Skip to content

Commit

Permalink
Document the google_project_iam_audit_config resource (hashicorp#1066)
Browse files Browse the repository at this point in the history
Signed-off-by: Modular Magician <[email protected]>
  • Loading branch information
modular-magician authored and danawillow committed Sep 5, 2019
1 parent e69327b commit 43af0af
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 7 deletions.
48 changes: 41 additions & 7 deletions website/docs/r/google_project_iam.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,15 @@ description: |-

# IAM policy for projects

Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:
Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

* `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.
* `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
* `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
* `google_project_iam_audit_config`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be.

~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config` or they will fight over what your policy should be.

~> **Note:** `google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role.

Expand Down Expand Up @@ -69,18 +71,33 @@ resource "google_project_iam_member" "project" {
}
```

## google\_project\_iam\_audit\_config

```hcl
resource "google_project_iam_audit_config" "project" {
project = "your-project-id"
service = "allServices"
audit_log_config {
log_type = "DATA_READ"
exempted_members = [
"user:[email protected]",
]
}
}
```

## Argument Reference

The following arguments are supported:

* `member/members` - (Required) Identities that will be granted the privilege in `role`.
* `member/members` - (Required except for google\_project\_iam\_audit\_config) Identities that will be granted the privilege in `role`.
Each entry can have one of the following values:
* **user:{emailid}**: An email address that represents a specific Google account. For example, [email protected] or [email protected].
* **serviceAccount:{emailid}**: An email address that represents a service account. For example, [email protected].
* **group:{emailid}**: An email address that represents a Google group. For example, [email protected].
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

* `role` - (Required) The role that should be applied. Only one
* `role` - (Required except for google\_project\_iam\_audit\_config) The role that should be applied. Only one
`google_project_iam_binding` can be used per role. Note that custom roles must be of the format
`[projects|organizations]/{parent-name}/roles/{role-name}`.

Expand All @@ -93,11 +110,22 @@ The following arguments are supported:
Deleting this removes all policies from the project, locking out users without
organization-level access.

* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`
or `google_project_iam_member`, uses the ID of the project configured with the provider.
* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config`, uses the ID of the project configured with the provider.
Required for `google_project_iam_policy` - you must explicitly set the project, and it
will not be inferred from the provider.


* `service` - (Required only by google\_project\_iam\_audit\_config) Service which will be enabled for audit logging. The special value `allServices` covers all services. Note that if there are google\_project\_iam\_audit\_config resources covering both `allServices` and a specific service then the union of the two AuditConfigs is used for that service: the `log_types` specified in each `audit_log_config` are enabled, and the `exempted_members` in each `audit_log_config` are exempted.

* `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

---

The `audit_log_config` block supports:

* `log_type` - (Required) Permission type for which logging is to be configured. Must be one of `DATA_READ`, `DATA_WRITE`, or `ADMIN_READ`.

* `exempted_members` - (Optional) Identities that do not cause logging for this type of permission. The format is the same as that for `members`.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
Expand Down Expand Up @@ -125,3 +153,9 @@ IAM policy imports use the identifier of the resource in question. This policy
```
$ terraform import google_project_iam_policy.my_project your-project-id
```

IAM audit config imports use the identifier of the resource in question and the service, e.g.

```
terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com"
```
3 changes: 3 additions & 0 deletions website/google.erb
Original file line number Diff line number Diff line change
Expand Up @@ -343,6 +343,9 @@
<li<%= sidebar_current("docs-google-project-x") %>>
<a href="/docs/providers/google/r/google_project.html">google_project</a>
</li>
<li<%= sidebar_current("docs-google-project-iam-x") %>>
<a href="/docs/providers/google/r/google_project_iam.html">google_project_iam_audit_config</a>
</li>
<li<%= sidebar_current("docs-google-project-iam-x") %>>
<a href="/docs/providers/google/r/google_project_iam.html">google_project_iam_binding</a>
</li>
Expand Down

0 comments on commit 43af0af

Please sign in to comment.