
googleIamAccessBoundaryPolicy

Represents a collection of access boundary policies to apply to a given resource. NOTE: This is a private feature and users should contact GCP support if they would like to test it.

Example Usage - Iam Access Boundary Policy Basic

resource "google_project" "project" {
  project_id      = "tf-test%{random_suffix}"
  name            = "tf-test%{random_suffix}"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_access_context_manager_access_level" "test-access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/tf_test_chromeos_no_lock%{random_suffix}"
  title  = "tf_test_chromeos_no_lock%{random_suffix}"
  basic {
    conditions {
      device_policy {
        require_screen_lock = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/${google_project.project.org_id}"
  title  = "my policy"
}

resource "google_iam_access_boundary_policy" "example" {
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-ab-policy"
  display_name = "My AB policy"
  rules {
    description = "AB rule"
    access_boundary_rule {
      available_resource = "*"
      available_permissions = ["*"]
      availability_condition {
        title = "Access level expr"
        expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
      }
    }
  }
}

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the policy.

  • parent - (Required) The attachment point is identified by its URL-encoded full resource name.

  • rules - (Required) Rules to be applied. Structure is documented below.

The rules block supports:

  • description - (Optional) The description of the rule.

  • access_boundary_rule - (Optional) An access boundary rule in an IAM policy. Structure is documented below.

The access_boundary_rule block supports:

  • available_resource - (Optional) The full resource name of a Google Cloud resource entity.

  • available_permissions - (Optional) A list of permissions that may be allowed for use on the specified resource.

  • availability_condition - (Optional) The availability condition further constrains the access allowed by the access boundary rule. Structure is documented below.

The availability_condition block supports:

  • expression - (Required) Textual representation of an expression in Common Expression Language syntax.

  • title - (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered.

  • description - (Optional) Description of the expression. This is a longer text that describes the expression, e.g. when hovered over in a UI.

  • location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The following optional argument is also supported at the top level of the resource:

  • display_name - (Optional) The display name of the rule.
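As an added example that is not part of the provider documentation: the same kind of policy, but with the boundary narrowed to a single Cloud Storage bucket and an explicit read-only permission set instead of `"*"` / `["*"]`, so that the rule itself limits what a credential can reach rather than relying only on the availability condition. It reuses the `google_project`, access policy and access level resources from the basic example above; the `google_storage_bucket` resource and the bucket name `tf-test-audit-logs` are assumed placeholders.

```hcl
# Added example, not from the provider docs. Assumes the project, access
# policy and access level resources defined in the basic example above.
resource "google_storage_bucket" "audit" {
  name     = "tf-test-audit-logs" # placeholder bucket name
  project  = google_project.project.project_id
  location = "US"
}

resource "google_iam_access_boundary_policy" "read_only_audit" {
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "audit-read-only-ab-policy"
  display_name = "Audit bucket read-only boundary"

  rules {
    description = "Object reads on the audit bucket only, and only from devices meeting the access level"
    access_boundary_rule {
      # Full resource name of one bucket instead of "*"
      available_resource = "//storage.googleapis.com/projects/_/buckets/${google_storage_bucket.audit.name}"

      # Explicit permission list instead of ["*"]
      available_permissions = [
        "storage.objects.get",
        "storage.objects.list",
      ]

      # Same access-level condition as the basic example; the boundary above
      # still applies even if the condition evaluates to true
      availability_condition {
        title      = "Access level expr"
        expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
      }
    }
  }
}
```

Permissions not listed in available_permissions, or on resources other than the named bucket, stay unavailable regardless of what the underlying IAM bindings grant.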

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{parent}}/{{name}}

  • etag - The hash of the resource. Used internally during updates.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

AccessBoundaryPolicy can be imported using any of these accepted formats:

$ terraform import google_iam_access_boundary_policy.default {{parent}}/{{name}}