Module organizations
This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.
Resources
Functions
- getActiveFolder
- getBillingAccount
- getClientConfig
- getClientOpenIdUserInfo
- getFolder
- getIAMPolicy
- getOrganization
- getProject
Others
- FolderArgs
- FolderState
- GetActiveFolderArgs
- GetActiveFolderResult
- GetBillingAccountArgs
- GetBillingAccountResult
- GetClientConfigResult
- GetClientOpenIdUserInfoResult
- GetFolderArgs
- GetFolderResult
- GetIAMPolicyArgs
- GetIAMPolicyResult
- GetOrganizationArgs
- GetOrganizationResult
- GetProjectArgs
- GetProjectResult
- IamAuditConfigArgs
- IamAuditConfigState
- IAMBindingArgs
- IAMBindingState
- IAMCustomRoleArgs
- IAMCustomRoleState
- IAMMemberArgs
- IAMMemberState
- IAMPolicyArgs
- IAMPolicyState
- PolicyArgs
- PolicyState
- ProjectArgs
- ProjectState
Resources
Resource Folder
class Folder extends CustomResource
Allows management of a Google Cloud Platform folder. For more information see the official documentation and API.
A folder can contain projects, other folders, or a combination of both. You can use folders to group projects under an organization in a hierarchy. For example, your organization might contain multiple departments, each with its own set of Cloud Platform resources. Folders allow you to group these resources on a per-department basis. Folders are used to group resources that share common IAM policies.
Folders created live inside an Organization. See the Organization documentation for more details.
The service account used to run the provider when creating a gcp.organizations.Folder resource must have roles/resourcemanager.folderCreator. See the Access Control for Folders Using IAM doc for more information.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Top-level folder under an organization.
const department1 = new gcp.organizations.Folder("department1", {
    displayName: "Department 1",
    parent: "organizations/1234567",
});
// Folder nested under another folder.
const teamAbc = new gcp.organizations.Folder("team-abc", {
    displayName: "Team ABC",
    parent: department1.name,
});
constructor
new Folder(name: string, args: FolderArgs, opts?: pulumi.CustomResourceOptions)
Create a Folder resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FolderState, opts?: pulumi.CustomResourceOptions): Folder
Get an existing Folder resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is Folder
Returns true if the given object is an instance of Folder. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property createTime
public createTime: pulumi.Output<string>;
Timestamp when the Folder was created. Assigned by the server. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
property displayName
public displayName: pulumi.Output<string>;
The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property lifecycleState
public lifecycleState: pulumi.Output<string>;
The lifecycle state of the folder such as ACTIVE or DELETE_REQUESTED.
property name
public name: pulumi.Output<string>;
The resource name of the Folder. Its format is folders/{folder_id}.
property parent
public parent: pulumi.Output<string>;
The resource name of the parent Folder or Organization. Must be of the form folders/{folder_id} or organizations/{org_id}.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource IamAuditConfig
class IamAuditConfig extends CustomResource
Allows management of audit logging config for a given service for a Google Cloud Platform Organization.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const config = new gcp.organizations.IamAuditConfig("config", {
    auditLogConfigs: [{
        exemptedMembers: ["user:joebloggs@hashicorp.com"],
        logType: "DATA_READ",
    }],
    orgId: "your-organization-id",
    service: "allServices",
});
constructor
new IamAuditConfig(name: string, args: IamAuditConfigArgs, opts?: pulumi.CustomResourceOptions)
Create an IamAuditConfig resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IamAuditConfigState, opts?: pulumi.CustomResourceOptions): IamAuditConfig
Get an existing IamAuditConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is IamAuditConfig
Returns true if the given object is an instance of IamAuditConfig. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property auditLogConfigs
public auditLogConfigs: pulumi.Output<IamAuditConfigAuditLogConfig[]>;
The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
property etag
public etag: pulumi.Output<string>;
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization in which you want to manage the audit logging config.
property service
public service: pulumi.Output<string>;
Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_organization_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the logTypes specified in each auditLogConfig are enabled, and the exemptedMembers in each auditLogConfig are exempted.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
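The union rule described under property service can be checked before deployment. The following is an added example, not code from the Pulumi documentation: it merges the allServices declaration with a service-specific one and reports which log types are missing and which members are exempted. All type and function names are hypothetical, the sample reuses members and services that appear in this page's examples, and it assumes exemptions are merged per log type.

```typescript
// Added example: AuditConfigDecl, effectiveAuditConfig and auditGaps are
// hypothetical names and are not part of @pulumi/gcp.
interface AuditLogConfig {
    logType: string;            // "ADMIN_READ", "DATA_READ" or "DATA_WRITE"
    exemptedMembers?: string[];
}
interface AuditConfigDecl {
    service: string;            // "allServices" or e.g. "cloudkms.googleapis.com"
    auditLogConfigs: AuditLogConfig[];
}
interface EffectiveLogConfig {
    logType: string;
    exemptedMembers: string[];
}
interface AuditGaps {
    notEnabled: string[];           // required log types no declaration enables
    exempted: EffectiveLogConfig[]; // required log types that some member skips
}

// Union of every declaration that applies to `service`: its own entry plus
// any "allServices" entry. Assumption: exemptions are merged per log type.
function effectiveAuditConfig(decls: AuditConfigDecl[], service: string): EffectiveLogConfig[] {
    const merged: Record<string, string[]> = {};
    decls.forEach((decl) => {
        if (decl.service !== "allServices" && decl.service !== service) {
            return;
        }
        decl.auditLogConfigs.forEach((cfg) => {
            const members = merged[cfg.logType] || [];
            (cfg.exemptedMembers || []).forEach((m) => {
                if (members.indexOf(m) === -1) {
                    members.push(m);
                }
            });
            merged[cfg.logType] = members;
        });
    });
    return Object.keys(merged).sort().map((logType) => ({
        logType: logType,
        exemptedMembers: (merged[logType] || []).slice().sort(),
    }));
}

// Compares the effective configuration with the log types a reviewer requires.
function auditGaps(decls: AuditConfigDecl[], service: string, required: string[]): AuditGaps {
    const effective = effectiveAuditConfig(decls, service);
    const enabled = effective.map((e) => e.logType);
    return {
        notEnabled: required.filter((t) => enabled.indexOf(t) === -1),
        exempted: effective.filter(
            (e) => required.indexOf(e.logType) !== -1 && e.exemptedMembers.length > 0
        ),
    };
}

// Constructed sample declarations.
const sampleAuditDecls: AuditConfigDecl[] = [
    {
        service: "allServices",
        auditLogConfigs: [
            { logType: "DATA_READ", exemptedMembers: ["user:joebloggs@hashicorp.com"] },
        ],
    },
    {
        service: "cloudkms.googleapis.com",
        auditLogConfigs: [
            { logType: "DATA_READ", exemptedMembers: ["user:you@domain.com"] },
            { logType: "DATA_WRITE" },
            { logType: "ADMIN_READ" },
        ],
    },
];
const REQUIRED_LOG_TYPES = ["ADMIN_READ", "DATA_READ", "DATA_WRITE"];

// Cloud KMS inherits the allServices exemption on top of its own.
const kmsGaps = auditGaps(sampleAuditDecls, "cloudkms.googleapis.com", REQUIRED_LOG_TYPES);
// A service with no declaration of its own only gets what allServices enables.
const storageGaps = auditGaps(sampleAuditDecls, "storage.googleapis.com", REQUIRED_LOG_TYPES);
```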
Resource IAMBinding
class IAMBinding extends CustomResource
Allows creation and management of a single binding within IAM policy for an existing Google Cloud Platform Organization.
Note: This resource must not be used in conjunction with gcp.organizations.IAMMember for the same role or they will fight over what your policy should be.
Note: On create, this resource will overwrite members of any existing roles. Use pulumi import and inspect the output to ensure your existing members are preserved.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.organizations.IAMBinding("binding", {
    members: ["user:alice@gmail.com"],
    orgId: "123456789",
    role: "roles/browser",
});
constructor
new IAMBinding(name: string, args: IAMBindingArgs, opts?: pulumi.CustomResourceOptions)
Create an IAMBinding resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMBindingState, opts?: pulumi.CustomResourceOptions): IAMBinding
Get an existing IAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is IAMBinding
Returns true if the given object is an instance of IAMBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property condition
public condition: pulumi.Output<IAMBindingCondition | undefined>;
property etag
public etag: pulumi.Output<string>;
(Computed) The etag of the organization’s IAM policy.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property members
public members: pulumi.Output<string[]>;
A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization in which you want to create a custom role.
property role
public role: pulumi.Output<string>;
The role that should be applied. Only one gcp.organizations.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource IAMCustomRole
class IAMCustomRole extends CustomResource
Allows management of a customized Cloud IAM organization role. For more information see the official documentation and API.
Warning: Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise from this and how roles are propagated. 1) creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by the provider, and new roles cannot share that name.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myCustomRole = new gcp.organizations.IAMCustomRole("my-custom-role", {
    description: "A description",
    orgId: "123456789",
    permissions: [
        "iam.roles.list",
        "iam.roles.create",
        "iam.roles.delete",
    ],
    roleId: "myCustomRole",
    title: "My Custom Role",
});
constructor
new IAMCustomRole(name: string, args: IAMCustomRoleArgs, opts?: pulumi.CustomResourceOptions)
Create an IAMCustomRole resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMCustomRoleState, opts?: pulumi.CustomResourceOptions): IAMCustomRole
Get an existing IAMCustomRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is IAMCustomRole
Returns true if the given object is an instance of IAMCustomRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property deleted
public deleted: pulumi.Output<boolean>;
(Optional) The current deleted state of the role.
property description
public description: pulumi.Output<string | undefined>;
A human-readable description for the role.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property name
public name: pulumi.Output<string>;
The name of the role in the format organizations/{{org_id}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization in which you want to create a custom role.
property permissions
public permissions: pulumi.Output<string[]>;
The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.
property roleId
public roleId: pulumi.Output<string>;
The role id to use for this role.
property stage
public stage: pulumi.Output<string | undefined>;
The current launch stage of the role. Defaults to GA. List of possible stages is here.
property title
public title: pulumi.Output<string>;
A human-readable title for the role.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource IAMMember
class IAMMember extends CustomResource
Allows creation and management of a single member for a single binding within the IAM policy for an existing Google Cloud Platform Organization.
Note: This resource must not be used in conjunction with gcp.organizations.IAMBinding for the same role or they will fight over what your policy should be.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.organizations.IAMMember("binding", {
    member: "user:alice@gmail.com",
    orgId: "0123456789",
    role: "roles/editor",
});
constructor
new IAMMember(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions)
Create an IAMMember resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMMemberState, opts?: pulumi.CustomResourceOptions): IAMMember
Get an existing IAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is IAMMember
Returns true if the given object is an instance of IAMMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property condition
public condition: pulumi.Output<IAMMemberCondition | undefined>;
property etag
public etag: pulumi.Output<string>;
(Computed) The etag of the organization’s IAM policy.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property member
public member: pulumi.Output<string>;
The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization in which you want to create a custom role.
property role
public role: pulumi.Output<string>;
The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Resource IAMPolicy
class IAMPolicy extends CustomResource
Allows management of the entire IAM policy for an existing Google Cloud Platform Organization.
Warning: New organizations have several default policies which will, without extreme caution, be overwritten by use of this resource. The safest alternative is to use multiple gcp.organizations.IAMBinding resources. It is easy to use this resource to remove your own access to an organization, which will require a call to Google Support to have fixed, and can take multiple days to resolve. If you do use this resource, the best way to be sure that you are not making dangerous changes is to start by importing your existing policy, and examining the diff very closely.
Note: This resource must not be used in conjunction with gcp.organizations.IAMMember or gcp.organizations.IAMBinding or they will fight over what your policy should be.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Build the policy document; the argument is `bindings`, as in the getIAMPolicy example.
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
    }],
});
// Applying this replaces the organization's entire IAM policy.
const policy = new gcp.organizations.IAMPolicy("policy", {
    orgId: "123456789",
    policyData: admin.then(admin => admin.policyData),
});
constructor
new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: pulumi.CustomResourceOptions)
Create an IAMPolicy resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMPolicyState, opts?: pulumi.CustomResourceOptions): IAMPolicy
Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is IAMPolicy
Returns true if the given object is an instance of IAMPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property etag
public etag: pulumi.Output<string>;
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization in which you want to create a custom role.
property policyData
public policyData: pulumi.Output<string>;
The gcp.organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the organization. This policy overrides any existing policy applied to the organization.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
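The notes on IAMBinding, IAMMember and IAMPolicy above define three combinations that must not share an organization or role. The following is an added example, not code from the Pulumi documentation: a pre-deployment check over a plain list of the organization IAM resources a program declares. DeclaredIam, Finding and findIamConflicts are hypothetical names, and the sample declarations are constructed.

```typescript
// Added example: DeclaredIam, Finding and findIamConflicts are hypothetical
// names and are not part of @pulumi/gcp.
interface DeclaredIam {
    name: string;   // Pulumi logical name
    kind: string;   // "IAMPolicy", "IAMBinding" or "IAMMember"
    orgId: string;
    role?: string;  // set for IAMBinding and IAMMember
}
interface Finding {
    orgId: string;
    role: string | null;  // null: the whole organization policy is contested
    rule: string;
    resources: string[];
}

function groupDecls(items: DeclaredIam[], key: (d: DeclaredIam) => string): Record<string, DeclaredIam[]> {
    const out: Record<string, DeclaredIam[]> = {};
    items.forEach((d) => {
        const k = key(d);
        out[k] = (out[k] || []).concat([d]);
    });
    return out;
}

function logicalNames(items: DeclaredIam[]): string[] {
    return items.map((d) => d.name).sort();
}

function findIamConflicts(decls: DeclaredIam[]): Finding[] {
    const findings: Finding[] = [];
    const byOrg = groupDecls(decls, (d) => d.orgId);
    Object.keys(byOrg).sort().forEach((orgId) => {
        const group = byOrg[orgId] || [];
        const policies = group.filter((d) => d.kind === "IAMPolicy");
        const scoped = group.filter((d) => d.kind !== "IAMPolicy");
        // IAMPolicy manages the entire policy, so no binding or member
        // resource may target the same organization.
        if (policies.length > 0 && scoped.length > 0) {
            findings.push({
                orgId: orgId, role: null,
                rule: "policy-with-binding-or-member",
                resources: logicalNames(group),
            });
        }
        const byRole = groupDecls(scoped, (d) => d.role || "");
        Object.keys(byRole).sort().forEach((role) => {
            const sameRole = byRole[role] || [];
            const bindings = sameRole.filter((d) => d.kind === "IAMBinding");
            const members = sameRole.filter((d) => d.kind === "IAMMember");
            // Only one IAMBinding can be used per role.
            if (bindings.length > 1) {
                findings.push({
                    orgId: orgId, role: role,
                    rule: "multiple-bindings-for-role",
                    resources: logicalNames(bindings),
                });
            }
            // IAMBinding and IAMMember must not be combined for the same role.
            if (bindings.length > 0 && members.length > 0) {
                findings.push({
                    orgId: orgId, role: role,
                    rule: "binding-with-member-for-role",
                    resources: logicalNames(sameRole),
                });
            }
        });
    });
    return findings;
}

// Constructed sample: several IAMMember resources for one role are fine,
// the other combinations are reported.
const sampleDecls: DeclaredIam[] = [
    { name: "binding", kind: "IAMBinding", orgId: "123456789", role: "roles/browser" },
    { name: "alice-browser", kind: "IAMMember", orgId: "123456789", role: "roles/browser" },
    { name: "alice-editor", kind: "IAMMember", orgId: "123456789", role: "roles/editor" },
    { name: "bob-editor", kind: "IAMMember", orgId: "123456789", role: "roles/editor" },
    { name: "viewer-a", kind: "IAMBinding", orgId: "123456789", role: "roles/viewer" },
    { name: "viewer-b", kind: "IAMBinding", orgId: "123456789", role: "roles/viewer" },
    { name: "policy", kind: "IAMPolicy", orgId: "987654321" },
    { name: "carol-editor", kind: "IAMMember", orgId: "987654321", role: "roles/editor" },
];
const sampleFindings = findIamConflicts(sampleDecls);
```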
Resource Policy
class Policy extends CustomResource
Allows management of Organization policies for a Google Organization. For more information see the official documentation and API.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const serialPortPolicy = new gcp.organizations.Policy("serialPortPolicy", {
    booleanPolicy: {
        enforced: true,
    },
    constraint: "compute.disableSerialPortAccess",
    orgId: "123456789",
});
constructor
new Policy(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions)
Create a Policy resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy
Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is Policy
Returns true if the given object is an instance of Policy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property booleanPolicy
public booleanPolicy: pulumi.Output<PolicyBooleanPolicy | undefined>;
A boolean policy is a constraint that is either enforced or not. Structure is documented below.
property constraint
public constraint: pulumi.Output<string>;
The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.
property etag
public etag: pulumi.Output<string>;
(Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property listPolicy
public listPolicy: pulumi.Output<PolicyListPolicy | undefined>;
A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization to set the policy for.
property restorePolicy
public restorePolicy: pulumi.Output<PolicyRestorePolicy | undefined>;
A restore policy is a constraint to restore the default policy. Structure is documented below.
property updateTime
public updateTime: pulumi.Output<string>;
(Computed) The timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds, representing when the variable was last updated. Example: “2016-10-09T12:33:37.578138407Z”.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
property version
public version: pulumi.Output<number>;
Version of the Policy. Default version is 0.
Resource Project
class Project extends CustomResource
Allows creation and management of a Google Cloud Platform project.
Projects created with this resource must be associated with an Organization. See the Organization documentation for more details.
The service account used to run this provider when creating a gcp.organizations.Project resource must have roles/resourcemanager.projectCreator. See the Access Control for Organizations Using IAM doc for more information.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myProject = new gcp.organizations.Project("myProject", {
    orgId: "1234567",
    projectId: "your-project-id",
});
constructor
new Project(name: string, args: ProjectArgs, opts?: pulumi.CustomResourceOptions)
Create a Project resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ProjectState, opts?: pulumi.CustomResourceOptions): Project
Get an existing Project resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is Project
Returns true if the given object is an instance of Project. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property autoCreateNetwork
public autoCreateNetwork: pulumi.Output<boolean | undefined>;
Create the ‘default’ network automatically. Default true. If set to false, the default network will be deleted. Note that, for quota purposes, you will still need to have 1 network slot available to create the project successfully, even if you set autoCreateNetwork to false, since the network will exist momentarily.
property billingAccount
public billingAccount: pulumi.Output<string | undefined>;
The alphanumeric ID of the billing account this project belongs to. The user or service account performing this operation with the provider must have Billing Account Administrator privileges (roles/billing.admin) in the organization. See Google Cloud Billing API Access Control for more details.
property folderId
public folderId: pulumi.Output<string>;
The numeric ID of the folder this project should be created under. Only one of orgId or folderId may be specified. If the folderId is specified, then the project is created under the specified folder. Changing this forces the project to be migrated to the newly specified folder.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property labels
public labels: pulumi.Output<{[key: string]: string} | undefined>;
A set of key/value label pairs to assign to the project.
property name
public name: pulumi.Output<string>;
The display name of the project.
property number
public number: pulumi.Output<string>;
The numeric identifier of the project.
property orgId
public orgId: pulumi.Output<string>;
The numeric ID of the organization this project belongs to. Changing this forces a new project to be created. Only one of orgId or folderId may be specified. If the orgId is specified then the project is created at the top level. Changing this forces the project to be migrated to the newly specified organization.
property projectId
public projectId: pulumi.Output<string>;
The project ID. Changing this forces a new project to be created.
property skipDelete
public skipDelete: pulumi.Output<boolean>;
If true, the resource can be deleted without deleting the Project via the Google API.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
Functions
Function getActiveFolder
getActiveFolder(args: GetActiveFolderArgs, opts?: pulumi.InvokeOptions): Promise<GetActiveFolderResult>
Get an active folder within GCP by displayName and parent.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const department1 = pulumi.output(gcp.organizations.getActiveFolder({
    displayName: "Department 1",
    parent: "organizations/1234567",
}, { async: true }));
Function getBillingAccount
getBillingAccount(args?: GetBillingAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetBillingAccountResult>
Use this data source to get information about a Google Billing Account.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const acct = gcp.organizations.getBillingAccount({
    displayName: "My Billing Account",
    open: true,
});
const myProject = new gcp.organizations.Project("myProject", {
    projectId: "your-project-id",
    orgId: "1234567",
    billingAccount: acct.then(acct => acct.id),
});
Function getClientConfig
getClientConfig(opts?: pulumi.InvokeOptions): Promise<GetClientConfigResult>
Use this data source to access the configuration of the Google Cloud provider.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const current = gcp.organizations.getClientConfig({});
export const project = current.then(current => current.project);
Function getClientOpenIdUserInfo
getClientOpenIdUserInfo(opts?: pulumi.InvokeOptions): Promise<GetClientOpenIdUserInfoResult>
Get OpenID userinfo about the credentials used with the Google provider, specifically the email.
This datasource enables you to export the email of the account you’ve authenticated the provider with; this can be used alongside data.google_client_config’s accessToken to perform OpenID Connect authentication with GKE and configure an RBAC role for the email used.
This resource will only work as expected if the provider is configured to use the https://www.googleapis.com/auth/userinfo.email scope! You will receive an error otherwise.
Example Usage - exporting an email
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const me = gcp.organizations.getClientOpenIdUserInfo({});
export const myEmail = me.then(me => me.email);
Function getFolder
getFolder(args: GetFolderArgs, opts?: pulumi.InvokeOptions): Promise<GetFolderResult>
Use this data source to get information about a Google Cloud Folder.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myFolder1 = gcp.organizations.getFolder({
    folder: "folders/12345",
    lookupOrganization: true,
});
const myFolder2 = gcp.organizations.getFolder({
    folder: "folders/23456",
});
export const myFolder1Organization = myFolder1.then(myFolder1 => myFolder1.organization);
export const myFolder2Parent = myFolder2.then(myFolder2 => myFolder2.parent);
Function getIAMPolicy
getIAMPolicy(args?: GetIAMPolicyArgs, opts?: pulumi.InvokeOptions): Promise<GetIAMPolicyResult>
Generates an IAM policy document that may be referenced by and applied to other Google Cloud Platform resources, such as the gcp.organizations.Project resource.
Note: Several restrictions apply when setting IAM policies through this API. See the setIamPolicy docs for a list of these restrictions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = pulumi.output(gcp.organizations.getIAMPolicy({
    auditConfigs: [{
        auditLogConfigs: [
            {
                exemptedMembers: ["user:you@domain.com"],
                logType: "DATA_READ",
            },
            {
                logType: "DATA_WRITE",
            },
            {
                logType: "ADMIN_READ",
            },
        ],
        service: "cloudkms.googleapis.com",
    }],
    bindings: [
        {
            members: ["serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com"],
            role: "roles/compute.instanceAdmin",
        },
        {
            members: ["user:alice@gmail.com"],
            role: "roles/storage.objectViewer",
        },
    ],
}, { async: true }));
This data source is used to define IAM policies to apply to other resources. Currently, defining a policy through a datasource and referencing that policy from another resource is the only way to apply an IAM policy to a resource.
Function getOrganization
getOrganization(args?: GetOrganizationArgs, opts?: pulumi.InvokeOptions): Promise<GetOrganizationResult>
Use this data source to get information about a Google Cloud Organization.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const org = gcp.organizations.getOrganization({
    domain: "example.com",
});
const sales = new gcp.organizations.Folder("sales", {
    displayName: "Sales",
    parent: org.then(org => org.name),
});
Function getProject
getProject(args?: GetProjectArgs, opts?: pulumi.InvokeOptions): Promise<GetProjectResult>
Use this data source to get project details. For more information see API
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const project = gcp.organizations.getProject({});
export const projectNumber = project.then(project => project.number);
Others
interface FolderArgs
interface FolderArgs
The set of arguments for constructing a Folder resource.
property displayName
displayName: pulumi.Input<string>;
The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters.
property parent
parent: pulumi.Input<string>;
The resource name of the parent Folder or Organization. Must be of the form folders/{folder_id} or organizations/{org_id}.
interface FolderState
interface FolderState
Input properties used for looking up and filtering Folder resources.
property createTime
createTime?: pulumi.Input<string>;
Timestamp when the Folder was created. Assigned by the server. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
property displayName
displayName?: pulumi.Input<string>;
The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters.
property lifecycleState
lifecycleState?: pulumi.Input<string>;
The lifecycle state of the folder such as ACTIVE or DELETE_REQUESTED.
property name
name?: pulumi.Input<string>;
The resource name of the Folder. Its format is folders/{folder_id}.
property parent
parent?: pulumi.Input<string>;
The resource name of the parent Folder or Organization. Must be of the form folders/{folder_id} or organizations/{org_id}.
interface GetActiveFolderArgs
interface GetActiveFolderArgs
A collection of arguments for invoking getActiveFolder.
property displayName
displayName: string;
The folder’s display name.
property parent
parent: string;
The resource name of the parent Folder or Organization.
interface GetActiveFolderResult
interface GetActiveFolderResult
A collection of values returned by getActiveFolder.
property displayName
displayName: string;
property id
id: string;
The provider-assigned unique ID for this managed resource.
property name
name: string;
The resource name of the Folder. This uniquely identifies the folder.
property parent
parent: string;
interface GetBillingAccountArgs
interface GetBillingAccountArgs
A collection of arguments for invoking getBillingAccount.
property billingAccount
billingAccount?: undefined | string;
The name of the billing account in the form {billing_account_id} or billingAccounts/{billing_account_id}.
property displayName
displayName?: undefined | string;
The display name of the billing account.
property open
open?: undefined | false | true;
true if the billing account is open, false if the billing account is closed.
interface GetBillingAccountResult
interface GetBillingAccountResult
A collection of values returned by getBillingAccount.
property billingAccount
billingAccount?: undefined | string;
property displayName
displayName: string;
property id
id: string;
The provider-assigned unique ID for this managed resource.
property name
name: string;
The resource name of the billing account in the form billingAccounts/{billing_account_id}.
property open
open: boolean;
property projectIds
projectIds: string[];
The IDs of any projects associated with the billing account.
interface GetClientConfigResult
interface GetClientConfigResult
A collection of values returned by getClientConfig.
property accessToken
accessToken: string;
The OAuth2 access token used by the client to authenticate against the Google Cloud API.
property id
id: string;
The provider-assigned unique ID for this managed resource.
property project
project: string;
The ID of the project to apply any resources to.
property region
region: string;
The region to operate under.
property zone
zone: string;
The zone to operate under.
interface GetClientOpenIdUserInfoResult
interface GetClientOpenIdUserInfoResult
A collection of values returned by getClientOpenIdUserInfo.
property email
email: string;
The email of the account used by the provider to authenticate with GCP.
property id
id: string;
The provider-assigned unique ID for this managed resource.
interface GetFolderArgs
interface GetFolderArgs
A collection of arguments for invoking getFolder.
property folder
folder: string;
The name of the Folder in the form {folder_id} or folders/{folder_id}.
property lookupOrganization
lookupOrganization?: undefined | false | true;
true to find the organization that the folder belongs to, false to avoid the lookup. It searches up the tree. (defaults to false)
interface GetFolderResult
interface GetFolderResult
A collection of values returned by getFolder.
property createTime
createTime: string;
Timestamp when the Organization was created. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
property displayName
displayName: string;
The folder’s display name.
property folder
folder: string;
property id
id: string;
The provider-assigned unique ID for this managed resource.
property lifecycleState
lifecycleState: string;
The Folder’s current lifecycle state.
property lookupOrganization
lookupOrganization?: undefined | false | true;
property name
name: string;
The resource name of the Folder in the form folders/{folder_id}.
property organization
organization: string;
If lookupOrganization is enabled, the resource name of the Organization that the folder belongs to.
property parent
parent: string;
The resource name of the parent Folder or Organization.
interface GetIAMPolicyArgs
interface GetIAMPolicyArgs
A collection of arguments for invoking getIAMPolicy.
property auditConfigs
auditConfigs?: GetIAMPolicyAuditConfig[];
A nested configuration block that defines additional logging configuration for your project.
property bindings
bindings?: GetIAMPolicyBinding[];
A nested configuration block (described below)
defining a binding to be included in the policy document. Multiple
binding arguments are supported.
interface GetIAMPolicyResult
interface GetIAMPolicyResult
A collection of values returned by getIAMPolicy.
property auditConfigs
auditConfigs?: GetIAMPolicyAuditConfig[];
property bindings
bindings?: GetIAMPolicyBinding[];
property id
id: string;
The provider-assigned unique ID for this managed resource.
property policyData
policyData: string;
The above bindings serialized in a format suitable for referencing from a resource that supports IAM.
interface GetOrganizationArgs
interface GetOrganizationArgs
A collection of arguments for invoking getOrganization.
property domain
domain?: undefined | string;
The domain name of the Organization.
property organization
organization?: undefined | string;
The name of the Organization in the form {organization_id} or organizations/{organization_id}.
interface GetOrganizationResult
interface GetOrganizationResult
A collection of values returned by getOrganization.
property createTime
createTime: string;
Timestamp when the Organization was created. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
property directoryCustomerId
directoryCustomerId: string;
The Google for Work customer ID of the Organization.
property domain
domain: string;
property id
id: string;
The provider-assigned unique ID for this managed resource.
property lifecycleState
lifecycleState: string;
The Organization’s current lifecycle state.
property name
name: string;
The resource name of the Organization in the form organizations/{organization_id}.
property orgId
orgId: string;
The Organization ID.
property organization
organization?: undefined | string;
interface GetProjectArgs
interface GetProjectArgs
A collection of arguments for invoking getProject.
property projectId
projectId?: undefined | string;
The project ID. If it is not provided, the provider project is used.
interface GetProjectResult
interface GetProjectResult
A collection of values returned by getProject.
property autoCreateNetwork
autoCreateNetwork: boolean;
property billingAccount
billingAccount: string;
property folderId
folderId: string;
property id
id: string;
The provider-assigned unique ID for this managed resource.
property labels
labels: {[key: string]: string};
property name
name: string;
property number
number: string;
property orgId
orgId: string;
property projectId
projectId?: undefined | string;
property skipDelete
skipDelete: boolean;
interface IamAuditConfigArgs
interface IamAuditConfigArgs
The set of arguments for constructing an IamAuditConfig resource.
property auditLogConfigs
auditLogConfigs: pulumi.Input<pulumi.Input<IamAuditConfigAuditLogConfig>[]>;
The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
property orgId
orgId: pulumi.Input<string>;
The numeric ID of the organization in which you want to manage the audit logging config.
property service
service: pulumi.Input<string>;
Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_organization_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the logTypes specified in each auditLogConfig are enabled, and the exemptedMembers in each auditLogConfig are exempted.
interface IamAuditConfigState
interface IamAuditConfigState
Input properties used for looking up and filtering IamAuditConfig resources.
property auditLogConfigs
auditLogConfigs?: pulumi.Input<pulumi.Input<IamAuditConfigAuditLogConfig>[]>;
The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.
property etag
etag?: pulumi.Input<string>;
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization in which you want to manage the audit logging config.
property service
service?: pulumi.Input<string>;
Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_organization_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the logTypes specified in each auditLogConfig are enabled, and the exemptedMembers in each auditLogConfig are exempted.
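The union rule in the service description means an exemption declared under allServices also silences logging for every specific service, even when that service's own config lists no exemptions. The following is an added example, not code from the Pulumi SDK or the provider: it models the rule on plain objects and lists the exemptions a service inherits. The AuditConfig and AuditLogConfig shapes, the logType field name, the service names and the member strings are assumptions constructed for illustration.

```typescript
// Added example: models the allServices / specific-service union rule on plain
// objects. Shapes and sample data are constructed; no Pulumi SDK is used.
interface AuditLogConfig {
    logType: string;             // e.g. ADMIN_READ, DATA_READ, DATA_WRITE
    exemptedMembers?: string[];  // members whose access is NOT logged
}
interface AuditConfig {
    service: string;             // "allServices" or a specific service name
    auditLogConfigs: AuditLogConfig[];
}
// logType -> sorted list of members exempted for that log type
type Effective = Record<string, string[]>;

const ALL_SERVICES = "allServices";

// Fold one config into the accumulator: log types and exemptions are unioned.
function mergeInto(acc: Effective, cfg: AuditConfig): void {
    for (const alc of cfg.auditLogConfigs) {
        const members = acc[alc.logType] || (acc[alc.logType] = []);
        for (const m of alc.exemptedMembers || []) {
            if (members.indexOf(m) === -1) members.push(m);
        }
        members.sort();
    }
}

// Effective config for one service = union of allServices and that service.
function effectiveAuditConfig(configs: AuditConfig[], service: string): Effective {
    const acc: Effective = {};
    for (const cfg of configs) {
        if (cfg.service === ALL_SERVICES || cfg.service === service) mergeInto(acc, cfg);
    }
    return acc;
}

// Exemptions that apply to `service` only because allServices declares them.
// Each finding is "logType:member"; review these before trusting the logs.
function inheritedExemptions(configs: AuditConfig[], service: string): string[] {
    const own: Effective = {};
    for (const cfg of configs) {
        if (cfg.service === service) mergeInto(own, cfg);
    }
    const eff = effectiveAuditConfig(configs, service);
    const findings: string[] = [];
    for (const logType of Object.keys(eff).sort()) {
        const ownMembers = own[logType] || [];
        for (const m of eff[logType] || []) {
            if (ownMembers.indexOf(m) === -1) findings.push(`${logType}:${m}`);
        }
    }
    return findings;
}

// Constructed sample: the storage config itself exempts nobody from DATA_READ.
const sampleConfigs: AuditConfig[] = [
    { service: ALL_SERVICES, auditLogConfigs: [
        { logType: "ADMIN_READ" },
        { logType: "DATA_READ", exemptedMembers: ["serviceAccount:backup@example-project.iam.gserviceaccount.com"] },
    ] },
    { service: "storage.googleapis.com", auditLogConfigs: [
        { logType: "DATA_READ" },
        { logType: "DATA_WRITE", exemptedMembers: ["user:ops@example.com"] },
    ] },
];

console.log(inheritedExemptions(sampleConfigs, "storage.googleapis.com"));
```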
interface IAMBindingArgs
interface IAMBindingArgs
The set of arguments for constructing an IAMBinding resource.
property condition
condition?: pulumi.Input<IAMBindingCondition>;
property members
members: pulumi.Input<pulumi.Input<string>[]>;
A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
property orgId
orgId: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property role
role: pulumi.Input<string>;
The role that should be applied. Only one
gcp.organizations.IAMBinding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
interface IAMBindingState
interface IAMBindingState
Input properties used for looking up and filtering IAMBinding resources.
property condition
condition?: pulumi.Input<IAMBindingCondition>;
property etag
etag?: pulumi.Input<string>;
(Computed) The etag of the organization’s IAM policy.
property members
members?: pulumi.Input<pulumi.Input<string>[]>;
A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property role
role?: pulumi.Input<string>;
The role that should be applied. Only one
gcp.organizations.IAMBinding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
interface IAMCustomRoleArgs
interface IAMCustomRoleArgs
The set of arguments for constructing an IAMCustomRole resource.
property description
description?: pulumi.Input<string>;
A human-readable description for the role.
property orgId
orgId: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property permissions
permissions: pulumi.Input<pulumi.Input<string>[]>;
The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.
property roleId
roleId: pulumi.Input<string>;
The role id to use for this role.
property stage
stage?: pulumi.Input<string>;
The current launch stage of the role.
Defaults to GA.
List of possible stages is here.
property title
title: pulumi.Input<string>;
A human-readable title for the role.
interface IAMCustomRoleState
interface IAMCustomRoleState
Input properties used for looking up and filtering IAMCustomRole resources.
property deleted
deleted?: pulumi.Input<boolean>;
(Optional) The current deleted state of the role.
property description
description?: pulumi.Input<string>;
A human-readable description for the role.
property name
name?: pulumi.Input<string>;
The name of the role in the format organizations/{{org_id}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property permissions
permissions?: pulumi.Input<pulumi.Input<string>[]>;
The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.
property roleId
roleId?: pulumi.Input<string>;
The role id to use for this role.
property stage
stage?: pulumi.Input<string>;
The current launch stage of the role.
Defaults to GA.
List of possible stages is here.
property title
title?: pulumi.Input<string>;
A human-readable title for the role.
interface IAMMemberArgs
interface IAMMemberArgs
The set of arguments for constructing an IAMMember resource.
property condition
condition?: pulumi.Input<IAMMemberCondition>;
property member
member: pulumi.Input<string>;
The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
property orgId
orgId: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property role
role: pulumi.Input<string>;
The role that should be applied. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
interface IAMMemberState
interface IAMMemberState
Input properties used for looking up and filtering IAMMember resources.
property condition
condition?: pulumi.Input<IAMMemberCondition>;
property etag
etag?: pulumi.Input<string>;
(Computed) The etag of the organization’s IAM policy.
property member
member?: pulumi.Input<string>;
The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property role
role?: pulumi.Input<string>;
The role that should be applied. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
interface IAMPolicyArgs
interface IAMPolicyArgs
The set of arguments for constructing an IAMPolicy resource.
property orgId
orgId: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property policyData
policyData: pulumi.Input<string>;
The gcp.organizations.getIAMPolicy data source that represents
the IAM policy that will be applied to the organization. This policy overrides any existing
policy applied to the organization.
interface IAMPolicyState
interface IAMPolicyState
Input properties used for looking up and filtering IAMPolicy resources.
property etag
etag?: pulumi.Input<string>;
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization in which you want to create a custom role.
property policyData
policyData?: pulumi.Input<string>;
The gcp.organizations.getIAMPolicy data source that represents
the IAM policy that will be applied to the organization. This policy overrides any existing
policy applied to the organization.
interface PolicyArgs
interface PolicyArgs
The set of arguments for constructing a Policy resource.
property booleanPolicy
booleanPolicy?: pulumi.Input<PolicyBooleanPolicy>;
A boolean policy is a constraint that is either enforced or not. Structure is documented below.
property constraint
constraint: pulumi.Input<string>;
The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.
property listPolicy
listPolicy?: pulumi.Input<PolicyListPolicy>;
A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
property orgId
orgId: pulumi.Input<string>;
The numeric ID of the organization to set the policy for.
property restorePolicy
restorePolicy?: pulumi.Input<PolicyRestorePolicy>;
A restore policy is a constraint to restore the default policy. Structure is documented below.
property version
version?: pulumi.Input<number>;
Version of the Policy. Default version is 0.
interface PolicyState
interface PolicyState
Input properties used for looking up and filtering Policy resources.
property booleanPolicy
booleanPolicy?: pulumi.Input<PolicyBooleanPolicy>;
A boolean policy is a constraint that is either enforced or not. Structure is documented below.
property constraint
constraint?: pulumi.Input<string>;
The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.
property etag
etag?: pulumi.Input<string>;
(Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
property listPolicy
listPolicy?: pulumi.Input<PolicyListPolicy>;
A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization to set the policy for.
property restorePolicy
restorePolicy?: pulumi.Input<PolicyRestorePolicy>;
A restore policy is a constraint to restore the default policy. Structure is documented below.
property updateTime
updateTime?: pulumi.Input<string>;
(Computed) The timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds, representing when the variable was last updated. Example: “2016-10-09T12:33:37.578138407Z”.
property version
version?: pulumi.Input<number>;
Version of the Policy. Default version is 0.
interface ProjectArgs
interface ProjectArgs
The set of arguments for constructing a Project resource.
property autoCreateNetwork
autoCreateNetwork?: pulumi.Input<boolean>;
Create the ‘default’ network automatically. Default true.
If set to false, the default network will be deleted. Note that, for quota purposes, you
will still need to have 1 network slot available to create the project successfully, even if
you set autoCreateNetwork to false, since the network will exist momentarily.
property billingAccount
billingAccount?: pulumi.Input<string>;
The alphanumeric ID of the billing account this project
belongs to. The user or service account performing this operation with the provider
must have Billing Account Administrator privileges (roles/billing.admin) in
the organization. See Google Cloud Billing API Access Control
for more details.
property folderId
folderId?: pulumi.Input<string>;
The numeric ID of the folder this project should be
created under. Only one of orgId or folderId may be
specified. If the folderId is specified, then the project is
created under the specified folder. Changing this forces the
project to be migrated to the newly specified folder.
property labels
labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
A set of key/value label pairs to assign to the project.
property name
name?: pulumi.Input<string>;
The display name of the project.
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization this project belongs to.
Changing this forces a new project to be created. Only one of
orgId or folderId may be specified. If the orgId is
specified then the project is created at the top level. Changing
this forces the project to be migrated to the newly specified
organization.
property projectId
projectId: pulumi.Input<string>;
The project ID. Changing this forces a new project to be created.
property skipDelete
skipDelete?: pulumi.Input<boolean>;
If true, the resource can be deleted without deleting the Project via the Google API.
interface ProjectState
interface ProjectState
Input properties used for looking up and filtering Project resources.
property autoCreateNetwork
autoCreateNetwork?: pulumi.Input<boolean>;
Create the ‘default’ network automatically. Default true.
If set to false, the default network will be deleted. Note that, for quota purposes, you
will still need to have 1 network slot available to create the project successfully, even if
you set autoCreateNetwork to false, since the network will exist momentarily.
property billingAccount
billingAccount?: pulumi.Input<string>;
The alphanumeric ID of the billing account this project
belongs to. The user or service account performing this operation with the provider
must have Billing Account Administrator privileges (roles/billing.admin) in
the organization. See Google Cloud Billing API Access Control
for more details.
property folderId
folderId?: pulumi.Input<string>;
The numeric ID of the folder this project should be
created under. Only one of orgId or folderId may be
specified. If the folderId is specified, then the project is
created under the specified folder. Changing this forces the
project to be migrated to the newly specified folder.
property labels
labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
A set of key/value label pairs to assign to the project.
property name
name?: pulumi.Input<string>;
The display name of the project.
property number
number?: pulumi.Input<string>;
The numeric identifier of the project.
property orgId
orgId?: pulumi.Input<string>;
The numeric ID of the organization this project belongs to.
Changing this forces a new project to be created. Only one of
orgId or folderId may be specified. If the orgId is
specified then the project is created at the top level. Changing
this forces the project to be migrated to the newly specified
organization.
property projectId
projectId?: pulumi.Input<string>;
The project ID. Changing this forces a new project to be created.
property skipDelete
skipDelete?: pulumi.Input<boolean>;
If true, the resource can be deleted without deleting the Project via the Google API.