diff --git a/website/docs/r/google_project_iam.html.markdown b/website/docs/r/google_project_iam.html.markdown index 70395b12a80..0a12b1e1987 100644 --- a/website/docs/r/google_project_iam.html.markdown +++ b/website/docs/r/google_project_iam.html.markdown @@ -8,13 +8,15 @@ description: |- # IAM policy for projects -Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case: +Four different resources help you manage your IAM policy for a project. Each of these resources serves a different use case: * `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached. * `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved. * `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved. +* `google_project_iam_audit_config`: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service. -~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be. + +~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config` or they will fight over what your policy should be. ~> **Note:** `google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role. 
@@ -69,18 +71,33 @@ resource "google_project_iam_member" "project" { } ``` +## google\_project\_iam\_audit\_config + +```hcl +resource "google_project_iam_audit_config" "project" { + project = "your-project-id" + service = "allServices" + audit_log_config { + log_type = "DATA_READ" + exempted_members = [ + "user:joebloggs@hashicorp.com", + ] + } +} +``` + ## Argument Reference The following arguments are supported: -* `member/members` - (Required) Identities that will be granted the privilege in `role`. +* `member/members` - (Required except for google\_project\_iam\_audit\_config) Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. -* `role` - (Required) The role that should be applied. Only one +* `role` - (Required except for google\_project\_iam\_audit\_config) The role that should be applied. Only one `google_project_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. 
@@ -93,11 +110,22 @@ The following arguments are supported: Deleting this removes all policies from the project, locking out users without organization-level access. -* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding` -or `google_project_iam_member`, uses the ID of the project configured with the provider. +* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`, `google_project_iam_member`, or `google_project_iam_audit_config`, uses the ID of the project configured with the provider. Required for `google_project_iam_policy` - you must explicitly set the project, and it will not be inferred from the provider. - + +* `service` - (Required only by google\_project\_iam\_audit\_config) Service which will be enabled for audit logging. The special value `allServices` covers all services. Note that if there are google\_project\_iam\_audit\_config resources covering both `allServices` and a specific service then the union of the two AuditConfigs is used for that service: the `log_types` specified in each `audit_log_config` are enabled, and the `exempted_members` in each `audit_log_config` are exempted. + +* `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below. + +--- + +The `audit_log_config` block supports: + +* `log_type` - (Required) Permission type for which logging is to be configured. Must be one of `DATA_READ`, `DATA_WRITE`, or `ADMIN_READ`. + +* `exempted_members` - (Optional) Identities that do not cause logging for this type of permission. The format is the same as that for `members`. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are 
@@ -125,3 +153,9 @@ IAM policy imports use the identifier of the resource in question. This policy ``` $ terraform import google_project_iam_policy.my_project your-project-id ``` + +IAM audit config imports use the identifier of the resource in question and the service, e.g. + +``` +terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com" +``` \ No newline at end of file diff --git a/website/google.erb b/website/google.erb index 7b840ed3938..5a4f1d85065 100644 --- a/website/google.erb +++ b/website/google.erb @@ -343,6 +343,9 @@ > google_project + > + google_project_iam_audit_config + > google_project_iam_binding
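Review bot: in the first hunk of google_project_iam.html.markdown (`@@ -8,13 +8,15 @@`), the rewritten `~> **Note:**` line is preceded by an extra `+` blank line, which leaves two blank lines between the new `google_project_iam_audit_config` bullet and the note while the other notes in the file are separated by one; drop the extra blank line. Listing `google_project_iam_audit_config` among the resources that conflict with `google_project_iam_policy` is correct, since the policy resource is documented as replacing any existing policy, so a separately managed audit config would be overwritten on each apply.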
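Review bot: in the second hunk (`@@ -69,18 +71,33 @@`), the new example under `## google\_project\_iam\_audit\_config` uses `user:joebloggs@hashicorp.com` as an exempted member, whereas the rest of the page uses placeholder addresses such as alice@gmail.com and joe@example.com; use an example.com address so the docs do not carry a real-looking account. Because `audit_log_config` is documented as repeatable, the example would teach more with a second block, e.g. `log_type = "DATA_WRITE"`, showing how the per-log-type entries are combined. Also, the new `(Required except for google\_project\_iam\_audit\_config)` qualifiers escape underscores in prose while the surrounding bullets put resource names in backticks (`google_project_iam_binding`); backticks would be consistent and render as code.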
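Review bot: in the third hunk (`@@ -93,11 +110,22 @@`), the `service` description says "the `log_types` specified in each `audit_log_config` are enabled", but the block argument documented a few lines below is `log_type` (singular); align the name so readers do not look for a `log_types` argument that does not exist. Since the same paragraph explains that `exempted_members` from both an `allServices` config and a service-specific config are unioned, it is worth one sentence under `exempted_members` stating that an identity exempted in either config will not be audit logged for that permission type on that service, as that is the visibility trade-off a reader needs to evaluate. Minor: the removed `- ` line only carried trailing whitespace; the replacement blank `+` line is fine.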
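Review bot: in the import hunk (`@@ -125,3 +153,9 @@`), the new `terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com"` line omits the `$ ` prompt prefix that the `google_project_iam_policy` import example immediately above uses; add it for consistency. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); add one. Since the id is a quoted, space-separated pair, a short sentence explaining that the service name is part of the import id, and whether `allServices` is accepted in that position, would save readers a failed import attempt.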