This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

projects

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

class pulumi_gcp.projects.AwaitableGetOrganizationPolicyResult(boolean_policies=None, constraint=None, etag=None, id=None, list_policies=None, project=None, restore_policies=None, update_time=None, version=None)
class pulumi_gcp.projects.AwaitableGetProjectResult(filter=None, id=None, projects=None)
class pulumi_gcp.projects.GetOrganizationPolicyResult(boolean_policies=None, constraint=None, etag=None, id=None, list_policies=None, project=None, restore_policies=None, update_time=None, version=None)

A collection of values returned by getOrganizationPolicy.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_gcp.projects.GetProjectResult(filter=None, id=None, projects=None)

A collection of values returned by getProject.

id = None

The provider-assigned unique ID for this managed resource.

projects = None

A list of projects matching the provided filter. Structure is defined below.

class pulumi_gcp.projects.IAMAuditConfig(resource_name, opts=None, audit_log_configs=None, project=None, service=None, __props__=None, __name__=None, __opts__=None)

Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

  • projects.IAMPolicy: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.

  • projects.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.

  • projects.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

  • projects.IAMAuditConfig: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

Note: projects.IAMPolicy cannot be used in conjunction with projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig or they will fight over what your policy should be.

Note: projects.IAMBinding resources can be used in conjunction with projects.IAMMember resources only if they do not grant privilege to the same role.
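The two notes above, together with the explicit-project requirement for projects.IAMPolicy, the one-binding-per-role rule and the roles/owner lock-out note stated elsewhere on this page, can be checked before deployment. The following is an added example, not part of the provider or of Pulumi: the resource descriptor dicts, the rule names and the function lint_project_iam are assumptions made for illustration.

```python
from collections import defaultdict


def lint_project_iam(resources, provider_project, operator=None):
    """Return sorted findings as (rule, project, resource_names) tuples.

    `resources` is a list of dicts with keys type, name and, depending on
    type, project, role, members. This descriptor format is an assumption
    of this example; it is not a Pulumi data structure.
    """
    findings = []
    by_project = defaultdict(list)
    for res in resources:
        project = res.get("project")
        if res["type"] == "IAMPolicy":
            # IAMPolicy never inherits the provider project.
            if not project:
                findings.append(("POLICY_MISSING_PROJECT", "(unset)", (res["name"],)))
                continue
        else:
            # The other three resources fall back to the provider project.
            project = project or provider_project
        by_project[project].append(res)

    for project, declared in by_project.items():
        policies = [r for r in declared if r["type"] == "IAMPolicy"]
        others = [r for r in declared if r["type"] != "IAMPolicy"]
        # The authoritative policy fights with every other IAM resource.
        for pol in policies:
            for other in others:
                findings.append(("POLICY_WITH_OTHER", project, (pol["name"], other["name"])))

        bindings, members = defaultdict(list), defaultdict(list)
        for res in others:
            if res["type"] == "IAMBinding":
                bindings[res["role"]].append(res)
            elif res["type"] == "IAMMember":
                members[res["role"]].append(res)

        for role, role_bindings in bindings.items():
            names = tuple(sorted(b["name"] for b in role_bindings))
            # Only one IAMBinding can be used per role.
            if len(role_bindings) > 1:
                findings.append(("DUPLICATE_BINDING", project, names))
            # IAMBinding and IAMMember must not grant the same role.
            for mem in members.get(role, []):
                for bind in role_bindings:
                    findings.append(
                        ("BINDING_MEMBER_SAME_ROLE", project, (bind["name"], mem["name"])))
            # Literal match only: group membership is not resolved here.
            if role == "roles/owner" and operator is not None:
                for bind in role_bindings:
                    if operator not in bind.get("members", []):
                        findings.append(("OWNER_LOCKOUT", project, (bind["name"],)))
    return sorted(findings)


# Constructed sample declarations (not taken from a real stack).
SAMPLE = [
    {"type": "IAMPolicy", "name": "base-policy", "project": "proj-a"},
    {"type": "IAMMember", "name": "jane-viewer", "project": "proj-a",
     "role": "roles/viewer", "member": "user:jane@example.com"},
    {"type": "IAMBinding", "name": "editors", "role": "roles/editor",
     "members": ["user:jane@example.com"]},
    {"type": "IAMMember", "name": "extra-editor", "project": "proj-b",
     "role": "roles/editor", "member": "user:sam@example.com"},
    {"type": "IAMBinding", "name": "owners", "project": "proj-b",
     "role": "roles/owner", "members": ["user:jane@example.com"]},
    {"type": "IAMAuditConfig", "name": "audit", "service": "allServices"},
]

if __name__ == "__main__":
    for finding in lint_project_iam(SAMPLE, "proj-b", operator="user:ops@example.com"):
        print(finding)
```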

Be careful! You can accidentally lock yourself out of your project using this resource. Deleting a projects.IAMPolicy removes access from anyone without organization-level access to the project. Proceed with caution. It’s not recommended to use projects.IAMPolicy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by this provider. If you do use this resource, it is recommended to import the policy before applying the change.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
project = gcp.projects.IAMPolicy("project",
    project="your-project-id",
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/editor",
}])
project = gcp.projects.IAMPolicy("project",
    policy_data=admin.policy_data,
    project="your-project-id")

Note: If role is set to roles/owner and you don’t specify a user or service account you have access to in members, you can lock yourself out of your project.

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMAuditConfig("project",
    audit_log_configs=[
        {
            "logType": "ADMIN_READ",
        },
        {
            "exemptedMembers": ["user:joebloggs@hashicorp.com"],
            "logType": "DATA_READ",
        },
    ],
    project="your-project-id",
    service="allServices")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • audit_log_configs (pulumi.Input[list]) – The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

  • service (pulumi.Input[str]) – Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

The audit_log_configs object supports the following:

  • exemptedMembers (pulumi.Input[list]) - Identities that do not cause logging for this type of permission. The format is the same as that for members.

  • logType (pulumi.Input[str]) - Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.
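The union rule described for service above means an exemption declared on allServices also applies to every specific service, and a per-service config cannot remove it. The following added example (not provider code) computes the configuration in effect for one service so that unlogged identities can be reviewed; the function names and the sample configs, including the service names, are constructed for illustration.

```python
from collections import defaultdict

# The three values the page allows for logType.
VALID_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def effective_audit_config(audit_configs, service):
    """Return {logType: sorted exempted members} in effect for `service`.

    Applies the union rule: every config whose service is `service` or
    allServices contributes its log types and its exempted members.
    """
    enabled = defaultdict(set)
    for cfg in audit_configs:
        if cfg["service"] not in ("allServices", service):
            continue
        for entry in cfg["audit_log_configs"]:
            log_type = entry["logType"]
            if log_type not in VALID_LOG_TYPES:
                raise ValueError(f"unknown logType {log_type!r} for {cfg['service']}")
            # A log type with no exemptions still counts as enabled.
            enabled[log_type].update(entry.get("exemptedMembers", []))
    return {lt: sorted(enabled[lt]) for lt in VALID_LOG_TYPES if lt in enabled}


def logging_gaps(audit_configs, service):
    """Summarise what is NOT logged for `service`.

    'disabled' lists log types no config enables; 'exempted' maps each
    enabled log type to the identities whose access produces no log entry.
    """
    effective = effective_audit_config(audit_configs, service)
    return {
        "disabled": [lt for lt in VALID_LOG_TYPES if lt not in effective],
        "exempted": {lt: members for lt, members in effective.items() if members},
    }


# Constructed sample: one allServices config and one service-specific config.
SAMPLE_CONFIGS = [
    {
        "service": "allServices",
        "audit_log_configs": [
            {"logType": "ADMIN_READ"},
            {"logType": "DATA_READ", "exemptedMembers": ["user:joe@example.com"]},
        ],
    },
    {
        "service": "storage.googleapis.com",
        "audit_log_configs": [
            # No exemption here, yet the allServices exemption still applies.
            {"logType": "DATA_READ"},
            {"logType": "DATA_WRITE",
             "exemptedMembers": ["serviceAccount:etl@example.iam.gserviceaccount.com"]},
        ],
    },
]

if __name__ == "__main__":
    for svc in ("storage.googleapis.com", "bigquery.googleapis.com"):
        print(svc, logging_gaps(SAMPLE_CONFIGS, svc))
```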

audit_log_configs: pulumi.Output[list] = None

The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

  • exemptedMembers (list) - Identities that do not cause logging for this type of permission. The format is the same as that for members.

  • logType (str) - Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

project: pulumi.Output[str] = None

The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

service: pulumi.Output[str] = None

Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

static get(resource_name, id, opts=None, audit_log_configs=None, etag=None, project=None, service=None)

Get an existing IAMAuditConfig resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • audit_log_configs (pulumi.Input[list]) – The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

  • service (pulumi.Input[str]) – Service which will be enabled for audit logging. The special value allServices covers all services. Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

The audit_log_configs object supports the following:

  • exemptedMembers (pulumi.Input[list]) - Identities that do not cause logging for this type of permission. The format is the same as that for members.

  • logType (pulumi.Input[str]) - Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.IAMBinding(resource_name, opts=None, condition=None, members=None, project=None, role=None, __props__=None, __name__=None, __opts__=None)

Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

  • projects.IAMPolicy: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.

  • projects.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.

  • projects.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

  • projects.IAMAuditConfig: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

Note: projects.IAMPolicy cannot be used in conjunction with projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig or they will fight over what your policy should be.

Note: projects.IAMBinding resources can be used in conjunction with projects.IAMMember resources only if they do not grant privilege to the same role.

Be careful! You can accidentally lock yourself out of your project using this resource. Deleting a projects.IAMPolicy removes access from anyone without organization-level access to the project. Proceed with caution. It’s not recommended to use projects.IAMPolicy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by this provider. If you do use this resource, it is recommended to import the policy before applying the change.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
project = gcp.projects.IAMPolicy("project",
    project="your-project-id",
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/editor",
}])
project = gcp.projects.IAMPolicy("project",
    policy_data=admin.policy_data,
    project="your-project-id")

Note: If role is set to roles/owner and you don’t specify a user or service account you have access to in members, you can lock yourself out of your project.

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMAuditConfig("project",
    audit_log_configs=[
        {
            "logType": "ADMIN_READ",
        },
        {
            "exemptedMembers": ["user:joebloggs@hashicorp.com"],
            "logType": "DATA_READ",
        },
    ],
    project="your-project-id",
    service="allServices")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) – An IAM Condition for a given binding. Structure is documented below.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

  • role (pulumi.Input[str]) – The role that should be applied. Only one projects.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None

An IAM Condition for a given binding. Structure is documented below.

  • description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (str) - Textual representation of an expression in Common Expression Language syntax.

  • title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

project: pulumi.Output[str] = None

The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

role: pulumi.Output[str] = None

The role that should be applied. Only one projects.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, members=None, project=None, role=None)

Get an existing IAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) – An IAM Condition for a given binding. Structure is documented below.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

  • role (pulumi.Input[str]) – The role that should be applied. Only one projects.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.IAMCustomRole(resource_name, opts=None, description=None, permissions=None, project=None, role_id=None, stage=None, title=None, __props__=None, __name__=None, __opts__=None)

Allows management of a customized Cloud IAM project role. For more information see the official documentation and API.

Warning: Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise from this and how roles are propagated. 1) Creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by the provider, and new roles cannot share that name.

import pulumi
import pulumi_gcp as gcp

my_custom_role = gcp.projects.IAMCustomRole("my-custom-role",
    description="A description",
    permissions=[
        "iam.roles.list",
        "iam.roles.create",
        "iam.roles.delete",
    ],
    role_id="myCustomRole",
    title="My Custom Role")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – A human-readable description for the role.

  • permissions (pulumi.Input[list]) – The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

  • project (pulumi.Input[str]) – The project that the service account will be created in. Defaults to the provider project configuration.

  • role_id (pulumi.Input[str]) – The camel case role id to use for this role. Cannot contain - characters.

  • stage (pulumi.Input[str]) – The current launch stage of the role. Defaults to GA. List of possible stages is here.

  • title (pulumi.Input[str]) – A human-readable title for the role.

deleted: pulumi.Output[bool] = None

(Optional) The current deleted state of the role.

description: pulumi.Output[str] = None

A human-readable description for the role.

name: pulumi.Output[str] = None

The name of the role in the format projects/{{project}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.

permissions: pulumi.Output[list] = None

The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

project: pulumi.Output[str] = None

The project that the service account will be created in. Defaults to the provider project configuration.

role_id: pulumi.Output[str] = None

The camel case role id to use for this role. Cannot contain - characters.

stage: pulumi.Output[str] = None

The current launch stage of the role. Defaults to GA. List of possible stages is here.

title: pulumi.Output[str] = None

A human-readable title for the role.

static get(resource_name, id, opts=None, deleted=None, description=None, name=None, permissions=None, project=None, role_id=None, stage=None, title=None)

Get an existing IAMCustomRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • deleted (pulumi.Input[bool]) – (Optional) The current deleted state of the role.

  • description (pulumi.Input[str]) – A human-readable description for the role.

  • name (pulumi.Input[str]) – The name of the role in the format projects/{{project}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.

  • permissions (pulumi.Input[list]) – The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

  • project (pulumi.Input[str]) – The project that the service account will be created in. Defaults to the provider project configuration.

  • role_id (pulumi.Input[str]) – The camel case role id to use for this role. Cannot contain - characters.

  • stage (pulumi.Input[str]) – The current launch stage of the role. Defaults to GA. List of possible stages is here.

  • title (pulumi.Input[str]) – A human-readable title for the role.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.IAMMember(resource_name, opts=None, condition=None, member=None, project=None, role=None, __props__=None, __name__=None, __opts__=None)

Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

  • projects.IAMPolicy: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.

  • projects.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.

  • projects.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

  • projects.IAMAuditConfig: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

Note: projects.IAMPolicy cannot be used in conjunction with projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig or they will fight over what your policy should be.

Note: projects.IAMBinding resources can be used in conjunction with projects.IAMMember resources only if they do not grant privilege to the same role.

Be careful! You can accidentally lock yourself out of your project using this resource. Deleting a projects.IAMPolicy removes access from anyone without organization-level access to the project. Proceed with caution. It’s not recommended to use projects.IAMPolicy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by this provider. If you do use this resource, it is recommended to import the policy before applying the change.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
project = gcp.projects.IAMPolicy("project",
    project="your-project-id",
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/editor",
}])
project = gcp.projects.IAMPolicy("project",
    policy_data=admin.policy_data,
    project="your-project-id")

Note: If role is set to roles/owner and you don’t specify a user or service account you have access to in members, you can lock yourself out of your project.

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMAuditConfig("project",
    audit_log_configs=[
        {
            "logType": "ADMIN_READ",
        },
        {
            "exemptedMembers": ["user:joebloggs@hashicorp.com"],
            "logType": "DATA_READ",
        },
    ],
    project="your-project-id",
    service="allServices")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) – An IAM Condition for a given binding. Structure is documented below.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

  • role (pulumi.Input[str]) – The role that should be applied. Only one projects.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

condition: pulumi.Output[dict] = None

An IAM Condition for a given binding. Structure is documented below.

  • description (str) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (str) - Textual representation of an expression in Common Expression Language syntax.

  • title (str) - A title for the expression, i.e. a short string describing its purpose.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

project: pulumi.Output[str] = None

The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

role: pulumi.Output[str] = None

The role that should be applied. Only one projects.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, condition=None, etag=None, member=None, project=None, role=None)

Get an existing IAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • condition (pulumi.Input[dict]) – An IAM Condition for a given binding. Structure is documented below.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

  • role (pulumi.Input[str]) – The role that should be applied. Only one projects.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str]) - An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • expression (pulumi.Input[str]) - Textual representation of an expression in Common Expression Language syntax.

  • title (pulumi.Input[str]) - A title for the expression, i.e. a short string describing its purpose.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.IAMPolicy(resource_name, opts=None, policy_data=None, project=None, __props__=None, __name__=None, __opts__=None)

Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

  • projects.IAMPolicy: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.

  • projects.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.

  • projects.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

  • projects.IAMAuditConfig: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

Note: projects.IAMPolicy cannot be used in conjunction with projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig or they will fight over what your policy should be.

Note: projects.IAMBinding resources can be used in conjunction with projects.IAMMember resources only if they do not grant privilege to the same role.

Be careful! You can accidentally lock yourself out of your project using this resource. Deleting a projects.IAMPolicy removes access from anyone without organization-level access to the project. Proceed with caution. It’s not recommended to use projects.IAMPolicy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by this provider. If you do use this resource, it is recommended to import the policy before applying the change.
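The conflict rules in the notes above, together with the roles/owner lockout risk, can be checked before a deployment. The following is an added example, not part of the provider or its documentation: the declaration dicts, the function lint_project_iam and the sample identities are assumptions made for illustration, and the check runs on plain data without importing pulumi.

```python
from collections import defaultdict

OWNER = "roles/owner"


def _owner_sets(decl):
    """Yield the member lists a declaration sets authoritatively for roles/owner."""
    if decl["kind"] == "IAMBinding" and decl["role"] == OWNER:
        yield decl["members"]
    elif decl["kind"] == "IAMPolicy":
        for binding in decl.get("bindings", []):
            if binding["role"] == OWNER:
                yield binding["members"]


def lint_project_iam(declarations, operator_members):
    """Return (project, rule, detail) findings for a list of IAM declarations.

    declarations: hypothetical plain-dict model of the resources a program
    would create, each with "kind" and "project" plus the resource's arguments.
    operator_members: identities the person or pipeline deploying controls.
    """
    by_project = defaultdict(list)
    for decl in declarations:
        by_project[decl["project"]].append(decl)

    findings = []
    for project in sorted(by_project):
        decls = by_project[project]
        kinds = {d["kind"] for d in decls}

        # Rule 1: IAMPolicy must not be combined with the other three resources.
        clashing = sorted(kinds - {"IAMPolicy"})
        if "IAMPolicy" in kinds and clashing:
            findings.append((project, "policy-conflict",
                             "IAMPolicy declared together with " + ", ".join(clashing)))

        # Rule 2: IAMBinding and IAMMember must not manage the same role.
        binding_roles = {d["role"] for d in decls if d["kind"] == "IAMBinding"}
        member_roles = {d["role"] for d in decls if d["kind"] == "IAMMember"}
        for role in sorted(binding_roles & member_roles):
            findings.append((project, "role-conflict",
                             "IAMBinding and IAMMember both manage " + role))

        # Rule 3: an authoritative roles/owner member list that contains no
        # operator identity can lock the operator out of the project.
        for decl in decls:
            for members in _owner_sets(decl):
                if not set(members) & set(operator_members):
                    findings.append((project, "owner-lockout",
                                     decl["kind"] + " sets " + OWNER
                                     + " without an operator identity"))
    return findings


# Constructed sample declarations (not taken from any real project).
SAMPLE = [
    {"kind": "IAMPolicy", "project": "proj-a",
     "bindings": [{"role": "roles/editor", "members": ["user:jane@example.com"]}]},
    {"kind": "IAMMember", "project": "proj-a",
     "role": "roles/viewer", "member": "user:sam@example.com"},
    {"kind": "IAMBinding", "project": "proj-b",
     "role": "roles/editor", "members": ["user:jane@example.com"]},
    {"kind": "IAMMember", "project": "proj-b",
     "role": "roles/editor", "member": "user:sam@example.com"},
    {"kind": "IAMBinding", "project": "proj-b",
     "role": OWNER, "members": ["user:jane@example.com"]},
    {"kind": "IAMBinding", "project": "proj-c",
     "role": OWNER, "members": ["serviceAccount:deployer@example.com"]},
    {"kind": "IAMMember", "project": "proj-c",
     "role": "roles/viewer", "member": "user:sam@example.com"},
    {"kind": "IAMAuditConfig", "project": "proj-c", "service": "allServices"},
]
OPERATORS = ["serviceAccount:deployer@example.com"]

if __name__ == "__main__":
    for finding in lint_project_iam(SAMPLE, OPERATORS):
        print(*finding, sep=": ")
```

A check like this fits as a CI step ahead of the deployment preview, fed from whatever inventory of IAM declarations the program already keeps.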

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
project = gcp.projects.IAMPolicy("project",
    project="your-project-id",
    policy_data=admin.policy_data)

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "condition": {
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        "title": "expires_after_2019_12_31",
    },
    "members": ["user:jane@example.com"],
    "role": "roles/editor",
}])
project = gcp.projects.IAMPolicy("project",
    policy_data=admin.policy_data,
    project="your-project-id")

Note: If role is set to roles/owner and you don’t specify a user or service account you have access to in members, you can lock yourself out of your project.

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMBinding("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        "title": "expires_after_2019_12_31",
    },
    members=["user:jane@example.com"],
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

With IAM Conditions:

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMMember("project",
    condition={
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        "title": "expires_after_2019_12_31",
    },
    member="user:jane@example.com",
    project="your-project-id",
    role="roles/editor")

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.IAMAuditConfig("project",
    audit_log_configs=[
        {
            "logType": "ADMIN_READ",
        },
        {
            "exemptedMembers": ["user:joebloggs@hashicorp.com"],
            "logType": "DATA_READ",
        },
    ],
    project="your-project-id",
    service="allServices")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • policy_data (pulumi.Input[str]) – The organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the project. The policy will be merged with any existing policy applied to the project.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

etag: pulumi.Output[str] = None

(Computed) The etag of the project’s IAM policy.

policy_data: pulumi.Output[str] = None

The organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the project. The policy will be merged with any existing policy applied to the project.

project: pulumi.Output[str] = None

The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

static get(resource_name, id, opts=None, etag=None, policy_data=None, project=None)

Get an existing IAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the project’s IAM policy.

  • policy_data (pulumi.Input[str]) – The organizations.getIAMPolicy data source that represents the IAM policy that will be applied to the project. The policy will be merged with any existing policy applied to the project.

  • project (pulumi.Input[str]) – The project ID. If not specified for projects.IAMBinding, projects.IAMMember, or projects.IAMAuditConfig, uses the ID of the project configured with the provider. Required for projects.IAMPolicy - you must explicitly set the project, and it will not be inferred from the provider.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.OrganizationPolicy(resource_name, opts=None, boolean_policy=None, constraint=None, list_policy=None, project=None, restore_policy=None, version=None, __props__=None, __name__=None, __opts__=None)

Allows management of Organization policies for a Google Project. For more information see the official documentation and API.

import pulumi
import pulumi_gcp as gcp

serial_port_policy = gcp.projects.OrganizationPolicy("serialPortPolicy",
    boolean_policy={
        "enforced": True,
    },
    constraint="compute.disableSerialPortAccess",
    project="your-project-id")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • boolean_policy (pulumi.Input[dict]) – A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • constraint (pulumi.Input[str]) – The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

  • list_policy (pulumi.Input[dict]) – A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • project (pulumi.Input[str]) – The project id of the project to set the policy for.

  • restore_policy (pulumi.Input[dict]) – A restore policy is a constraint to restore the default policy. Structure is documented below.

  • version (pulumi.Input[float]) – Version of the Policy. Default version is 0.

The boolean_policy object supports the following:

  • enforced (pulumi.Input[bool]) - If true, then the Policy is enforced. If false, then any configuration is acceptable.

The list_policy object supports the following:

  • allow (pulumi.Input[dict]) - (Optional) Either allow or deny must be set.

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • deny (pulumi.Input[dict])

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • inheritFromParent (pulumi.Input[bool]) - If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggestedValue (pulumi.Input[str]) - The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

The restore_policy object supports the following:

  • default (pulumi.Input[bool]) - May only be set to true. If set, then the default Policy is restored.

boolean_policy: pulumi.Output[dict] = None

A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • enforced (bool) - If true, then the Policy is enforced. If false, then any configuration is acceptable.

constraint: pulumi.Output[str] = None

The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

etag: pulumi.Output[str] = None

(Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

list_policy: pulumi.Output[dict] = None

A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • allow (dict) - (Optional) Either allow or deny must be set.

    • all (bool) - The policy allows or denies all values.

    • values (list) - The policy can define specific values that are allowed or denied.

  • deny (dict)

    • all (bool) - The policy allows or denies all values.

    • values (list) - The policy can define specific values that are allowed or denied.

  • inheritFromParent (bool) - If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggestedValue (str) - The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

project: pulumi.Output[str] = None

The project id of the project to set the policy for.

restore_policy: pulumi.Output[dict] = None

A restore policy is a constraint to restore the default policy. Structure is documented below.

  • default (bool) - May only be set to true. If set, then the default Policy is restored.

update_time: pulumi.Output[str] = None

(Computed) The timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds, representing when the variable was last updated. Example: “2016-10-09T12:33:37.578138407Z”.

version: pulumi.Output[float] = None

Version of the Policy. Default version is 0.

static get(resource_name, id, opts=None, boolean_policy=None, constraint=None, etag=None, list_policy=None, project=None, restore_policy=None, update_time=None, version=None)

Get an existing OrganizationPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • boolean_policy (pulumi.Input[dict]) – A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • constraint (pulumi.Input[str]) – The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

  • etag (pulumi.Input[str]) – (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

  • list_policy (pulumi.Input[dict]) – A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • project (pulumi.Input[str]) – The project id of the project to set the policy for.

  • restore_policy (pulumi.Input[dict]) – A restore policy is a constraint to restore the default policy. Structure is documented below.

  • update_time (pulumi.Input[str]) – (Computed) The timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds, representing when the variable was last updated. Example: “2016-10-09T12:33:37.578138407Z”.

  • version (pulumi.Input[float]) – Version of the Policy. Default version is 0.

The boolean_policy object supports the following:

  • enforced (pulumi.Input[bool]) - If true, then the Policy is enforced. If false, then any configuration is acceptable.

The list_policy object supports the following:

  • allow (pulumi.Input[dict]) - (Optional) Either allow or deny must be set.

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • deny (pulumi.Input[dict])

    • all (pulumi.Input[bool]) - The policy allows or denies all values.

    • values (pulumi.Input[list]) - The policy can define specific values that are allowed or denied.

  • inheritFromParent (pulumi.Input[bool]) - If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggestedValue (pulumi.Input[str]) - The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

The restore_policy object supports the following:

  • default (pulumi.Input[bool]) - May only be set to true. If set, then the default Policy is restored.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.Service(resource_name, opts=None, disable_dependent_services=None, disable_on_destroy=None, project=None, service=None, __props__=None, __name__=None, __opts__=None)

Allows management of a single API service for an existing Google Cloud Platform project.

For a list of services available, visit the API library page or run gcloud services list.

import pulumi
import pulumi_gcp as gcp

project = gcp.projects.Service("project",
    disable_dependent_services=True,
    project="your-project-id",
    service="iam.googleapis.com")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • disable_dependent_services (pulumi.Input[bool]) – If true, services that are enabled and which depend on this service should also be disabled when this service is destroyed. If false or unset, an error will be generated if any enabled services depend on this service when destroying it.

  • disable_on_destroy (pulumi.Input[bool]) – If true, disable the service when the resource is destroyed. Defaults to true. May be useful in the event that a project is long-lived but the infrastructure running in that project changes frequently.

  • project (pulumi.Input[str]) – The project ID. If not provided, the provider project is used.

  • service (pulumi.Input[str]) – The service to enable.

disable_dependent_services: pulumi.Output[bool] = None

If true, services that are enabled and which depend on this service should also be disabled when this service is destroyed. If false or unset, an error will be generated if any enabled services depend on this service when destroying it.

disable_on_destroy: pulumi.Output[bool] = None

If true, disable the service when the resource is destroyed. Defaults to true. May be useful in the event that a project is long-lived but the infrastructure running in that project changes frequently.

project: pulumi.Output[str] = None

The project ID. If not provided, the provider project is used.

service: pulumi.Output[str] = None

The service to enable.

static get(resource_name, id, opts=None, disable_dependent_services=None, disable_on_destroy=None, project=None, service=None)

Get an existing Service resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • disable_dependent_services (pulumi.Input[bool]) – If true, services that are enabled and which depend on this service should also be disabled when this service is destroyed. If false or unset, an error will be generated if any enabled services depend on this service when destroying it.

  • disable_on_destroy (pulumi.Input[bool]) – If true, disable the service when the resource is destroyed. Defaults to true. May be useful in the event that a project is long-lived but the infrastructure running in that project changes frequently.

  • project (pulumi.Input[str]) – The project ID. If not provided, the provider project is used.

  • service (pulumi.Input[str]) – The service to enable.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.projects.UsageExportBucket(resource_name, opts=None, bucket_name=None, prefix=None, project=None, __props__=None, __name__=None, __opts__=None)

Allows creation and management of a Google Cloud Platform project.

Projects created with this resource must be associated with an Organization. See the Organization documentation for more details.

The service account used to run this provider when creating an organizations.Project resource must have roles/resourcemanager.projectCreator. See the Access Control for Organizations Using IAM doc for more information.

import pulumi
import pulumi_gcp as gcp

my_project = gcp.organizations.Project("myProject",
    org_id="1234567",
    project_id="your-project-id")

Parameters

static get(resource_name, id, opts=None, bucket_name=None, prefix=None, project=None)

Get an existing UsageExportBucket resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_gcp.projects.get_organization_policy(constraint=None, project=None, opts=None)

Allows management of Organization policies for a Google Project. For more information see the official documentation.

import pulumi
import pulumi_gcp as gcp

policy = gcp.projects.get_organization_policy(project="project-id",
    constraint="constraints/serviceuser.services")
pulumi.export("version", policy.version)

Parameters
  • constraint (str) – (Required) The name of the Constraint the Policy is configuring, for example, serviceuser.services. Check out the complete list of available constraints.

  • project (str) – The project ID.

pulumi_gcp.projects.get_project(filter=None, opts=None)

Retrieve information about a set of projects based on a filter. See the REST API for more details.

import pulumi
import pulumi_gcp as gcp

my_org_projects = gcp.projects.get_project(filter="parent.id:012345678910 lifecycleState:DELETE_REQUESTED")
deletion_candidate = gcp.organizations.get_project(project_id=my_org_projects.projects[0]["project_id"])

Parameters

filter (str) – A string filter as defined in the REST API.