigAuditLogConfig[]: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
etag string: (Computed) The etag of the project’s IAM policy.
project string: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.
service string: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

audit_log_configs List[IAMAuditConfigAuditLogConfig]: The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
etag str: (Computed) The etag of the project’s IAM policy.
project str: The project ID. If not specified for gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for gcp.projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.
service str: Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

Supporting Types

IAMAuditConfigAuditLogConfig

See the input and output API doc for this type.

LogType string: Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.
ExemptedMembers List<string>: Identities that do not cause logging for this type of permission. The format is the same as that for members.

LogType string: Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.
ExemptedMembers []string: Identities that do not cause logging for this type of permission. The format is the same as that for members.

logType string: Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.
exemptedMembers string[]: Identities that do not cause logging for this type of permission. The format is the same as that for members.

logType str: Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.
exemptedMembers List[str]: Identities that do not cause logging for this type of permission. The format is the same as that for members.

Package Details

Repository: https://github.com/pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud