forked from hashicorp/terraform-provider-google
Document the google_project_iam_audit_config resource (hashicorp#1066)
Signed-off-by: Modular Magician <[email protected]>
1 parent e69327b, commit 43af0af
Showing 2 changed files with 44 additions and 7 deletions.
@@ -8,13 +8,15 @@ description: |- | |
|
||
# IAM policy for projects | ||
|
||
Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case: | ||
Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case: | ||
|
||
* `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached. | ||
* `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved. | ||
* `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved. | ||
* `google_project_iam_audit_config`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service. | ||
|
||
~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be. | ||
|
||
~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config` or they will fight over what your policy should be. | ||
|
||
~> **Note:** `google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role. | ||
|
||
|
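Review bot: the two notes at the end of this hunk still leave `google_project_iam_audit_config` undocumented relative to `google_project_iam_binding` and `google_project_iam_member`: the first note is updated to list it, but the second (binding and member "can be used in conjunction ... only if they do not grant privilege to the same role") says nothing about audit configs. Since the new bullet describes the resource as updating the IAM policy to enable audit logging rather than granting a role, state explicitly whether it can coexist with binding/member resources or whether a separate caveat applies, so readers configuring audit logging alongside role grants do not have to guess.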
@@ -69,18 +71,33 @@ resource "google_project_iam_member" "project" { | |
} | ||
``` | ||
|
||
## google\_project\_iam\_audit\_config | ||
|
||
```hcl | ||
resource "google_project_iam_audit_config" "project" { | ||
project = "your-project-id" | ||
service = "allServices" | ||
audit_log_config { | ||
log_type = "DATA_READ" | ||
exempted_members = [ | ||
"user:[email protected]", | ||
] | ||
} | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
* `member/members` - (Required) Identities that will be granted the privilege in `role`. | ||
* `member/members` - (Required except for google\_project\_iam\_audit\_config) Identities that will be granted the privilege in `role`. | ||
Each entry can have one of the following values: | ||
* **user:{emailid}**: An email address that represents a specific Google account. For example, [email protected] or [email protected]. | ||
* **serviceAccount:{emailid}**: An email address that represents a service account. For example, [email protected]. | ||
* **group:{emailid}**: An email address that represents a Google group. For example, [email protected]. | ||
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | ||
|
||
* `role` - (Required) The role that should be applied. Only one | ||
* `role` - (Required except for google\_project\_iam\_audit\_config) The role that should be applied. Only one | ||
`google_project_iam_binding` can be used per role. Note that custom roles must be of the format | ||
`[projects|organizations]/{parent-name}/roles/{role-name}`. | ||
|
||
|
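Review bot: the new example exempts a user from `DATA_READ` logging for `allServices`, which by the `exempted_members` description added further down means that identity's data reads are never written to the audit log for any service; either drop `exempted_members` from the introductory example or add a sentence that exemptions remove those identities' activity from the audit trail and should be used sparingly. Also, because `audit_log_config` "can be specified multiple times", the example would be more instructive with a second block (for instance `log_type = "DATA_WRITE"`) showing the repeated-block form.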
@@ -93,11 +110,22 @@ The following arguments are supported: | |
Deleting this removes all policies from the project, locking out users without | ||
organization-level access. | ||
|
||
* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding` | ||
or `google_project_iam_member`, uses the ID of the project configured with the provider. | ||
* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config`, uses the ID of the project configured with the provider. | ||
Required for `google_project_iam_policy` - you must explicitly set the project, and it | ||
will not be inferred from the provider. | ||
|
||
|
||
* `service` - (Required only by google\_project\_iam\_audit\_config) Service which will be enabled for audit logging. The special value `allServices` covers all services. Note that if there are google\_project\_iam\_audit\_config resources covering both `allServices` and a specific service then the union of the two AuditConfigs is used for that service: the `log_types` specified in each `audit_log_config` are enabled, and the `exempted_members` in each `audit_log_config` are exempted. | ||
|
||
* `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below. | ||
|
||
--- | ||
|
||
The `audit_log_config` block supports: | ||
|
||
* `log_type` - (Required) Permission type for which logging is to be configured. Must be one of `DATA_READ`, `DATA_WRITE`, or `ADMIN_READ`. | ||
|
||
* `exempted_members` - (Optional) Identities that do not cause logging for this type of permission. The format is the same as that for `members`. | ||
|
||
## Attributes Reference | ||
|
||
In addition to the arguments listed above, the following computed attributes are | ||
|
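Review bot: the `service` description refers to "the `log_types` specified in each `audit_log_config`", but the block argument documented below is `log_type` (singular, one value per block); align the name. The same paragraph says an `allServices` resource and a specific-service resource are merged as a union, which sits awkwardly beside the overview bullet calling the resource "Authoritative for a given service"; spell out that authoritative applies per `service` value and that `allServices` is its own entry. Minor: `(Required only by google\_project\_iam\_audit\_config)` differs from the `(Required except for ...)` phrasing used for `member/members` and `role` above; pick one form.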
@@ -125,3 +153,9 @@ IAM policy imports use the identifier of the resource in question. This policy | |
``` | ||
$ terraform import google_project_iam_policy.my_project your-project-id | ||
``` | ||
|
||
IAM audit config imports use the identifier of the resource in question and the service, e.g. | ||
|
||
``` | ||
terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com" | ||
``` |
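Review bot: the new import example drops the `$ ` prompt that the `google_project_iam_policy` example directly above uses; make the two fenced commands consistent. It would also help to state the import ID format in prose (project ID and service separated by a space, hence the quoting) rather than only by example, and to say that `foo.googleapis.com` is a placeholder service name.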