1. Docs
  2. Reference
  3. API
  4. pulumi_gcp
  5. organizations

This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

organizations

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

class pulumi_gcp.organizations.AwaitableGetActiveFolderResult(display_name=None, id=None, name=None, parent=None)
class pulumi_gcp.organizations.AwaitableGetBillingAccountResult(billing_account=None, display_name=None, id=None, name=None, open=None, project_ids=None)
class pulumi_gcp.organizations.AwaitableGetClientConfigResult(access_token=None, id=None, project=None, region=None, zone=None)
class pulumi_gcp.organizations.AwaitableGetClientOpenIdUserInfoResult(email=None, id=None)
class pulumi_gcp.organizations.AwaitableGetFolderResult(create_time=None, display_name=None, folder=None, id=None, lifecycle_state=None, lookup_organization=None, name=None, organization=None, parent=None)
class pulumi_gcp.organizations.AwaitableGetIAMPolicyResult(audit_configs=None, bindings=None, id=None, policy_data=None)
class pulumi_gcp.organizations.AwaitableGetOrganizationResult(create_time=None, directory_customer_id=None, domain=None, id=None, lifecycle_state=None, name=None, org_id=None, organization=None)
class pulumi_gcp.organizations.AwaitableGetProjectResult(auto_create_network=None, billing_account=None, folder_id=None, id=None, labels=None, name=None, number=None, org_id=None, project_id=None, skip_delete=None)
class pulumi_gcp.organizations.Folder(resource_name, opts=None, display_name=None, parent=None, __props__=None, __name__=None, __opts__=None)

Allows management of a Google Cloud Platform folder. For more information see the official documentation and API.

A folder can contain projects, other folders, or a combination of both. You can use folders to group projects under an organization in a hierarchy. For example, your organization might contain multiple departments, each with its own set of Cloud Platform resources. Folders allows you to group these resources on a per-department basis. Folders are used to group resources that share common IAM policies.

Folders created live inside an Organization. See the Organization documentation for more details.

The service account used to run the provider when creating a organizations.Folder resource must have roles/resourcemanager.folderCreator. See the Access Control for Folders Using IAM doc for more information.

import pulumi
import pulumi_gcp as gcp

# Top-level folder under an organization.
department1 = gcp.organizations.Folder("department1",
    display_name="Department 1",
    parent="organizations/1234567")
# Folder nested under another folder.
team_abc = gcp.organizations.Folder("team-abc",
    display_name="Team ABC",
    parent=department1.name)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • display_name (pulumi.Input[str]) – The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters.

  • parent (pulumi.Input[str]) – The resource name of the parent Folder or Organization. Must be of the form folders/{folder_id} or organizations/{org_id}.

create_time: pulumi.Output[str] = None

Timestamp when the Folder was created. Assigned by the server. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

display_name: pulumi.Output[str] = None

The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters.

lifecycle_state: pulumi.Output[str] = None

The lifecycle state of the folder such as ACTIVE or DELETE_REQUESTED.

name: pulumi.Output[str] = None

The resource name of the Folder. Its format is folders/{folder_id}.

parent: pulumi.Output[str] = None

The resource name of the parent Folder or Organization. Must be of the form folders/{folder_id} or organizations/{org_id}.

static get(resource_name, id, opts=None, create_time=None, display_name=None, lifecycle_state=None, name=None, parent=None)

Get an existing Folder resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • create_time (pulumi.Input[str]) – Timestamp when the Folder was created. Assigned by the server. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

  • display_name (pulumi.Input[str]) – The folder’s display name. A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters.

  • lifecycle_state (pulumi.Input[str]) – The lifecycle state of the folder such as ACTIVE or DELETE_REQUESTED.

  • name (pulumi.Input[str]) – The resource name of the Folder. Its format is folders/{folder_id}.

  • parent (pulumi.Input[str]) – The resource name of the parent Folder or Organization. Must be of the form folders/{folder_id} or organizations/{org_id}.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.GetActiveFolderResult(display_name=None, id=None, name=None, parent=None)

A collection of values returned by getActiveFolder.

id = None

The provider-assigned unique ID for this managed resource.

name = None

The resource name of the Folder. This uniquely identifies the folder.

class pulumi_gcp.organizations.GetBillingAccountResult(billing_account=None, display_name=None, id=None, name=None, open=None, project_ids=None)

A collection of values returned by getBillingAccount.

id = None

The provider-assigned unique ID for this managed resource.

name = None

The resource name of the billing account in the form billingAccounts/{billing_account_id}.

project_ids = None

The IDs of any projects associated with the billing account.

class pulumi_gcp.organizations.GetClientConfigResult(access_token=None, id=None, project=None, region=None, zone=None)

A collection of values returned by getClientConfig.

access_token = None

The OAuth2 access token used by the client to authenticate against the Google Cloud API.

id = None

The provider-assigned unique ID for this managed resource.

project = None

The ID of the project to apply any resources to.

region = None

The region to operate under.

zone = None

The zone to operate under.

class pulumi_gcp.organizations.GetClientOpenIdUserInfoResult(email=None, id=None)

A collection of values returned by getClientOpenIdUserInfo.

email = None

The email of the account used by the provider to authenticate with GCP.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_gcp.organizations.GetFolderResult(create_time=None, display_name=None, folder=None, id=None, lifecycle_state=None, lookup_organization=None, name=None, organization=None, parent=None)

A collection of values returned by getFolder.

create_time = None

Timestamp when the Organization was created. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

display_name = None

The folder’s display name.

id = None

The provider-assigned unique ID for this managed resource.

lifecycle_state = None

The Folder’s current lifecycle state.

name = None

The resource name of the Folder in the form folders/{folder_id}.

organization = None

If lookup_organization is enable, the resource name of the Organization that the folder belongs.

parent = None

The resource name of the parent Folder or Organization.

class pulumi_gcp.organizations.GetIAMPolicyResult(audit_configs=None, bindings=None, id=None, policy_data=None)

A collection of values returned by getIAMPolicy.

id = None

The provider-assigned unique ID for this managed resource.

policy_data = None

The above bindings serialized in a format suitable for referencing from a resource that supports IAM.

class pulumi_gcp.organizations.GetOrganizationResult(create_time=None, directory_customer_id=None, domain=None, id=None, lifecycle_state=None, name=None, org_id=None, organization=None)

A collection of values returned by getOrganization.

create_time = None

Timestamp when the Organization was created. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

directory_customer_id = None

The Google for Work customer ID of the Organization.

id = None

The provider-assigned unique ID for this managed resource.

lifecycle_state = None

The Organization’s current lifecycle state.

name = None

The resource name of the Organization in the form organizations/{organization_id}.

org_id = None

The Organization ID.

class pulumi_gcp.organizations.GetProjectResult(auto_create_network=None, billing_account=None, folder_id=None, id=None, labels=None, name=None, number=None, org_id=None, project_id=None, skip_delete=None)

A collection of values returned by getProject.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_gcp.organizations.IAMBinding(resource_name, opts=None, condition=None, members=None, org_id=None, role=None, __props__=None, __name__=None, __opts__=None)

Allows creation and management of a single binding within IAM policy for an existing Google Cloud Platform Organization.

Note: This resource must not be used in conjunction with

organizations.IAMMember for the same role or they will fight over what your policy should be.

Note: On create, this resource will overwrite members of any existing roles.

Use pulumi import and inspect the `output to ensure your existing members are preserved.

import pulumi
import pulumi_gcp as gcp

binding = gcp.organizations.IAMBinding("binding",
    members=["user:alice@gmail.com"],
    org_id="123456789",
    role="roles/browser")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • members (pulumi.Input[list]) – A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • role (pulumi.Input[str]) – The role that should be applied. Only one organizations.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

etag: pulumi.Output[str] = None

(Computed) The etag of the organization’s IAM policy.

members: pulumi.Output[list] = None

A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding

org_id: pulumi.Output[str] = None

The numeric ID of the organization in which you want to create a custom role.

role: pulumi.Output[str] = None

The role that should be applied. Only one organizations.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, members=None, org_id=None, role=None)

Get an existing IAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the organization’s IAM policy.

  • members (pulumi.Input[list]) – A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • role (pulumi.Input[str]) – The role that should be applied. Only one organizations.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.IAMCustomRole(resource_name, opts=None, description=None, org_id=None, permissions=None, role_id=None, stage=None, title=None, __props__=None, __name__=None, __opts__=None)

Allows management of a customized Cloud IAM organization role. For more information see the official documentation and API.

Warning: Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise

from this and how roles are propagated. 1) creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by the provider, and new roles cannot share that name.

import pulumi
import pulumi_gcp as gcp

my_custom_role = gcp.organizations.IAMCustomRole("my-custom-role",
    description="A description",
    org_id="123456789",
    permissions=[
        "iam.roles.list",
        "iam.roles.create",
        "iam.roles.delete",
    ],
    role_id="myCustomRole",
    title="My Custom Role")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – A human-readable description for the role.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • permissions (pulumi.Input[list]) – The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

  • role_id (pulumi.Input[str]) – The role id to use for this role.

  • stage (pulumi.Input[str]) – The current launch stage of the role. Defaults to GA. List of possible stages is here.

  • title (pulumi.Input[str]) – A human-readable title for the role.

deleted: pulumi.Output[bool] = None

(Optional) The current deleted state of the role.

description: pulumi.Output[str] = None

A human-readable description for the role.

name: pulumi.Output[str] = None

The name of the role in the format organizations/{{org_id}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.

org_id: pulumi.Output[str] = None

The numeric ID of the organization in which you want to create a custom role.

permissions: pulumi.Output[list] = None

The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

role_id: pulumi.Output[str] = None

The role id to use for this role.

stage: pulumi.Output[str] = None

The current launch stage of the role. Defaults to GA. List of possible stages is here.

title: pulumi.Output[str] = None

A human-readable title for the role.

static get(resource_name, id, opts=None, deleted=None, description=None, name=None, org_id=None, permissions=None, role_id=None, stage=None, title=None)

Get an existing IAMCustomRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • deleted (pulumi.Input[bool]) – (Optional) The current deleted state of the role.

  • description (pulumi.Input[str]) – A human-readable description for the role.

  • name (pulumi.Input[str]) – The name of the role in the format organizations/{{org_id}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • permissions (pulumi.Input[list]) – The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

  • role_id (pulumi.Input[str]) – The role id to use for this role.

  • stage (pulumi.Input[str]) –

    The current launch stage of the role. Defaults to GA. List of possible stages is here.

  • title (pulumi.Input[str]) – A human-readable title for the role.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.IAMMember(resource_name, opts=None, condition=None, member=None, org_id=None, role=None, __props__=None, __name__=None, __opts__=None)

Allows creation and management of a single member for a single binding within the IAM policy for an existing Google Cloud Platform Organization.

Note: This resource must not be used in conjunction with

organizations.IAMBinding for the same role or they will fight over what your policy should be.

import pulumi
import pulumi_gcp as gcp

binding = gcp.organizations.IAMMember("binding",
    member="user:alice@gmail.com",
    org_id="0123456789",
    role="roles/editor")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • member (pulumi.Input[str]) – The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • role (pulumi.Input[str]) – The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

etag: pulumi.Output[str] = None

(Computed) The etag of the organization’s IAM policy.

member: pulumi.Output[str] = None

The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding

org_id: pulumi.Output[str] = None

The numeric ID of the organization in which you want to create a custom role.

role: pulumi.Output[str] = None

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, member=None, org_id=None, role=None)

Get an existing IAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the organization’s IAM policy.

  • member (pulumi.Input[str]) – The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • role (pulumi.Input[str]) – The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.IAMPolicy(resource_name, opts=None, org_id=None, policy_data=None, __props__=None, __name__=None, __opts__=None)

Allows management of the entire IAM policy for an existing Google Cloud Platform Organization.

!> Warning: New organizations have several default policies which will,

without extreme caution, be overwritten by use of this resource. The safest alternative is to use multiple organizations.IAMBinding resources. It is easy to use this resource to remove your own access to an organization, which will require a call to Google Support to have fixed, and can take multiple days to resolve. If you do use this resource, the best way to be sure that you are not making dangerous changes is to start by importing your existing policy, and examining the diff very closely.

Note: This resource must not be used in conjunction with

organizations.IAMMember or organizations.IAMBinding or they will fight over what your policy should be.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
policy = gcp.organizations.IAMPolicy("policy",
    org_id="123456789",
    policy_data=admin.policy_data)
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • policy_data (pulumi.Input[str]) – The organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the organization. This policy overrides any existing policy applied to the organization.

org_id: pulumi.Output[str] = None

The numeric ID of the organization in which you want to create a custom role.

policy_data: pulumi.Output[str] = None

The organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the organization. This policy overrides any existing policy applied to the organization.

static get(resource_name, id, opts=None, etag=None, org_id=None, policy_data=None)

Get an existing IAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to create a custom role.

  • policy_data (pulumi.Input[str]) – The organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the organization. This policy overrides any existing policy applied to the organization.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.IamAuditConfig(resource_name, opts=None, audit_log_configs=None, org_id=None, service=None, __props__=None, __name__=None, __opts__=None)

Allows management of audit logging config for a given service for a Google Cloud Platform Organization.

import pulumi
import pulumi_gcp as gcp

config = gcp.organizations.IamAuditConfig("config",
    audit_log_configs=[{
        "exemptedMembers": ["user:joebloggs@hashicorp.com"],
        "logType": "DATA_READ",
    }],
    org_id="your-organization-id",
    service="allServices")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • audit_log_configs (pulumi.Input[list]) – The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to manage the audit logging config.

  • service (pulumi.Input[str]) – Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_organization_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

The audit_log_configs object supports the following:

  • exemptedMembers (pulumi.Input[list]) - Identities that do not cause logging for this type of permission. Each entry can have one of the following values:

    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.

    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.

    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.

    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

  • logType (pulumi.Input[str]) - Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

audit_log_configs: pulumi.Output[list] = None

The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

  • exemptedMembers (list) - Identities that do not cause logging for this type of permission. Each entry can have one of the following values:

    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.

    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.

    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.

    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

  • logType (str) - Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

org_id: pulumi.Output[str] = None

The numeric ID of the organization in which you want to manage the audit logging config.

service: pulumi.Output[str] = None

Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_organization_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

static get(resource_name, id, opts=None, audit_log_configs=None, etag=None, org_id=None, service=None)

Get an existing IamAuditConfig resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • audit_log_configs (pulumi.Input[list]) – The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization in which you want to manage the audit logging config.

  • service (pulumi.Input[str]) – Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_organization_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

The audit_log_configs object supports the following:

  • exemptedMembers (pulumi.Input[list]) - Identities that do not cause logging for this type of permission. Each entry can have one of the following values:

    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.

    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.

    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.

    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

  • logType (pulumi.Input[str]) - Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.Policy(resource_name, opts=None, boolean_policy=None, constraint=None, list_policy=None, org_id=None, restore_policy=None, version=None, __props__=None, __name__=None, __opts__=None)

Allows management of Organization policies for a Google Organization. For more information see the official documentation and API.

import pulumi
import pulumi_gcp as gcp

serial_port_policy = gcp.organizations.Policy("serialPortPolicy",
    boolean_policy={
        "enforced": True,
    },
    constraint="compute.disableSerialPortAccess",
    org_id="123456789")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • boolean_policy (pulumi.Input[dict]) – A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • constraint (pulumi.Input[str]) – The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

  • list_policy (pulumi.Input[dict]) – A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization to set the policy for.

  • restore_policy (pulumi.Input[dict]) – A restore policy is a constraint to restore the default policy. Structure is documented below.

  • version (pulumi.Input[float]) – Version of the Policy. Default version is 0.

The boolean_policy object supports the following:

  • enforced (pulumi.Input[bool]) - If true, then the Policy is enforced. If false, then any configuration is acceptable.

The list_policy object supports the following:

  • allow (pulumi.Input[dict]) - or deny - (Optional) One or the other must be set.

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • deny (pulumi.Input[dict])

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • inheritFromParent (pulumi.Input[bool]) - If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggestedValue (pulumi.Input[str]) - The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

The restore_policy object supports the following:

  • default (pulumi.Input[bool]) - May only be set to true. If set, then the default Policy is restored.

boolean_policy: pulumi.Output[dict] = None

A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • enforced (bool) - If true, then the Policy is enforced. If false, then any configuration is acceptable.

constraint: pulumi.Output[str] = None

The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

etag: pulumi.Output[str] = None

(Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

list_policy: pulumi.Output[dict] = None

A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • allow (dict) - or deny - (Optional) One or the other must be set.

    • all (bool) - The policy allows or denies all values.

    • values (list) - The policy can define specific values that are allowed or denied.

  • deny (dict)

    • all (bool) - The policy allows or denies all values.

    • values (list) - The policy can define specific values that are allowed or denied.

  • inheritFromParent (bool) - If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggestedValue (str) - The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

org_id: pulumi.Output[str] = None

The numeric ID of the organization to set the policy for.

restore_policy: pulumi.Output[dict] = None

A restore policy is a constraint to restore the default policy. Structure is documented below.

  • default (bool) - May only be set to true. If set, then the default Policy is restored.

update_time: pulumi.Output[str] = None

(Computed) The timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds, representing when the variable was last updated. Example: “2016-10-09T12:33:37.578138407Z”.

version: pulumi.Output[float] = None

Version of the Policy. Default version is 0.

static get(resource_name, id, opts=None, boolean_policy=None, constraint=None, etag=None, list_policy=None, org_id=None, restore_policy=None, update_time=None, version=None)

Get an existing Policy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • boolean_policy (pulumi.Input[dict]) – A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • constraint (pulumi.Input[str]) –

    The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

  • etag (pulumi.Input[str]) – (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

  • list_policy (pulumi.Input[dict]) – A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization to set the policy for.

  • restore_policy (pulumi.Input[dict]) – A restore policy is a constraint to restore the default policy. Structure is documented below.

  • update_time (pulumi.Input[str]) – (Computed) The timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds, representing when the variable was last updated. Example: “2016-10-09T12:33:37.578138407Z”.

  • version (pulumi.Input[float]) – Version of the Policy. Default version is 0.

The boolean_policy object supports the following:

  • enforced (pulumi.Input[bool]) - If true, then the Policy is enforced. If false, then any configuration is acceptable.

The list_policy object supports the following:

  • allow (pulumi.Input[dict]) - or deny - (Optional) One or the other must be set.

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • deny (pulumi.Input[dict])

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • inheritFromParent (pulumi.Input[bool]) - If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggestedValue (pulumi.Input[str]) - The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

The restore_policy object supports the following:

  • default (pulumi.Input[bool]) - May only be set to true. If set, then the default Policy is restored.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.organizations.Project(resource_name, opts=None, auto_create_network=None, billing_account=None, folder_id=None, labels=None, name=None, org_id=None, project_id=None, skip_delete=None, __props__=None, __name__=None, __opts__=None)

Allows creation and management of a Google Cloud Platform project.

Projects created with this resource must be associated with an Organization. See the Organization documentation for more details.

The service account used to run this provider when creating a organizations.Project resource must have roles/resourcemanager.projectCreator. See the Access Control for Organizations Using IAM doc for more information.

import pulumi
import pulumi_gcp as gcp

my_project = gcp.organizations.Project("myProject",
    org_id="1234567",
    project_id="your-project-id")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • auto_create_network (pulumi.Input[bool]) – Create the ‘default’ network automatically. Default true. If set to false, the default network will be deleted. Note that, for quota purposes, you will still need to have 1 network slot available to create the project successfully, even if you set auto_create_network to false, since the network will exist momentarily.

  • billing_account (pulumi.Input[str]) – The alphanumeric ID of the billing account this project belongs to. The user or service account performing this operation with the provider must have Billing Account Administrator privileges (roles/billing.admin) in the organization. See Google Cloud Billing API Access Control for more details.

  • folder_id (pulumi.Input[str]) – The numeric ID of the folder this project should be created under. Only one of org_id or folder_id may be specified. If the folder_id is specified, then the project is created under the specified folder. Changing this forces the project to be migrated to the newly specified folder.

  • labels (pulumi.Input[dict]) – A set of key/value label pairs to assign to the project.

  • name (pulumi.Input[str]) – The display name of the project.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization this project belongs to. Changing this forces a new project to be created. Only one of org_id or folder_id may be specified. If the org_id is specified then the project is created at the top level. Changing this forces the project to be migrated to the newly specified organization.

  • project_id (pulumi.Input[str]) – The project ID. Changing this forces a new project to be created.

  • skip_delete (pulumi.Input[bool]) – If true, the resource can be deleted without deleting the Project via the Google API.

auto_create_network: pulumi.Output[bool] = None

Create the ‘default’ network automatically. Default true. If set to false, the default network will be deleted. Note that, for quota purposes, you will still need to have 1 network slot available to create the project successfully, even if you set auto_create_network to false, since the network will exist momentarily.

billing_account: pulumi.Output[str] = None

The alphanumeric ID of the billing account this project belongs to. The user or service account performing this operation with the provider must have Billing Account Administrator privileges (roles/billing.admin) in the organization. See Google Cloud Billing API Access Control for more details.

folder_id: pulumi.Output[str] = None

The numeric ID of the folder this project should be created under. Only one of org_id or folder_id may be specified. If the folder_id is specified, then the project is created under the specified folder. Changing this forces the project to be migrated to the newly specified folder.

labels: pulumi.Output[dict] = None

A set of key/value label pairs to assign to the project.

name: pulumi.Output[str] = None

The display name of the project.

number: pulumi.Output[str] = None

The numeric identifier of the project.

org_id: pulumi.Output[str] = None

The numeric ID of the organization this project belongs to. Changing this forces a new project to be created. Only one of org_id or folder_id may be specified. If the org_id is specified then the project is created at the top level. Changing this forces the project to be migrated to the newly specified organization.

project_id: pulumi.Output[str] = None

The project ID. Changing this forces a new project to be created.

skip_delete: pulumi.Output[bool] = None

If true, the resource can be deleted without deleting the Project via the Google API.

static get(resource_name, id, opts=None, auto_create_network=None, billing_account=None, folder_id=None, labels=None, name=None, number=None, org_id=None, project_id=None, skip_delete=None)

Get an existing Project resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • auto_create_network (pulumi.Input[bool]) – Create the ‘default’ network automatically. Default true. If set to false, the default network will be deleted. Note that, for quota purposes, you will still need to have 1 network slot available to create the project successfully, even if you set auto_create_network to false, since the network will exist momentarily.

  • billing_account (pulumi.Input[str]) –

    The alphanumeric ID of the billing account this project belongs to. The user or service account performing this operation with the provider must have Billing Account Administrator privileges (roles/billing.admin) in the organization. See Google Cloud Billing API Access Control for more details.

  • folder_id (pulumi.Input[str]) – The numeric ID of the folder this project should be created under. Only one of org_id or folder_id may be specified. If the folder_id is specified, then the project is created under the specified folder. Changing this forces the project to be migrated to the newly specified folder.

  • labels (pulumi.Input[dict]) – A set of key/value label pairs to assign to the project.

  • name (pulumi.Input[str]) – The display name of the project.

  • number (pulumi.Input[str]) – The numeric identifier of the project.

  • org_id (pulumi.Input[str]) – The numeric ID of the organization this project belongs to. Changing this forces a new project to be created. Only one of org_id or folder_id may be specified. If the org_id is specified then the project is created at the top level. Changing this forces the project to be migrated to the newly specified organization.

  • project_id (pulumi.Input[str]) – The project ID. Changing this forces a new project to be created.

  • skip_delete (pulumi.Input[bool]) – If true, the resource can be deleted without deleting the Project via the Google API.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_gcp.organizations.get_active_folder(display_name=None, parent=None, opts=None)

Get an active folder within GCP by display_name and parent.

import pulumi
import pulumi_gcp as gcp

department1 = gcp.organizations.get_active_folder(display_name="Department 1",
    parent="organizations/1234567")
Parameters

  • display_name (str) – The folder’s display name.

  • parent (str) – The resource name of the parent Folder or Organization.

pulumi_gcp.organizations.get_billing_account(billing_account=None, display_name=None, open=None, opts=None)

Use this data source to get information about a Google Billing Account.

import pulumi
import pulumi_gcp as gcp

acct = gcp.organizations.get_billing_account(display_name="My Billing Account",
    open=True)
my_project = gcp.organizations.Project("myProject",
    project_id="your-project-id",
    org_id="1234567",
    billing_account=acct.id)
Parameters

  • billing_account (str) – The name of the billing account in the form {billing_account_id} or billingAccounts/{billing_account_id}.

  • display_name (str) – The display name of the billing account.

  • open (bool) – true if the billing account is open, false if the billing account is closed.

pulumi_gcp.organizations.get_client_config(opts=None)

Use this data source to access the configuration of the Google Cloud provider.

import pulumi
import pulumi_gcp as gcp

current = gcp.organizations.get_client_config()
pulumi.export("project", current.project)
pulumi_gcp.organizations.get_client_open_id_user_info(opts=None)

Get OpenID userinfo about the credentials used with the Google provider, specifically the email.

This datasource enables you to export the email of the account you’ve authenticated the provider with; this can be used alongside data.google_client_config’s access_token to perform OpenID Connect authentication with GKE and configure an RBAC role for the email used.

This resource will only work as expected if the provider is configured to use the https://www.googleapis.com/auth/userinfo.email scope! You will receive an error otherwise.

import pulumi
import pulumi_gcp as gcp

me = gcp.organizations.get_client_open_id_user_info()
pulumi.export("my-email", me.email)
pulumi_gcp.organizations.get_folder(folder=None, lookup_organization=None, opts=None)

Use this data source to get information about a Google Cloud Folder.

import pulumi
import pulumi_gcp as gcp

my_folder1 = gcp.organizations.get_folder(folder="folders/12345",
    lookup_organization=True)
my_folder2 = gcp.organizations.get_folder(folder="folders/23456")
pulumi.export("myFolder1Organization", my_folder1.organization)
pulumi.export("myFolder2Parent", my_folder2.parent)
Parameters

  • folder (str) – The name of the Folder in the form {folder_id} or folders/{folder_id}.

  • lookup_organization (bool) – true to find the organization that the folder belongs, false to avoid the lookup. It searches up the tree. (defaults to false)

pulumi_gcp.organizations.get_iam_policy(audit_configs=None, bindings=None, opts=None)

Generates an IAM policy document that may be referenced by and applied to other Google Cloud Platform resources, such as the organizations.Project resource.

Note: Several restrictions apply when setting IAM policies through this API. See the setIamPolicy docs for a list of these restrictions.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(audit_configs=[{
        "audit_log_configs": [
            {
                "exemptedMembers": ["user:you@domain.com"],
                "logType": "DATA_READ",
            },
            {
                "logType": "DATA_WRITE",
            },
            {
                "logType": "ADMIN_READ",
            },
        ],
        "service": "cloudkms.googleapis.com",
    }],
    bindings=[
        {
            "members": ["serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com"],
            "role": "roles/compute.instanceAdmin",
        },
        {
            "members": ["user:alice@gmail.com"],
            "role": "roles/storage.objectViewer",
        },
    ])

This data source is used to define IAM policies to apply to other resources. Currently, defining a policy through a datasource and referencing that policy from another resource is the only way to apply an IAM policy to a resource.

Parameters

  • audit_configs (list) – A nested configuration block that defines logging additional configuration for your project.

  • bindings (list) – A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

The audit_configs object supports the following:

  • audit_log_configs (list) - A nested block that defines the operations you’d like to log.

    • exemptedMembers (list) - Specifies the identities that are exempt from these types of logging operations. Follows the same format of the members array for binding.

    • logType (str) - Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of events. See the audit configuration documentation for more details.

  • service (str) - Defines a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.

The bindings object supports the following:

  • condition (dict)

    • description (str)

    • expression (str)

    • title (str)

  • members (list) - An array of identities that will be granted the privilege in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. It can’t be used with the organizations.Project resource.

    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. It can’t be used with the organizations.Project resource.

    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.

    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.

    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.

    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

  • role (str) - The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

pulumi_gcp.organizations.get_organization(domain=None, organization=None, opts=None)

Use this data source to get information about a Google Cloud Organization.

import pulumi
import pulumi_gcp as gcp

org = gcp.organizations.get_organization(domain="example.com")
sales = gcp.organizations.Folder("sales",
    display_name="Sales",
    parent=org.name)
Parameters

  • domain (str) – The domain name of the Organization.

  • organization (str) – The name of the Organization in the form {organization_id} or organizations/{organization_id}.

pulumi_gcp.organizations.get_project(project_id=None, opts=None)

Use this data source to get project details. For more information see API

import pulumi
import pulumi_gcp as gcp

project = gcp.organizations.get_project()
pulumi.export("projectNumber", project.number)
Parameters

project_id (str) – The project ID. If it is not provided, the provider project is used.