iap¶

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

class pulumi_gcp.iap.AppEngineServiceIamBinding(resource_name, opts=None, app_id=None, condition=None, members=None, project=None, role=None, service=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

• iap.AppEngineServiceIamPolicy: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached.

• iap.AppEngineServiceIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved.

• iap.AppEngineServiceIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

Note: iap.AppEngineServiceIamPolicy cannot be used in conjunction with iap.AppEngineServiceIamBinding and iap.AppEngineServiceIamMember or they will fight over what your policy should be.

Note: iap.AppEngineServiceIamBinding resources can be used in conjunction with iap.AppEngineServiceIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.AppEngineServiceIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.AppEngineServiceIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineServiceIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineServiceIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineServiceIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineServiceIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) – An IAM Condition for a given binding. Structure is documented below.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

app_id: pulumi.Output[str] = None¶

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

condition: pulumi.Output[dict] = None¶

An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.AppEngineServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service: pulumi.Output[str] = None¶

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, app_id=None, condition=None, etag=None, members=None, project=None, role=None, service=None)¶

Get an existing AppEngineServiceIamBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.AppEngineServiceIamMember(resource_name, opts=None, app_id=None, condition=None, member=None, project=None, role=None, service=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

• iap.AppEngineServiceIamPolicy: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached.

• iap.AppEngineServiceIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved.

• iap.AppEngineServiceIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

Note: iap.AppEngineServiceIamPolicy cannot be used in conjunction with iap.AppEngineServiceIamBinding and iap.AppEngineServiceIamMember or they will fight over what your policy should be.

Note: iap.AppEngineServiceIamBinding resources can be used in conjunction with iap.AppEngineServiceIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.AppEngineServiceIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.AppEngineServiceIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineServiceIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineServiceIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineServiceIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineServiceIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

app_id: pulumi.Output[str] = None¶

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

condition: pulumi.Output[dict] = None¶

An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.AppEngineServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service: pulumi.Output[str] = None¶

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, app_id=None, condition=None, etag=None, member=None, project=None, role=None, service=None)¶

Get an existing AppEngineServiceIamMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.AppEngineServiceIamPolicy(resource_name, opts=None, app_id=None, policy_data=None, project=None, service=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

• iap.AppEngineServiceIamPolicy: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached.

• iap.AppEngineServiceIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved.

• iap.AppEngineServiceIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

Note: iap.AppEngineServiceIamPolicy cannot be used in conjunction with iap.AppEngineServiceIamBinding and iap.AppEngineServiceIamMember or they will fight over what your policy should be.

Note: iap.AppEngineServiceIamBinding resources can be used in conjunction with iap.AppEngineServiceIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.AppEngineServiceIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.AppEngineServiceIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineServiceIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineServiceIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineServiceIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineServiceIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"])

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

app_id: pulumi.Output[str] = None¶

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

policy_data: pulumi.Output[str] = None¶

The policy data generated by a organizations.getIAMPolicy data source.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

service: pulumi.Output[str] = None¶

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, app_id=None, etag=None, policy_data=None, project=None, service=None)¶

Get an existing AppEngineServiceIamPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.AppEngineVersionIamBinding(resource_name, opts=None, app_id=None, condition=None, members=None, project=None, role=None, service=None, version_id=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

• iap.AppEngineVersionIamPolicy: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached.

• iap.AppEngineVersionIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved.

• iap.AppEngineVersionIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

Note: iap.AppEngineVersionIamPolicy cannot be used in conjunction with iap.AppEngineVersionIamBinding and iap.AppEngineVersionIamMember or they will fight over what your policy should be.

Note: iap.AppEngineVersionIamBinding resources can be used in conjunction with iap.AppEngineVersionIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.AppEngineVersionIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.AppEngineVersionIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineVersionIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

• version_id (pulumi.Input[str]) – Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

app_id: pulumi.Output[str] = None¶

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

condition: pulumi.Output[dict] = None¶

An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.AppEngineVersionIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service: pulumi.Output[str] = None¶

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

version_id: pulumi.Output[str] = None¶

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, app_id=None, condition=None, etag=None, members=None, project=None, role=None, service=None, version_id=None)¶

Get an existing AppEngineVersionIamBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineVersionIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

• version_id (pulumi.Input[str]) – Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.AppEngineVersionIamMember(resource_name, opts=None, app_id=None, condition=None, member=None, project=None, role=None, service=None, version_id=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

• iap.AppEngineVersionIamPolicy: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached.

• iap.AppEngineVersionIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved.

• iap.AppEngineVersionIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

Note: iap.AppEngineVersionIamPolicy cannot be used in conjunction with iap.AppEngineVersionIamBinding and iap.AppEngineVersionIamMember or they will fight over what your policy should be.

Note: iap.AppEngineVersionIamBinding resources can be used in conjunction with iap.AppEngineVersionIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.AppEngineVersionIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.AppEngineVersionIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineVersionIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

• version_id (pulumi.Input[str]) – Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

app_id: pulumi.Output[str] = None¶

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

condition: pulumi.Output[dict] = None¶

An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.AppEngineVersionIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service: pulumi.Output[str] = None¶

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

version_id: pulumi.Output[str] = None¶

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, app_id=None, condition=None, etag=None, member=None, project=None, role=None, service=None, version_id=None)¶

Get an existing AppEngineVersionIamMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• condition (pulumi.Input[dict]) –

  An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.AppEngineVersionIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

• version_id (pulumi.Input[str]) – Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.AppEngineVersionIamPolicy(resource_name, opts=None, app_id=None, policy_data=None, project=None, service=None, version_id=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

• iap.AppEngineVersionIamPolicy: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached.

• iap.AppEngineVersionIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved.

• iap.AppEngineVersionIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

Note: iap.AppEngineVersionIamPolicy cannot be used in conjunction with iap.AppEngineVersionIamBinding and iap.AppEngineVersionIamMember or they will fight over what your policy should be.

Note: iap.AppEngineVersionIamBinding resources can be used in conjunction with iap.AppEngineVersionIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.AppEngineVersionIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.AppEngineVersionIamPolicy("policy",
    project=google_app_engine_standard_app_version["version"]["project"],
    app_id=google_app_engine_standard_app_version["version"]["project"],
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    app_id=google_app_engine_standard_app_version["version"]["project"],
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project=google_app_engine_standard_app_version["version"]["project"],
    role="roles/iap.httpsResourceAccessor",
    service=google_app_engine_standard_app_version["version"]["service"],
    version_id=google_app_engine_standard_app_version["version"]["version_id"])

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

• version_id (pulumi.Input[str]) – Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

app_id: pulumi.Output[str] = None¶

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

policy_data: pulumi.Output[str] = None¶

The policy data generated by a organizations.getIAMPolicy data source.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

service: pulumi.Output[str] = None¶

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

version_id: pulumi.Output[str] = None¶

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, app_id=None, etag=None, policy_data=None, project=None, service=None, version_id=None)¶

Get an existing AppEngineVersionIamPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• app_id (pulumi.Input[str]) – Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• service (pulumi.Input[str]) – Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

• version_id (pulumi.Input[str]) – Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.Brand(resource_name, opts=None, application_title=None, project=None, support_email=None, __props__=None, __name__=None, __opts__=None)¶

OAuth brand data. Only “Organization Internal” brands can be created programatically via API. To convert it into an external brands please use the GCP Console.

Note: Brands can be created only once for a Google Cloud Platform project and cannot be deleted. Destroying a provider-managed Brand will remove it from state but will not delete the resource on the server.

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• application_title (pulumi.Input[str]) – Application name displayed on OAuth consent screen.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

• support_email (pulumi.Input[str]) – Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

application_title: pulumi.Output[str] = None¶

Application name displayed on OAuth consent screen.

name: pulumi.Output[str] = None¶

Output only. Identifier of the brand, in the format ‘projects/{project_number}/brands/{brand_id}’. NOTE: The brand identification corresponds to the project number as only one brand per project can be created.

org_internal_only: pulumi.Output[bool] = None¶

Whether the brand is only intended for usage inside the GSuite organization only.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

support_email: pulumi.Output[str] = None¶

Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

static get(resource_name, id, opts=None, application_title=None, name=None, org_internal_only=None, project=None, support_email=None)¶

Get an existing Brand resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• application_title (pulumi.Input[str]) – Application name displayed on OAuth consent screen.

• name (pulumi.Input[str]) – Output only. Identifier of the brand, in the format ‘projects/{project_number}/brands/{brand_id}’. NOTE: The brand identification corresponds to the project number as only one brand per project can be created.

• org_internal_only (pulumi.Input[bool]) – Whether the brand is only intended for usage inside the GSuite organization only.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

• support_email (pulumi.Input[str]) – Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.Client(resource_name, opts=None, brand=None, display_name=None, __props__=None, __name__=None, __opts__=None)¶

Contains the data that describes an Identity Aware Proxy owned client.

Note: Only internal org clients can be created via declarative tools. Other types of clients must be manually created via the GCP console. This restriction is due to the existing APIs and not lack of support in this tool.

Warning: All arguments including secret will be stored in the raw state as plain-text. Read more about secrets in state.

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• brand (pulumi.Input[str]) – Identifier of the brand to which this client is attached to. The format is projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}.

• display_name (pulumi.Input[str]) – Human-friendly name given to the OAuth client.

brand: pulumi.Output[str] = None¶

Identifier of the brand to which this client is attached to. The format is projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}.

client_id: pulumi.Output[str] = None¶

Output only. Unique identifier of the OAuth client.

display_name: pulumi.Output[str] = None¶

Human-friendly name given to the OAuth client.

secret: pulumi.Output[str] = None¶

Output only. Client secret of the OAuth client.

static get(resource_name, id, opts=None, brand=None, client_id=None, display_name=None, secret=None)¶

Get an existing Client resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• brand (pulumi.Input[str]) – Identifier of the brand to which this client is attached to. The format is projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}.

• client_id (pulumi.Input[str]) – Output only. Unique identifier of the OAuth client.

• display_name (pulumi.Input[str]) – Human-friendly name given to the OAuth client.

• secret (pulumi.Input[str]) – Output only. Client secret of the OAuth client.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.TunnelInstanceIAMBinding(resource_name, opts=None, condition=None, instance=None, members=None, project=None, role=None, zone=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

• iap.TunnelInstanceIAMPolicy: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached.

• iap.TunnelInstanceIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved.

• iap.TunnelInstanceIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

Note: iap.TunnelInstanceIAMPolicy cannot be used in conjunction with iap.TunnelInstanceIAMBinding and iap.TunnelInstanceIAMMember or they will fight over what your policy should be.

Note: iap.TunnelInstanceIAMBinding resources can be used in conjunction with iap.TunnelInstanceIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.tunnelResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.tunnelResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.TunnelInstanceIAMBinding("binding",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.TunnelInstanceIAMBinding("binding",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.TunnelInstanceIAMMember("member",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.TunnelInstanceIAMMember("member",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• condition (pulumi.Input[dict]) –

  ) An IAM Condition for a given binding. Structure is documented below.

• instance (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.TunnelInstanceIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None¶

) An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

instance: pulumi.Output[str] = None¶

Used to find the parent resource to bind the IAM policy to

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.TunnelInstanceIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, instance=None, members=None, project=None, role=None, zone=None)¶

Get an existing TunnelInstanceIAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• condition (pulumi.Input[dict]) –

  ) An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• instance (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.TunnelInstanceIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.TunnelInstanceIAMMember(resource_name, opts=None, condition=None, instance=None, member=None, project=None, role=None, zone=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

• iap.TunnelInstanceIAMPolicy: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached.

• iap.TunnelInstanceIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved.

• iap.TunnelInstanceIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

Note: iap.TunnelInstanceIAMPolicy cannot be used in conjunction with iap.TunnelInstanceIAMBinding and iap.TunnelInstanceIAMMember or they will fight over what your policy should be.

Note: iap.TunnelInstanceIAMBinding resources can be used in conjunction with iap.TunnelInstanceIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.tunnelResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.tunnelResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.TunnelInstanceIAMBinding("binding",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.TunnelInstanceIAMBinding("binding",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.TunnelInstanceIAMMember("member",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.TunnelInstanceIAMMember("member",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• condition (pulumi.Input[dict]) –

  ) An IAM Condition for a given binding. Structure is documented below.

• instance (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.TunnelInstanceIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None¶

) An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

instance: pulumi.Output[str] = None¶

Used to find the parent resource to bind the IAM policy to

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.TunnelInstanceIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, instance=None, member=None, project=None, role=None, zone=None)¶

Get an existing TunnelInstanceIAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• condition (pulumi.Input[dict]) –

  ) An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• instance (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.TunnelInstanceIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.TunnelInstanceIAMPolicy(resource_name, opts=None, instance=None, policy_data=None, project=None, zone=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

• iap.TunnelInstanceIAMPolicy: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached.

• iap.TunnelInstanceIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved.

• iap.TunnelInstanceIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

Note: iap.TunnelInstanceIAMPolicy cannot be used in conjunction with iap.TunnelInstanceIAMBinding and iap.TunnelInstanceIAMMember or they will fight over what your policy should be.

Note: iap.TunnelInstanceIAMBinding resources can be used in conjunction with iap.TunnelInstanceIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.tunnelResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.tunnelResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.TunnelInstanceIAMBinding("binding",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.TunnelInstanceIAMBinding("binding",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.TunnelInstanceIAMMember("member",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.TunnelInstanceIAMMember("member",
    project=google_compute_instance["tunnelvm"]["project"],
    zone=google_compute_instance["tunnelvm"]["zone"],
    instance=google_compute_instance["tunnelvm"]["name"],
    role="roles/iap.tunnelResourceAccessor",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• instance (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

• policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

instance: pulumi.Output[str] = None¶

Used to find the parent resource to bind the IAM policy to

policy_data: pulumi.Output[str] = None¶

The policy data generated by a organizations.getIAMPolicy data source.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

static get(resource_name, id, opts=None, etag=None, instance=None, policy_data=None, project=None, zone=None)¶

Get an existing TunnelInstanceIAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• instance (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

• policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.iap.WebBackendServiceIamBinding(resource_name, opts=None, condition=None, members=None, project=None, role=None, web_backend_service=None, __props__=None, __name__=None, __opts__=None)¶

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

• iap.WebBackendServiceIamPolicy: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached.

• iap.WebBackendServiceIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved.

• iap.WebBackendServiceIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

Note: iap.WebBackendServiceIamPolicy cannot be used in conjunction with iap.WebBackendServiceIamBinding and iap.WebBackendServiceIamMember or they will fight over what your policy should be.

Note: iap.WebBackendServiceIamBinding resources can be used in conjunction with iap.WebBackendServiceIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.iap.WebBackendServiceIamPolicy("policy",
    project=google_compute_backend_service["default"]["project"],
    web_backend_service=google_compute_backend_service["default"]["name"],
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/iap.httpsResourceAccessor",
    "members": ["user:jane@example.com"],
    "condition": {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    },
}])
policy = gcp.iap.WebBackendServiceIamPolicy("policy",
    project=google_compute_backend_service["default"]["project"],
    web_backend_service=google_compute_backend_service["default"]["name"],
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.WebBackendServiceIamBinding("binding",
    project=google_compute_backend_service["default"]["project"],
    web_backend_service=google_compute_backend_service["default"]["name"],
    role="roles/iap.httpsResourceAccessor",
    members=["user:jane@example.com"])

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.WebBackendServiceIamBinding("binding",
    project=google_compute_backend_service["default"]["project"],
    web_backend_service=google_compute_backend_service["default"]["name"],
    role="roles/iap.httpsResourceAccessor",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.WebBackendServiceIamMember("member",
    project=google_compute_backend_service["default"]["project"],
    web_backend_service=google_compute_backend_service["default"]["name"],
    role="roles/iap.httpsResourceAccessor",
    member="user:jane@example.com")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.WebBackendServiceIamMember("member",
    project=google_compute_backend_service["default"]["project"],
    web_backend_service=google_compute_backend_service["default"]["name"],
    role="roles/iap.httpsResourceAccessor",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp("2020-01-01T00:00:00Z")",
    })

Parameters

• resource_name (str) – The name of the resource.

• opts (pulumi.ResourceOptions) – Options for the resource.

• condition (pulumi.Input[dict]) –

  ) An IAM Condition for a given binding. Structure is documented below.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.WebBackendServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• web_backend_service (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None¶

) An IAM Condition for a given binding. Structure is documented below.

• description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (str) - Textual representation of an expression in Common Expression Language syntax.

• title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None¶

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None¶

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None¶

The role that should be applied. Only one iap.WebBackendServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

web_backend_service: pulumi.Output[str] = None¶

Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, condition=None, etag=None, members=None, project=None, role=None, web_backend_service=None)¶

Get an existing WebBackendServiceIamBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

• resource_name (str) – The unique name of the resulting resource.

• id (str) – The unique provider ID of the resource to lookup.

• opts (pulumi.ResourceOptions) – Options for the resource.

• condition (pulumi.Input[dict]) –

  ) An IAM Condition for a given binding. Structure is documented below.

• etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

• project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

• role (pulumi.Input[str]) – The role that should be applied. Only one iap.WebBackendServiceIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• web_backend_service (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

• description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

• title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str