# googleIamAccessBoundaryPolicy

Represents a collection of access boundary policies to apply to a given resource. NOTE: This is a private feature and users should contact GCP support if they would like to test it.
## Example Usage - Iam Access Boundary Policy Basic

```hcl
resource "google_project" "project" {
  project_id      = "tf-test%{random_suffix}"
  name            = "tf-test%{random_suffix}"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_access_context_manager_access_level" "test-access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/tf_test_chromeos_no_lock%{random_suffix}"
  title  = "tf_test_chromeos_no_lock%{random_suffix}"
  basic {
    conditions {
      device_policy {
        require_screen_lock = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/${google_project.project.org_id}"
  title  = "my policy"
}

resource "google_iam_access_boundary_policy" "example" {
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-ab-policy"
  display_name = "My AB policy"
  rules {
    description = "AB rule"
    access_boundary_rule {
      available_resource    = "*"
      available_permissions = ["*"]
      availability_condition {
        title      = "Access level expr"
        expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
      }
    }
  }
}
```
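The rule above uses `available_resource = "*"` and `available_permissions = ["*"]`, so the boundary does not actually narrow what the principal can reach. The following is an added example (not from the provider docs) of a boundary scoped to object reads on a single Cloud Storage bucket; `EXAMPLE_BUCKET` is a placeholder and the project and access level references reuse the resources declared above.

```hcl
# Added example, not part of the provider documentation: an access boundary that
# only makes read access to one bucket available, instead of the "*" / ["*"]
# wildcard rule shown above. EXAMPLE_BUCKET is a placeholder bucket name.
resource "google_iam_access_boundary_policy" "scoped" {
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "scoped-ab-policy"
  display_name = "Read-only boundary for one bucket"

  rules {
    description = "Only object reads on EXAMPLE_BUCKET are made available"
    access_boundary_rule {
      # Full resource name of the bucket; Cloud Storage buckets use the "_" project segment.
      available_resource = "//storage.googleapis.com/projects/_/buckets/EXAMPLE_BUCKET"

      # Only these permissions can be exercised through the boundary, even if the
      # principal holds a broader role on the bucket or project.
      available_permissions = ["storage.objects.get", "storage.objects.list"]

      # Further restrict availability to requests that satisfy the access level
      # declared above (screen lock, ChromeOS, allowed regions).
      availability_condition {
        title      = "Require the ChromeOS access level"
        expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
      }
    }
  }
}
```

An access boundary can only reduce what an existing IAM binding allows; it grants nothing on its own, so the permissions listed still need a matching role binding to take effect.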
## Argument Reference

The following arguments are supported:

- `name` - (Required) The name of the policy.
- `parent` - (Required) The attachment point is identified by its URL-encoded full resource name.
- `rules` - (Required) Rules to be applied. Structure is documented below.

The `rules` block supports:

- `description` - (Optional) The description of the rule.
- `accessBoundaryRule` - (Optional) An access boundary rule in an IAM policy. Structure is documented below.

The `accessBoundaryRule` block supports:

- `availableResource` - (Optional) The full resource name of a Google Cloud resource entity.
- `availablePermissions` - (Optional) A list of permissions that may be allowed for use on the specified resource.
- `availabilityCondition` - (Optional) The availability condition further constrains the access allowed by the access boundary rule. Structure is documented below.

The `availabilityCondition` block supports:

- `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.
- `title` - (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.
- `description` - (Optional) Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- `location` - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The following optional argument is also supported at the top level of the resource:

- `displayName` - (Optional) The display name of the rule.
## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

- `id` - An identifier for the resource with format `{{parent}}/{{name}}`.
- `etag` - The hash of the resource. Used internally during updates.
## Timeouts

This resource provides the following Timeouts configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import

AccessBoundaryPolicy can be imported using any of these accepted formats: