Skip to content

IAM policy for Google Cloud Healthcare FHIR store

\~> Warning: These resources are in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

Three different resources help you manage your IAM policy for Healthcare FHIR store. Each of these resources serves a different use case:

  • googleHealthcareFhirStoreIamPolicy: Authoritative. Sets the IAM policy for the FHIR store and replaces any existing policy already attached.
  • googleHealthcareFhirStoreIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the FHIR store are preserved.
  • googleHealthcareFhirStoreIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the FHIR store are preserved.

\~> Note: googleHealthcareFhirStoreIamPolicy cannot be used in conjunction with googleHealthcareFhirStoreIamBinding and googleHealthcareFhirStoreIamMember or they will fight over what your policy should be.

\~> Note: googleHealthcareFhirStoreIamBinding resources can be used in conjunction with googleHealthcareFhirStoreIamMember resources only if they do not grant privilege to the same role.

googleHealthcareFhirStoreIamPolicy

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const dataGoogleIamPolicyAdmin =
  new google.dataGoogleIamPolicy.DataGoogleIamPolicy(this, "admin", {
    binding: [
      {
        members: ["user:jane@example.com"],
        role: "roles/editor",
      },
    ],
  });
new google.healthcareFhirStoreIamPolicy.HealthcareFhirStoreIamPolicy(
  this,
  "fhir_store",
  {
    fhir_store_id: "your-fhir-store-id",
    policy_data: dataGoogleIamPolicyAdmin.policyData,
  }
);

googleHealthcareFhirStoreIamBinding

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.healthcareFhirStoreIamBinding.HealthcareFhirStoreIamBinding(
  this,
  "fhir_store",
  {
    fhir_store_id: "your-fhir-store-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
  }
);

googleHealthcareFhirStoreIamMember

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.healthcareFhirStoreIamMember.HealthcareFhirStoreIamMember(
  this,
  "fhir_store",
  {
    fhir_store_id: "your-fhir-store-id",
    member: "user:jane@example.com",
    role: "roles/editor",
  }
);

Argument Reference

The following arguments are supported:

  • fhirStoreId - (Required) The FHIR store ID, in the form {projectId}/{locationName}/{datasetName}/{fhirStoreName} or {locationName}/{datasetName}/{fhirStoreName}. In the second form, the provider's project setting will be used as a fallback.

  • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

  • role - (Required) The role that should be applied. Only one googleHealthcareFhirStoreIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parentName}/roles/{roleName}.

  • policyData - (Required only by googleHealthcareFhirStoreIamPolicy) The policy data generated by a googleIamPolicy data source.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • etag - (Computed) The etag of the FHIR store's IAM policy.

Import

IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the fhirStoreId, role, and account e.g.

$ terraform import google_healthcare_fhir_store_iam_member.fhir_store_iam "your-project-id/location-name/dataset-name/fhir-store-name roles/viewer user:foo@example.com"

IAM binding imports use space-delimited identifiers; the resource in question and the role. This binding resource can be imported using the fhirStoreId and role, e.g.

$ terraform import google_healthcare_fhir_store_iam_binding.fhir_store_iam "your-project-id/location-name/dataset-name/fhir-store-name roles/viewer"

IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the fhirStoreId, role, and account e.g.

$ terraform import google_healthcare_fhir_store_iam_policy.fhir_store_iam your-project-id/location-name/dataset-name/fhir-store-name