# googleIamDenyPolicy

Represents a collection of denial policies to apply to a given resource.

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about DenyPolicy, see:

- API documentation
- How-to Guides
- Permissions supported in deny policies

## Example Usage - Iam Deny Policy Basic
```hcl
resource "google_project" "project" {
  provider        = google-beta
  project_id      = "tf-test%{random_suffix}"
  name            = "tf-test%{random_suffix}"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_iam_deny_policy" "example" {
  provider     = google-beta
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-deny-policy"
  display_name = "A deny rule"

  rules {
    description = "First rule"
    deny_rule {
      denied_principals = ["principalSet://goog/public:all"]
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions = ["cloudresourcemanager.googleapis.com/projects.delete"]
    }
  }

  rules {
    description = "Second rule"
    deny_rule {
      denied_principals = ["principalSet://goog/public:all"]
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions   = ["cloudresourcemanager.googleapis.com/projects.delete"]
      exception_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.test-account.email}"]
    }
  }
}

resource "google_service_account" "test-account" {
  provider     = google-beta
  account_id   = "svc-acc"
  display_name = "Test Service Account"
  project      = google_project.project.project_id
}
```
## Argument Reference

The following arguments are supported:

- `name` - (Required) The name of the policy.
- `parent` - (Required) The attachment point is identified by its URL-encoded full resource name.
- `rules` - (Required) Rules to be applied. Structure is documented below.

The `rules` block supports:

- `description` - (Optional) The description of the rule.
- `denyRule` - (Optional) A deny rule in an IAM deny policy. Structure is documented below.

The `denyRule` block supports:

- `deniedPrincipals` - (Optional) The identities that are prevented from using one or more permissions on Google Cloud resources.
- `exceptionPrincipals` - (Optional) The identities that are excluded from the deny rule, even if they are listed in the `deniedPrincipals`. For example, you could add a Google group to the `deniedPrincipals`, then exclude specific users who belong to that group.
- `deniedPermissions` - (Optional) The permissions that are explicitly denied by this rule. Each permission uses the format `{serviceFqdn}/{resource}.{verb}`, where `{serviceFqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.
- `exceptionPermissions` - (Optional) Specifies the permissions that this rule excludes from the set of denied permissions given by `deniedPermissions`. If a permission appears in `deniedPermissions` and in `exceptionPermissions` then it will not be denied. The excluded permissions can be specified using the same syntax as `deniedPermissions`.
- `denialCondition` - (Optional) User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as `origin.ip`, `source.region_code` and contents in the request header. Structure is documented below.

The `denialCondition` block supports:

- `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.
- `title` - (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- `description` - (Optional) Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- `location` - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The following optional argument is also supported:

- `displayName` - (Optional) The display name of the rule.
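The following configuration is an added example, not code from the provider documentation. It shows how `exception_permissions` and `exception_principals` narrow a deny rule: both permissions are listed as denied, but the exception removes `roles.list` from the denied set, and a break-glass group is carved out of `principalSet://goog/public:all`. The `var.project_id` variable, the tag value `prod` and the group address are assumed placeholders.

```hcl
# Added example (not from the provider docs). The project variable, the tag
# value and the group address below are constructed placeholders.
resource "google_iam_deny_policy" "guardrail" {
  provider     = google-beta
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${var.project_id}")
  name         = "prod-guardrail"
  display_name = "Prevent project deletion in prod"

  rules {
    description = "Block project deletion for everyone except the break-glass group"
    deny_rule {
      # principalSet://goog/public:all covers every principal, including the
      # group listed in exception_principals below.
      denied_principals = ["principalSet://goog/public:all"]

      # Both permissions are named here ...
      denied_permissions = [
        "cloudresourcemanager.googleapis.com/projects.delete",
        "iam.googleapis.com/roles.list",
      ]

      # ... but a permission that appears in both lists is not denied, so
      # after this line only projects.delete is actually blocked.
      exception_permissions = ["iam.googleapis.com/roles.list"]

      # Members of the break-glass group are excluded from the deny rule even
      # though denied_principals would otherwise include them.
      exception_principals = ["principalSet://goog/group/breakglass@example.com"]

      # The rule only takes effect while the resource carries env=prod;
      # the tag key format matches the one used in the page's example.
      denial_condition {
        title      = "prod only"
        expression = "resource.matchTag('12345678/env', 'prod')"
      }
    }
  }
}
```

Net effect: every principal except the break-glass group loses `projects.delete` on resources tagged `env=prod`, while `roles.list` remains governed by allow policies alone.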
## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

- `id` - an identifier for the resource with format `{{parent}}/{{name}}`
- `etag` - The hash of the resource. Used internally during updates.
## Timeouts

This resource provides the following Timeouts configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import

DenyPolicy can be imported using any of these accepted formats: