google_iam_deny_policy

Represents a collection of denial policies to apply to a given resource.

~> Warning: This resource is in beta and must be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about DenyPolicy, see:

Example Usage - IAM Deny Policy Basic

# The project the deny policy is attached to. "%{random_suffix}" is a placeholder;
# substitute your own project id and name.
resource "google_project" "project" {
  provider        = google-beta
  project_id      = "tf-test%{random_suffix}"
  name            = "tf-test%{random_suffix}"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_iam_deny_policy" "example" {
  provider     = google-beta
  # The attachment point is the URL-encoded full resource name of the project.
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-deny-policy"
  display_name = "A deny rule"

  rules {
    description = "First rule"
    deny_rule {
      # Every principal is covered by this rule.
      denied_principals = ["principalSet://goog/public:all"]
      # The rule is only enforced while the resource is not tagged env=test.
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions = ["cloudresourcemanager.googleapis.com/projects.delete"]
    }
  }

  rules {
    description = "Second rule"
    deny_rule {
      denied_principals = ["principalSet://goog/public:all"]
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions = ["cloudresourcemanager.googleapis.com/projects.delete"]
      # The service account is exempt even though denied_principals covers it.
      exception_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.test-account.email}"]
    }
  }
}

resource "google_service_account" "test-account" {
  provider     = google-beta
  account_id   = "svc-acc"
  display_name = "Test Service Account"
  project      = google_project.project.project_id
}

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the policy.

  • parent - (Required) The attachment point, identified by its URL-encoded full resource name.

  • rules - (Required) Rules to be applied. Structure is documented below.

The rules block supports:

  • description - (Optional) The description of the rule.

  • deny_rule - (Optional) A deny rule in an IAM deny policy. Structure is documented below.

The deny_rule block supports:

  • denied_principals - (Optional) The identities that are prevented from using one or more permissions on Google Cloud resources.

  • exception_principals - (Optional) The identities that are excluded from the deny rule, even if they are listed in denied_principals. For example, you could add a Google group to denied_principals, then exclude specific users who belong to that group.

  • denied_permissions - (Optional) The permissions that are explicitly denied by this rule. Each permission uses the format {serviceFqdn}/{resource}.{verb}, where {serviceFqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

  • exception_permissions - (Optional) The permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in both denied_permissions and exception_permissions, it is not denied. The excluded permissions are specified using the same syntax as denied_permissions.

  • denial_condition - (Optional) User-defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code, and the contents of the request header. Structure is documented below.

The denial_condition block supports:

  • expression - (Required) Textual representation of an expression in Common Expression Language syntax.

  • title - (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered.

  • description - (Optional) Description of the expression. This is a longer text describing the expression, e.g. shown when it is hovered over in a UI.

  • location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The following optional argument is also supported at the top level of the resource:

  • display_name - (Optional) The display name of the rule.
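The arguments above combined into one policy, as an added example that is not part of the provider documentation: every principal in the project is denied the ability to create user-managed service account keys, a break-glass group and a deployer service account are exempted through exception_principals, and a tag-based denial_condition keeps sandbox resources out of scope. The project id, organization id, group address, service account name and tag key are placeholders; the permission identifier follows the {serviceFqdn}/{resource}.{verb} format described above. exception_permissions is left unset because the rule denies a single permission and has nothing to carve out.

```hcl
# Added example, not from the provider docs. All identifiers below are placeholders.

variable "project_id" {
  type        = string
  description = "Project the deny policy is attached to (placeholder)"
}

variable "org_id" {
  type        = string
  description = "Organization that owns the 'env' tag key (placeholder, numeric id)"
}

locals {
  # Deny policies use IAM v2 principal identifiers, not the v1 "user:"/"group:" prefixes.
  break_glass_group = "principalSet://goog/group/break-glass@example.com"
  deployer_sa       = "principal://iam.googleapis.com/projects/-/serviceAccounts/deployer@${var.project_id}.iam.gserviceaccount.com"
}

resource "google_iam_deny_policy" "no_sa_keys" {
  provider     = google-beta
  # The attachment point is the URL-encoded full resource name of the project.
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${var.project_id}")
  name         = "deny-service-account-keys"
  display_name = "Block user-managed service account keys"

  rules {
    description = "Nobody creates service account keys except the exempted principals"
    deny_rule {
      # Cover every principal, so the rule also applies to identities that are
      # later granted an allow-policy role with this permission.
      denied_principals = ["principalSet://goog/public:all"]

      # Principals listed here are excluded even though denied_principals covers them.
      exception_principals = [
        local.break_glass_group,
        local.deployer_sa,
      ]

      # {serviceFqdn}/{resource}.{verb}
      denied_permissions = ["iam.googleapis.com/serviceAccountKeys.create"]

      # Only enforce on resources that are not tagged env=sandbox. The tag key is
      # referenced by its namespaced name ORG_ID/key.
      denial_condition {
        title       = "Not a sandbox resource"
        description = "Skip enforcement for resources tagged env=sandbox"
        expression  = "!resource.matchTag('${var.org_id}/env', 'sandbox')"
      }
    }
  }
}
```

After terraform apply, a request such as gcloud iam service-accounts keys create by a member of the denied set fails regardless of any allow binding the caller holds, while the break-glass group and the deployer account keep the permission; the condition is the knob to loosen for a tagged sandbox instead of widening exception_principals.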

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - An identifier for the resource with format {{parent}}/{{name}}

  • etag - The hash of the resource. Used internally during updates.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

DenyPolicy can be imported using any of these accepted formats:

$ terraform import google_iam_deny_policy.default {{parent}}/{{name}}