From 1162b7442dfc0c53213bb03348dcb5a1b69130cb Mon Sep 17 00:00:00 2001 From: Vincent Roseberry Date: Wed, 6 Dec 2017 09:33:21 -0800 Subject: [PATCH] Add google_kms_key_ring_iam_policy resource and improve iam docs (#814) * Add google_kms_key_ring_iam_policy resource and improve iam docs * Delete iam_binding and iam_member specific doc page for key ring --- docs/r/google_kms_crypto_key.html.markdown | 2 +- docs/r/google_kms_key_ring.html.markdown | 2 +- docs/r/google_kms_key_ring_iam.html.markdown | 92 +++++++++++++++++++ ...gle_kms_key_ring_iam_binding.html.markdown | 46 ---------- ...ogle_kms_key_ring_iam_member.html.markdown | 47 ---------- google.erb | 11 +-- 6 files changed, 98 insertions(+), 102 deletions(-) create mode 100644 docs/r/google_kms_key_ring_iam.html.markdown delete mode 100644 docs/r/google_kms_key_ring_iam_binding.html.markdown delete mode 100644 docs/r/google_kms_key_ring_iam_member.html.markdown diff --git a/docs/r/google_kms_crypto_key.html.markdown b/docs/r/google_kms_crypto_key.html.markdown index 081f9c48aba..3ae2182f4de 100644 --- a/docs/r/google_kms_crypto_key.html.markdown +++ b/docs/r/google_kms_crypto_key.html.markdown @@ -1,7 +1,7 @@ --- layout: "google" page_title: "Google: google_kms_crypto_key" -sidebar_current: "docs-google-kms-crypto-key" +sidebar_current: "docs-google-kms-crypto-key-x" description: |- Allows creation of a Google Cloud Platform KMS CryptoKey. --- diff --git a/docs/r/google_kms_key_ring.html.markdown b/docs/r/google_kms_key_ring.html.markdown index 4e9700e67f4..323c689a354 100644 --- a/docs/r/google_kms_key_ring.html.markdown +++ b/docs/r/google_kms_key_ring.html.markdown @@ -1,7 +1,7 @@ --- layout: "google" page_title: "Google: google_kms_key_ring" -sidebar_current: "docs-google-kms-key-ring" +sidebar_current: "docs-google-kms-key-ring-x" description: |- Allows creation of a Google Cloud Platform KMS KeyRing. --- 
diff --git a/docs/r/google_kms_key_ring_iam.html.markdown b/docs/r/google_kms_key_ring_iam.html.markdown new file mode 100644 index 00000000000..aab2b01adb8 --- /dev/null +++ b/docs/r/google_kms_key_ring_iam.html.markdown 
@@ -0,0 +1,92 @@ +--- +layout: "google" +page_title: "Google: google_kms_key_ring_iam" +sidebar_current: "docs-google-kms-key-ring-iam" +description: |- + Collection of resources to manage IAM policy for a Google Cloud KMS key ring. +--- + +# IAM policy for Google Cloud KMS key ring + +Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case: + +* `google_kms_key_ring_iam_policy`: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached. +* `google_kms_key_ring_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved. +* `google_kms_key_ring_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved. + +~> **Note:** `google_kms_key_ring_iam_policy` **cannot** be used in conjunction with `google_kms_key_ring_iam_binding` and `google_kms_key_ring_iam_member` or they will fight over what your policy should be. + +~> **Note:** `google_kms_key_ring_iam_binding` resources **can be** used in conjunction with `google_kms_key_ring_iam_member` resources **only if** they do not grant privilege to the same role. 
+ +## google\_kms\_key\_ring\_iam\_policy + +```hcl +data "google_iam_policy" "admin" { + binding { + role = "roles/editor" + + members = [ + "user:jane@example.com", + ] + } +} + +resource "google_kms_key_ring_iam_policy" "key_ring" { + key_ring_id = "your-key-ring-id" + policy_data = "${data.google_iam_policy.admin.policy_data}" +} +``` + +## google\_kms\_key\_ring\_iam\_binding + +```hcl +resource "google_kms_key_ring_binding" "key_ring" { + key_ring_id = "your-key-ring-id" + role = "roles/editor" + + members = [ + "user:jane@example.com", + ] +} +``` + +## google\_kms\_key\_ring\_iam\_member + +```hcl +resource "google_kms_key_ring_iam_member" "key_ring" { + key_ring_id = "your-key-ring-id" + role = "roles/editor" + member = "user:jane@example.com" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `key_ring_id` - (Required) The key ring ID, in the form + `{project_id}/{location_name}/{key_ring_name}` or + `{location_name}/{key_ring_name}`. In the second form, the provider's + project setting will be used as a fallback. + +* `member/members` - (Required) Identities that will be granted the privilege in `role`. + Each entry can have one of the following values: + * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. + * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. + * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. + * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. + * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. + * **domain:{domain}**: A Google Apps domain name that represents all the users of that domain. For example, google.com or example.com. 
+ +* `role` - (Required) The role that should be applied. Only one + `google_kms_key_ring_iam_binding` can be used per role. + +* `policy_data` - (Required only by `google_kms_key_ring_iam_policy`) The policy data generated by + a `google_iam_policy` data source. + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are +exported: + +* `etag` - (Computed) The etag of the key ring's IAM policy. diff --git a/docs/r/google_kms_key_ring_iam_binding.html.markdown b/docs/r/google_kms_key_ring_iam_binding.html.markdown deleted file mode 100644 index 5e0fda3b5ce..00000000000 --- a/docs/r/google_kms_key_ring_iam_binding.html.markdown +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -layout: "google" -page_title: "Google: google_kms_key_ring_iam_binding" -sidebar_current: "docs-google-kms-key-ring-iam-binding" -description: |- - Allows management of a single binding with an IAM policy for a Google Cloud KMS key ring ---- - -# google\_kms\_key\_ring\_iam\_binding - -Allows creation and management of a single binding within IAM policy for -an existing Google Cloud KMS key ring. - -## Example Usage - -```hcl -resource "google_kms_key_ring_binding" "key_ring" { - key_ring_id = "your-key-ring-id" - role = "roles/editor" - - members = [ - "user:jane@example.com", - ] -} -``` - -## Argument Reference - -The following arguments are supported: - -* `members` - (Required) A list of users that the role should apply to. - -* `role` - (Required) The role that should be applied. Only one - `google_kms_key_ring_iam_binding` can be used per role. - -* `key_ring_id` - (Required) The key ring ID, in the form - `{project_id}/{location_name}/{key_ring_name}` or - `{location_name}/{key_ring_name}`. In the second form, the provider's - project setting will be used as a fallback. -## Attributes Reference - -In addition to the arguments listed above, the following computed attributes are -exported: - -* `etag` - (Computed) The etag of the key ring's IAM policy. - diff --git a/docs/r/google_kms_key_ring_iam_member.html.markdown b/docs/r/google_kms_key_ring_iam_member.html.markdown deleted file mode 100644 index ceab314a42e..00000000000 --- a/docs/r/google_kms_key_ring_iam_member.html.markdown +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -layout: "google" -page_title: "Google: google_kms_key_ring_iam_member" -sidebar_current: "docs-google-kms-key-ring-iam-member" -description: |- - Allows management of a single member for a single binding on the IAM policy for a Google Cloud KMS key ring. ---- - -# google\_kms\_key\_ring\_iam\_member - -Allows creation and management of a single member for a single binding within -the IAM policy for an existing Google Cloud KMS key ring. - -~> **Note:** This resource _must not_ be used in conjunction with - `google_kms_key_ring_iam_policy` or they will fight over what your policy - should be. Similarly, roles controlled by `google_kms_key_ring_iam_binding` - should not be assigned to using `google_kms_key_ring_iam_member`. - -## Example Usage - -```hcl -resource "google_kms_key_ring_iam_member" "key_ring" { - key_ring_id = "your-key-ring-id" - role = "roles/editor" - member = "user:jane@example.com" -} -``` - -## Argument Reference - -The following arguments are supported: - -* `member` - (Required) The user that the role should apply to. - -* `role` - (Required) The role that should be applied. - -* `key_ring_id` - (Required) The key ring ID, in the form - `{project_id}/{location_name}/{key_ring_name}` or - `{location_name}/{key_ring_name}`. In the second form, the provider's - project setting will be used as a fallback. - -## Attributes Reference - -In addition to the arguments listed above, the following computed attributes are -exported: - -* `etag` - (Computed) The etag of the project's IAM policy. diff --git a/google.erb b/google.erb index 03656704d74..d4281ba6f3e 100644 --- a/google.erb +++ b/google.erb @@ -447,16 +447,13 @@ > Google Key Management Service Resources
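Review bot: In the new `docs/r/google_kms_key_ring_iam.html.markdown` hunk, the `google_kms_key_ring_iam_binding` example declares the wrong resource type: `resource "google_kms_key_ring_binding" "key_ring" {` should be `resource "google_kms_key_ring_iam_binding" "key_ring" {` (the heading and the argument reference both use the `_iam_binding` name). The same typo exists in the page being deleted, so this is the moment to stop carrying it forward. Two smaller points on the same hunk: all three examples grant `roles/editor`, a broad primitive role, on a key ring, and a KMS-scoped role would better illustrate least privilege for a doc page about key-ring IAM; and since `allUsers` and `allAuthenticatedUsers` are listed as accepted `member` values, a one-line caution that these open the key ring to anyone on the internet (or anyone with a Google account) would help readers of an IAM page.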
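Review bot: The `sidebar_current` changes in `google_kms_crypto_key.html.markdown` and `google_kms_key_ring.html.markdown` (appending `-x`) are not explained anywhere in the commit message, which only mentions the new resource and the deleted pages. If the intent is to keep `docs-google-kms-key-ring` from prefix-matching the new `docs-google-kms-key-ring-iam` entry in the sidebar, a sentence saying so in the message would save the next reader from guessing.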
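Review bot: Deleting `google_kms_key_ring_iam_binding.html.markdown` and `google_kms_key_ring_iam_member.html.markdown` outright will break any existing links or bookmarks to those pages; consider a redirect or a short stub pointing at the consolidated `google_kms_key_ring_iam` page. On the content side the consolidation is sound: the "must not be used with `google_kms_key_ring_iam_policy`" warning from the deleted member page is preserved as the two `~> **Note:**` blocks in the new page, and the deleted member page's `etag` description ("the project's IAM policy") is corrected to "the key ring's IAM policy" in the new file.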
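Review bot: The `google.erb` hunk (`@@ -447,16 +447,13 @@`) is cut off in this view after the `> Google Key Management Service Resources` context line, so the sidebar changes cannot be reviewed here; the diffstat shows 16 lines becoming 13, which is consistent with removing the two deleted pages' entries and adding one for `google_kms_key_ring_iam`, but please confirm the new entry's `sidebar_current` matches the `docs-google-kms-key-ring-iam` value set in the new page's front matter.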