iap

package
v6.61.1 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jul 28, 2023 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AppEngineServiceIamBinding

// AppEngineServiceIamBinding is the resource for an IAM binding on an
// Identity-Aware Proxy App Engine service. It is authoritative for a given
// role: it updates the IAM policy to grant the role to the listed members and
// preserves the other roles in the policy.
type AppEngineServiceIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	// your organization; binding either to an access role makes the grant
	// effectively public. Confirm that is intended before applying.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached.
* `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members, so members of that role that are not in the list are removed. Other roles within the IAM policy for the appengineservice are preserved.
* `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_app\_engine\_service\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

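// main declares an authoritative IAM policy for an IAP-protected App Engine
// service that grants roles/iap.httpsResourceAccessor to user:jane@example.com.
//
// iap.AppEngineServiceIamPolicy replaces any policy already attached to the
// service, so every binding that has to remain in place must be listed in
// LookupIAMPolicyArgs.Bindings.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document locally from the bindings it should contain.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource
		// defined elsewhere in the program.
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}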

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

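// main declares an authoritative IAM policy for an IAP-protected App Engine
// service whose single binding carries an IAM Condition.
//
// iap.AppEngineServiceIamPolicy replaces any policy already attached to the
// service, so every binding that has to remain in place must be listed in
// LookupIAMPolicyArgs.Bindings.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// The expression below stops matching at
					// 2020-01-01T00:00:00Z, a date that has already passed:
					// applied as written, the binding grants nothing. Use a
					// future timestamp when adapting the example.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource
		// defined elsewhere in the program.
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}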

```

## google\_iap\_app\_engine\_service\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// service through an iap.AppEngineServiceIamBinding, which is authoritative
// for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Members is the complete member list for the role on this service;
		// other roles in the policy are preserved.
		// google_app_engine_standard_app_version is not declared in this
		// example; presumably it is defined elsewhere in the program.
		bindingArgs := &iap.AppEngineServiceIamBindingArgs{
			AppId: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Project: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Service: pulumi.Any(google_app_engine_standard_app_version.Version.Service),
		}
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor through an
// iap.AppEngineServiceIamBinding that carries an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression stops matching at 2020-01-01T00:00:00Z, which has
		// already passed; use a future timestamp when adapting the example.
		expiry := &iap.AppEngineServiceIamBindingConditionArgs{
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			Title:       pulumi.String("expires_after_2019_12_31"),
		}
		// google_app_engine_standard_app_version is not declared in this
		// example; presumably it is defined elsewhere in the program.
		bindingArgs := &iap.AppEngineServiceIamBindingArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Condition: expiry,
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Project: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Service: pulumi.Any(google_app_engine_standard_app_version.Version.Service),
		}
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_app\_engine\_service\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.httpsResourceAccessor on an IAP-protected
// App Engine service through the non-authoritative
// iap.AppEngineServiceIamMember; other members of the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_app_engine_standard_app_version is not declared in this
		// example; presumably it is defined elsewhere in the program.
		memberArgs := &iap.AppEngineServiceIamMemberArgs{
			AppId:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Member:  pulumi.String("user:jane@example.com"),
			Project: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Service: pulumi.Any(google_app_engine_standard_app_version.Version.Service),
		}
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.httpsResourceAccessor through the
// non-authoritative iap.AppEngineServiceIamMember, with an IAM Condition
// attached to the grant.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression stops matching at 2020-01-01T00:00:00Z, which has
		// already passed; use a future timestamp when adapting the example.
		expiry := &iap.AppEngineServiceIamMemberConditionArgs{
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			Title:       pulumi.String("expires_after_2019_12_31"),
		}
		// google_app_engine_standard_app_version is not declared in this
		// example; presumably it is defined elsewhere in the program.
		memberArgs := &iap.AppEngineServiceIamMemberArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Condition: expiry,
			Member:    pulumi.String("user:jane@example.com"),
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
		}
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}
* {{project}}/{{appId}}/{{service}}
* {{appId}}/{{service}}
* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamBinding

func GetAppEngineServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamBindingState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamBinding, error)

GetAppEngineServiceIamBinding gets an existing AppEngineServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamBinding

func NewAppEngineServiceIamBinding(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamBinding, error)

NewAppEngineServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamBinding) ElementType

func (*AppEngineServiceIamBinding) ElementType() reflect.Type

func (*AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutput

func (i *AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput

func (*AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutputWithContext

func (i *AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingArgs

// AppEngineServiceIamBindingArgs is the set of arguments for constructing an
// AppEngineServiceIamBinding resource. The binding is authoritative for the
// given role: Members is the full list of members granted that role.
type AppEngineServiceIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrInput
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	// your organization; binding either to an access role makes the grant
	// effectively public. Confirm that is intended before applying.
	Members   pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamBinding resource.

func (AppEngineServiceIamBindingArgs) ElementType

type AppEngineServiceIamBindingArray

// AppEngineServiceIamBindingArray is a slice of AppEngineServiceIamBindingInput
// values; it is one of the types accepted as an AppEngineServiceIamBindingArrayInput.
type AppEngineServiceIamBindingArray []AppEngineServiceIamBindingInput

func (AppEngineServiceIamBindingArray) ElementType

func (AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutput

func (i AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput

func (AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutputWithContext

func (i AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutputWithContext(ctx context.Context) AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingArrayInput

// AppEngineServiceIamBindingArrayInput is an input type that accepts
// AppEngineServiceIamBindingArray and AppEngineServiceIamBindingArrayOutput values.
type AppEngineServiceIamBindingArrayInput interface {
	pulumi.Input

	// Conversions to the array output type, without and with an explicit context.
	ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput
	ToAppEngineServiceIamBindingArrayOutputWithContext(context.Context) AppEngineServiceIamBindingArrayOutput
}

AppEngineServiceIamBindingArrayInput is an input type that accepts AppEngineServiceIamBindingArray and AppEngineServiceIamBindingArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingArrayInput` via:

AppEngineServiceIamBindingArray{ AppEngineServiceIamBindingArgs{...} }

type AppEngineServiceIamBindingArrayOutput

// AppEngineServiceIamBindingArrayOutput is the output type that
// AppEngineServiceIamBindingArray converts to; it embeds *pulumi.OutputState.
type AppEngineServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingArrayOutput) ElementType

func (AppEngineServiceIamBindingArrayOutput) Index

func (AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutput

func (o AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput

func (AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutputWithContext

func (o AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutputWithContext(ctx context.Context) AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingCondition

// AppEngineServiceIamBindingCondition is the IAM Condition attached to a
// binding: a title, an optional description and a Common Expression Language
// expression.
//
// NOTE(review): Title and Description read as labels only; the restriction
// presumably comes from Expression alone, so review the expression itself
// rather than the title. Confirm against the IAM Conditions documentation.
type AppEngineServiceIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineServiceIamBindingConditionArgs

// AppEngineServiceIamBindingConditionArgs is the input form of the IAM
// Condition attached to a binding: a title, an optional description and a
// Common Expression Language expression.
//
// NOTE(review): Title and Description read as labels only; the restriction
// presumably comes from Expression alone, so review the expression itself
// rather than the title. Confirm against the IAM Conditions documentation.
type AppEngineServiceIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineServiceIamBindingConditionArgs) ElementType

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutput

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutputWithContext

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutput

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutputWithContext

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionInput

// AppEngineServiceIamBindingConditionInput is an input type that accepts
// AppEngineServiceIamBindingConditionArgs and
// AppEngineServiceIamBindingConditionOutput values.
type AppEngineServiceIamBindingConditionInput interface {
	pulumi.Input

	// Conversions to the condition output type, without and with an explicit context.
	ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput
	ToAppEngineServiceIamBindingConditionOutputWithContext(context.Context) AppEngineServiceIamBindingConditionOutput
}

AppEngineServiceIamBindingConditionInput is an input type that accepts AppEngineServiceIamBindingConditionArgs and AppEngineServiceIamBindingConditionOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingConditionInput` via:

AppEngineServiceIamBindingConditionArgs{...}

type AppEngineServiceIamBindingConditionOutput

// AppEngineServiceIamBindingConditionOutput is the output type that
// AppEngineServiceIamBindingConditionArgs converts to; it embeds
// *pulumi.OutputState.
type AppEngineServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamBindingConditionOutput) ElementType

func (AppEngineServiceIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutput

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutputWithContext

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutput

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionPtrInput

// AppEngineServiceIamBindingConditionPtrInput is an input type that accepts
// AppEngineServiceIamBindingConditionArgs, AppEngineServiceIamBindingConditionPtr
// and AppEngineServiceIamBindingConditionPtrOutput values. A nil value is
// also accepted.
type AppEngineServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	// Conversions to the pointer output type, without and with an explicit context.
	ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput
	ToAppEngineServiceIamBindingConditionPtrOutputWithContext(context.Context) AppEngineServiceIamBindingConditionPtrOutput
}

AppEngineServiceIamBindingConditionPtrInput is an input type that accepts AppEngineServiceIamBindingConditionArgs, AppEngineServiceIamBindingConditionPtr and AppEngineServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingConditionPtrInput` via:

        AppEngineServiceIamBindingConditionArgs{...}

or:

        nil

type AppEngineServiceIamBindingConditionPtrOutput

// AppEngineServiceIamBindingConditionPtrOutput is the output type for a
// condition supplied through AppEngineServiceIamBindingConditionPtrInput; it
// embeds *pulumi.OutputState.
type AppEngineServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamBindingConditionPtrOutput) Elem

func (AppEngineServiceIamBindingConditionPtrOutput) ElementType

func (AppEngineServiceIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutput

func (o AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext

func (o AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingInput

// AppEngineServiceIamBindingInput is the input interface for values that can
// be converted to an AppEngineServiceIamBindingOutput.
type AppEngineServiceIamBindingInput interface {
	pulumi.Input

	// Conversions to the resource output type, without and with an explicit context.
	ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput
	ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput
}

type AppEngineServiceIamBindingMap

// AppEngineServiceIamBindingMap is a string-keyed map of
// AppEngineServiceIamBindingInput values; it is one of the types accepted as
// an AppEngineServiceIamBindingMapInput.
type AppEngineServiceIamBindingMap map[string]AppEngineServiceIamBindingInput

func (AppEngineServiceIamBindingMap) ElementType

func (AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutput

func (i AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput

func (AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutputWithContext

func (i AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutputWithContext(ctx context.Context) AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingMapInput

// AppEngineServiceIamBindingMapInput is an input type that accepts
// AppEngineServiceIamBindingMap and AppEngineServiceIamBindingMapOutput values.
type AppEngineServiceIamBindingMapInput interface {
	pulumi.Input

	// Conversions to the map output type, without and with an explicit context.
	ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput
	ToAppEngineServiceIamBindingMapOutputWithContext(context.Context) AppEngineServiceIamBindingMapOutput
}

AppEngineServiceIamBindingMapInput is an input type that accepts AppEngineServiceIamBindingMap and AppEngineServiceIamBindingMapOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingMapInput` via:

AppEngineServiceIamBindingMap{ "key": AppEngineServiceIamBindingArgs{...} }

type AppEngineServiceIamBindingMapOutput

// AppEngineServiceIamBindingMapOutput is the output type that
// AppEngineServiceIamBindingMap converts to; it embeds *pulumi.OutputState.
type AppEngineServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingMapOutput) ElementType

func (AppEngineServiceIamBindingMapOutput) MapIndex

func (AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutput

func (o AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput

func (AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutputWithContext

func (o AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutputWithContext(ctx context.Context) AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingOutput

// AppEngineServiceIamBindingOutput is the output type that
// *AppEngineServiceIamBinding converts to; it embeds *pulumi.OutputState.
type AppEngineServiceIamBindingOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineServiceIamBindingOutput) ElementType

func (AppEngineServiceIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamBindingOutput) Members added in v6.23.0

func (AppEngineServiceIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. (This list describes the `Members` property, although it is rendered under `Project`.) Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineServiceIamBindingOutput) Service added in v6.23.0

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutput

func (o AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput

func (AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutputWithContext

func (o AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingState

// AppEngineServiceIamBindingState holds the optional state properties that
// GetAppEngineServiceIamBinding accepts to qualify the lookup of an existing
// AppEngineServiceIamBinding.
type AppEngineServiceIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	// your organization; finding either in an existing binding for an access
	// role means the grant is effectively public.
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamBindingState) ElementType

type AppEngineServiceIamMember

// AppEngineServiceIamMember is the non-authoritative IAM resource for an
// Identity-Aware Proxy App Engine service: it grants a role to one member and
// preserves the other members already bound to that role.
type AppEngineServiceIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	// (Required) The identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to your own
	// organization. Use them only when the role is meant to be public; otherwise grant
	// to a user, group, serviceAccount or domain.
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role, and a binding and a member
	// resource can be combined only if they do not grant privilege to the same role.
	// Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached.
* `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved.
* `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data when you do not need to create a policy:

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_app\_engine\_service\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

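// main sets the IAM policy of an IAP-protected App Engine service.
// iap.AppEngineServiceIamPolicy is authoritative: it replaces any policy already
// attached to the service, so every binding that must remain has to be part of
// the policy data built here.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document: a single binding that lets one user through IAP.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; it presumably stands for an App Engine version resource defined
		// elsewhere in the program.
		// admin.PolicyData is a plain string, so it is wrapped with pulumi.String
		// rather than dereferenced.
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}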

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

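// main sets the IAM policy of an IAP-protected App Engine service, with an IAM
// Condition on the binding. iap.AppEngineServiceIamPolicy is authoritative: it
// replaces any policy already attached to the service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition limits the grant to requests made before the given timestamp.
		// NOTE(review): the sample expiry (2020-01-01) predates this package version,
		// so as written the condition would no longer match; set a future timestamp.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A composite literal needs its type here; the bare `{` does not compile.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; it presumably stands for an App Engine version resource defined
		// elsewhere in the program.
		// admin.PolicyData is a plain string, so it is wrapped with pulumi.String
		// rather than dereferenced.
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}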

```

## google\_iap\_app\_engine\_service\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// service to a list of members. iap.AppEngineServiceIamBinding is authoritative
// for that role; other roles in the service's IAM policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; it presumably stands for an App Engine version resource defined
		// elsewhere in the program.
		version := google_app_engine_standard_app_version.Version
		bindingArgs := &iap.AppEngineServiceIamBindingArgs{
			AppId: pulumi.Any(version.Project),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Project: pulumi.Any(version.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Service: pulumi.Any(version.Service),
		}
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// service to a list of members, limited by an IAM Condition.
// iap.AppEngineServiceIamBinding is authoritative for that role; other roles in
// the service's IAM policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition limits the grant to requests made before the given timestamp.
		// NOTE(review): the sample expiry (2020-01-01) predates this package version,
		// so as written the condition would no longer match; set a future timestamp.
		expiry := &iap.AppEngineServiceIamBindingConditionArgs{
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			Title:       pulumi.String("expires_after_2019_12_31"),
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; it presumably stands for an App Engine version resource defined
		// elsewhere in the program.
		version := google_app_engine_standard_app_version.Version
		bindingArgs := &iap.AppEngineServiceIamBindingArgs{
			AppId:     pulumi.Any(version.Project),
			Condition: expiry,
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Project: pulumi.Any(version.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Service: pulumi.Any(version.Service),
		}
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_app\_engine\_service\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// service to a single member. iap.AppEngineServiceIamMember is non-authoritative:
// other members already holding the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; it presumably stands for an App Engine version resource defined
		// elsewhere in the program.
		version := google_app_engine_standard_app_version.Version
		memberArgs := &iap.AppEngineServiceIamMemberArgs{
			AppId:   pulumi.Any(version.Project),
			Member:  pulumi.String("user:jane@example.com"),
			Project: pulumi.Any(version.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Service: pulumi.Any(version.Service),
		}
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// service to a single member, limited by an IAM Condition.
// iap.AppEngineServiceIamMember is non-authoritative: other members already
// holding the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition limits the grant to requests made before the given timestamp.
		// NOTE(review): the sample expiry (2020-01-01) predates this package version,
		// so as written the condition would no longer match; set a future timestamp.
		expiry := &iap.AppEngineServiceIamMemberConditionArgs{
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			Title:       pulumi.String("expires_after_2019_12_31"),
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; it presumably stands for an App Engine version resource defined
		// elsewhere in the program.
		version := google_app_engine_standard_app_version.Version
		memberArgs := &iap.AppEngineServiceIamMemberArgs{
			AppId:     pulumi.Any(version.Project),
			Condition: expiry,
			Member:    pulumi.String("user:jane@example.com"),
			Project:   pulumi.Any(version.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Service:   pulumi.Any(version.Service),
		}
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}
* {{project}}/{{appId}}/{{service}}
* {{appId}}/{{service}}
* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamMember

func GetAppEngineServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamMemberState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamMember, error)

GetAppEngineServiceIamMember gets an existing AppEngineServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamMember

func NewAppEngineServiceIamMember(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamMember, error)

NewAppEngineServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamMember) ElementType

func (*AppEngineServiceIamMember) ElementType() reflect.Type

func (*AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutput

func (i *AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput

func (*AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutputWithContext

func (i *AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberArgs

// AppEngineServiceIamMemberArgs is the set of arguments for constructing an
// AppEngineServiceIamMember resource.
type AppEngineServiceIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrInput
	// (Required) The identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to your own
	// organization. Use them only when the role is meant to be public; otherwise grant
	// to a user, group, serviceAccount or domain.
	Member    pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role, and a binding and a member
	// resource can be combined only if they do not grant privilege to the same role.
	// Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput
}

The set of arguments for constructing an AppEngineServiceIamMember resource.

func (AppEngineServiceIamMemberArgs) ElementType

type AppEngineServiceIamMemberArray

type AppEngineServiceIamMemberArray []AppEngineServiceIamMemberInput

func (AppEngineServiceIamMemberArray) ElementType

func (AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutput

func (i AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput

func (AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutputWithContext

func (i AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutputWithContext(ctx context.Context) AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberArrayInput

// AppEngineServiceIamMemberArrayInput is implemented by values that can be
// converted to an AppEngineServiceIamMemberArrayOutput, with or without an
// explicit context.
type AppEngineServiceIamMemberArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput
	ToAppEngineServiceIamMemberArrayOutputWithContext(context.Context) AppEngineServiceIamMemberArrayOutput
}

AppEngineServiceIamMemberArrayInput is an input type that accepts AppEngineServiceIamMemberArray and AppEngineServiceIamMemberArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberArrayInput` via:

AppEngineServiceIamMemberArray{ AppEngineServiceIamMemberArgs{...} }

type AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberArrayOutput) ElementType

func (AppEngineServiceIamMemberArrayOutput) Index

func (AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutput

func (o AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput

func (AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutputWithContext

func (o AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutputWithContext(ctx context.Context) AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberCondition

// AppEngineServiceIamMemberCondition is the plain-value form of the IAM Condition
// on a member binding: a title, an optional description and an expression.
type AppEngineServiceIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// > identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// > consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineServiceIamMemberConditionArgs

// AppEngineServiceIamMemberConditionArgs is the input form of the IAM Condition
// on a member binding: a title, an optional description and an expression.
type AppEngineServiceIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// > identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// > consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineServiceIamMemberConditionArgs) ElementType

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutput

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutputWithContext

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutput

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutputWithContext

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionInput

// AppEngineServiceIamMemberConditionInput is implemented by values that can be
// converted to an AppEngineServiceIamMemberConditionOutput, with or without an
// explicit context.
type AppEngineServiceIamMemberConditionInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput
	ToAppEngineServiceIamMemberConditionOutputWithContext(context.Context) AppEngineServiceIamMemberConditionOutput
}

AppEngineServiceIamMemberConditionInput is an input type that accepts AppEngineServiceIamMemberConditionArgs and AppEngineServiceIamMemberConditionOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberConditionInput` via:

AppEngineServiceIamMemberConditionArgs{...}

type AppEngineServiceIamMemberConditionOutput

type AppEngineServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamMemberConditionOutput) ElementType

func (AppEngineServiceIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutput

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutputWithContext

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutput

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionPtrInput

// AppEngineServiceIamMemberConditionPtrInput is implemented by values that can be
// converted to an AppEngineServiceIamMemberConditionPtrOutput, with or without an
// explicit context.
type AppEngineServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput
	ToAppEngineServiceIamMemberConditionPtrOutputWithContext(context.Context) AppEngineServiceIamMemberConditionPtrOutput
}

AppEngineServiceIamMemberConditionPtrInput is an input type that accepts AppEngineServiceIamMemberConditionArgs, AppEngineServiceIamMemberConditionPtr and AppEngineServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberConditionPtrInput` via:

        AppEngineServiceIamMemberConditionArgs{...}

or:

        nil

type AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamMemberConditionPtrOutput) Elem

func (AppEngineServiceIamMemberConditionPtrOutput) ElementType

func (AppEngineServiceIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutput

func (o AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext

func (o AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberInput

// AppEngineServiceIamMemberInput is implemented by values that can be converted
// to an AppEngineServiceIamMemberOutput, with or without an explicit context.
type AppEngineServiceIamMemberInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput
	ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput
}

type AppEngineServiceIamMemberMap

type AppEngineServiceIamMemberMap map[string]AppEngineServiceIamMemberInput

func (AppEngineServiceIamMemberMap) ElementType

func (AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutput

func (i AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput

func (AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutputWithContext

func (i AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutputWithContext(ctx context.Context) AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberMapInput

// AppEngineServiceIamMemberMapInput is implemented by values that can be
// converted to an AppEngineServiceIamMemberMapOutput, with or without an
// explicit context.
type AppEngineServiceIamMemberMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput
	ToAppEngineServiceIamMemberMapOutputWithContext(context.Context) AppEngineServiceIamMemberMapOutput
}

AppEngineServiceIamMemberMapInput is an input type that accepts AppEngineServiceIamMemberMap and AppEngineServiceIamMemberMapOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberMapInput` via:

AppEngineServiceIamMemberMap{ "key": AppEngineServiceIamMemberArgs{...} }

type AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberMapOutput) ElementType

func (AppEngineServiceIamMemberMapOutput) MapIndex

func (AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutput

func (o AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput

func (AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutputWithContext

func (o AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutputWithContext(ctx context.Context) AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineServiceIamMemberOutput) ElementType

func (AppEngineServiceIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamMemberOutput) Member added in v6.23.0

func (AppEngineServiceIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineServiceIamMemberOutput) Service added in v6.23.0

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutput

func (o AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput

func (AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutputWithContext

func (o AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberState

// AppEngineServiceIamMemberState holds the optional state properties that
// GetAppEngineServiceIamMember accepts to qualify the lookup of an existing
// AppEngineServiceIamMember resource. Every field is optional.
type AppEngineServiceIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	// The identity that is granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to your own
	// organization. Use them only when the role is meant to be public; otherwise grant
	// to a user, group, serviceAccount or domain.
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role, and a binding and a member
	// resource can be combined only if they do not grant privilege to the same role.
	// Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamMemberState) ElementType

type AppEngineServiceIamPolicy

// AppEngineServiceIamPolicy is the resource type for an IAM policy attached to an
// Identity-Aware Proxy App Engine service. It embeds pulumi.CustomResourceState and
// exposes each property as a Pulumi output.
type AppEngineServiceIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents `member/members`, but this struct has no
	// member or role field; it presumably applies to the bindings carried in PolicyData.
	// Confirm against the upstream provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// As defined above, allUsers and allAuthenticatedUsers are not limited to one
	// organization, so a grant to either of them is effectively public.
	Project pulumi.StringOutput `pulumi:"project"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached.
* `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved.
* `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create it:

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_app\_engine\_service\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

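// main attaches an IAM policy to an Identity-Aware Proxy App Engine service.
//
// iap.AppEngineServiceIamPolicy is authoritative: the policy document built here
// replaces whatever policy is already attached to the service, so every principal
// that must keep access has to appear in the bindings below.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document: one binding that grants
		// roles/iap.httpsResourceAccessor to a single user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program. Its project is used for both Project and AppId.
		//
		// PolicyData is passed with a plain pulumi.String conversion; the original
		// `*pulumi.String(...)` dereferenced a non-pointer value and does not compile.
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}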

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

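// main attaches an IAM policy with a time-based IAM Condition to an
// Identity-Aware Proxy App Engine service.
//
// iap.AppEngineServiceIamPolicy is authoritative: the policy document built here
// replaces whatever policy is already attached to the service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition expression only matches requests made before
		// 2020-01-01T00:00:00Z, so with this sample value the grant has already
		// expired; use a future timestamp for a real time-boxed grant.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type; the bare
					// `Condition: {` of the original does not compile.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program.
		//
		// PolicyData is passed with a plain pulumi.String conversion; the original
		// `*pulumi.String(...)` dereferenced a non-pointer value and does not compile.
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}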

```

## google\_iap\_app\_engine\_service\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an Identity-Aware Proxy
// App Engine service to one user through an IAM binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program. Its project is used for both AppId and Project.
		bindingArgs := &iap.AppEngineServiceIamBindingArgs{
			AppId:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Project: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service: pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			// Members is the list of identities that the binding grants the role to.
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an Identity-Aware Proxy
// App Engine service to one user through an IAM binding that carries an
// IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression only matches requests made before 2020-01-01T00:00:00Z, so
		// with this sample value the grant has already expired; use a future
		// timestamp for a real time-boxed grant.
		expiry := &iap.AppEngineServiceIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program.
		bindingArgs := &iap.AppEngineServiceIamBindingArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Condition: expiry,
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_app\_engine\_service\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an Identity-Aware Proxy
// App Engine service to a single member.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program. Its project is used for both AppId and Project.
		memberArgs := &iap.AppEngineServiceIamMemberArgs{
			AppId:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Project: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service: pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an Identity-Aware Proxy
// App Engine service to a single member, limited by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression only matches requests made before 2020-01-01T00:00:00Z, so
		// with this sample value the grant has already expired; use a future
		// timestamp for a real time-boxed grant.
		expiry := &iap.AppEngineServiceIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program.
		memberArgs := &iap.AppEngineServiceIamMemberArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}
* {{project}}/{{appId}}/{{service}}
* {{appId}}/{{service}}
* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamPolicy

func GetAppEngineServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamPolicyState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamPolicy, error)

GetAppEngineServiceIamPolicy gets an existing AppEngineServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamPolicy

func NewAppEngineServiceIamPolicy(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamPolicy, error)

NewAppEngineServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamPolicy) ElementType

func (*AppEngineServiceIamPolicy) ElementType() reflect.Type

func (*AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutput

func (i *AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput

func (*AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutputWithContext

func (i *AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyArgs

// AppEngineServiceIamPolicyArgs holds the inputs for creating an
// AppEngineServiceIamPolicy resource. AppId, PolicyData and Service are plain
// string inputs; Project is a pointer input.
type AppEngineServiceIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents `member/members`, but this struct has no
	// member or role field; it presumably applies to the bindings carried in PolicyData.
	// Confirm against the upstream provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// As defined above, allUsers and allAuthenticatedUsers are not limited to one
	// organization, so a grant to either of them is effectively public.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput
}

The set of arguments for constructing an AppEngineServiceIamPolicy resource.

func (AppEngineServiceIamPolicyArgs) ElementType

type AppEngineServiceIamPolicyArray

type AppEngineServiceIamPolicyArray []AppEngineServiceIamPolicyInput

func (AppEngineServiceIamPolicyArray) ElementType

func (AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutput

func (i AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput

func (AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutputWithContext

func (i AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyArrayInput

// AppEngineServiceIamPolicyArrayInput is a pulumi.Input that can be converted to an
// AppEngineServiceIamPolicyArrayOutput.
type AppEngineServiceIamPolicyArrayInput interface {
	pulumi.Input

	// ToAppEngineServiceIamPolicyArrayOutput returns the value as an array output.
	ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput
	// ToAppEngineServiceIamPolicyArrayOutputWithContext is the same conversion,
	// taking a context.Context.
	ToAppEngineServiceIamPolicyArrayOutputWithContext(context.Context) AppEngineServiceIamPolicyArrayOutput
}

AppEngineServiceIamPolicyArrayInput is an input type that accepts AppEngineServiceIamPolicyArray and AppEngineServiceIamPolicyArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamPolicyArrayInput` via:

AppEngineServiceIamPolicyArray{ AppEngineServiceIamPolicyArgs{...} }

type AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyArrayOutput) ElementType

func (AppEngineServiceIamPolicyArrayOutput) Index

func (AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutput

func (o AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput

func (AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutputWithContext

func (o AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyInput

// AppEngineServiceIamPolicyInput is a pulumi.Input that can be converted to an
// AppEngineServiceIamPolicyOutput.
type AppEngineServiceIamPolicyInput interface {
	pulumi.Input

	// ToAppEngineServiceIamPolicyOutput returns the value as an output.
	ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput
	// ToAppEngineServiceIamPolicyOutputWithContext is the same conversion,
	// taking a context.Context.
	ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput
}

type AppEngineServiceIamPolicyMap

type AppEngineServiceIamPolicyMap map[string]AppEngineServiceIamPolicyInput

func (AppEngineServiceIamPolicyMap) ElementType

func (AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutput

func (i AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput

func (AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutputWithContext

func (i AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyMapInput

// AppEngineServiceIamPolicyMapInput is a pulumi.Input that can be converted to an
// AppEngineServiceIamPolicyMapOutput.
type AppEngineServiceIamPolicyMapInput interface {
	pulumi.Input

	// ToAppEngineServiceIamPolicyMapOutput returns the value as a map output.
	ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput
	// ToAppEngineServiceIamPolicyMapOutputWithContext is the same conversion,
	// taking a context.Context.
	ToAppEngineServiceIamPolicyMapOutputWithContext(context.Context) AppEngineServiceIamPolicyMapOutput
}

AppEngineServiceIamPolicyMapInput is an input type that accepts AppEngineServiceIamPolicyMap and AppEngineServiceIamPolicyMapOutput values. You can construct a concrete instance of `AppEngineServiceIamPolicyMapInput` via:

AppEngineServiceIamPolicyMap{ "key": AppEngineServiceIamPolicyArgs{...} }

type AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyMapOutput) ElementType

func (AppEngineServiceIamPolicyMapOutput) MapIndex

func (AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutput

func (o AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput

func (AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutputWithContext

func (o AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamPolicyOutput) ElementType

func (AppEngineServiceIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamPolicyOutput) PolicyData added in v6.23.0

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AppEngineServiceIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamPolicyOutput) Service added in v6.23.0

Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.

func (AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutput

func (o AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput

func (AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutputWithContext

func (o AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyState

// AppEngineServiceIamPolicyState holds the properties of an
// AppEngineServiceIamPolicy as pointer inputs. GetAppEngineServiceIamPolicy
// accepts it as the optional state used to qualify a lookup.
type AppEngineServiceIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents `member/members`, but this struct has no
	// member or role field; it presumably applies to the bindings carried in PolicyData.
	// Confirm against the upstream provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// As defined above, allUsers and allAuthenticatedUsers are not limited to one
	// organization, so a grant to either of them is effectively public.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamPolicyState) ElementType

type AppEngineVersionIamBinding

// AppEngineVersionIamBinding is the resource type for an IAM binding on an
// Identity-Aware Proxy App Engine version: one role together with the members
// it is granted to. It embeds pulumi.CustomResourceState and exposes each
// property as a Pulumi output.
type AppEngineVersionIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`. The accepted identifier
	// forms are listed in the comment on Project below, where the generated
	// documentation places them.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// As defined above, allUsers and allAuthenticatedUsers are not limited to one
	// organization, so a grant to either of them is effectively public.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached.
* `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved.
* `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create it:

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_app\_engine\_version\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

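// main attaches an IAM policy to an Identity-Aware Proxy App Engine version.
//
// iap.AppEngineVersionIamPolicy is authoritative: the policy document built here
// replaces whatever policy is already attached to the version, so every principal
// that must keep access has to appear in the bindings below.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document: one binding that grants
		// roles/iap.httpsResourceAccessor to a single user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program. Its project is used for both Project and AppId.
		//
		// PolicyData is passed with a plain pulumi.String conversion; the original
		// `*pulumi.String(...)` dereferenced a non-pointer value and does not compile.
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId:  pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}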

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

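// main attaches an IAM policy with a time-based IAM Condition to an
// Identity-Aware Proxy App Engine version.
//
// iap.AppEngineVersionIamPolicy is authoritative: the policy document built here
// replaces whatever policy is already attached to the version.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition expression only matches requests made before
		// 2020-01-01T00:00:00Z, so with this sample value the grant has already
		// expired; use a future timestamp for a real time-boxed grant.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type; the bare
					// `Condition: {` of the original does not compile.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program.
		//
		// PolicyData is passed with a plain pulumi.String conversion; the original
		// `*pulumi.String(...)` dereferenced a non-pointer value and does not compile.
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:      pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:    pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId:  pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}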

```

## google\_iap\_app\_engine\_version\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an Identity-Aware Proxy
// App Engine version to one user through an IAM binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_standard_app_version is not declared in this
		// example; presumably it stands for an App Engine version resource defined
		// elsewhere in the program. Its project is used for both AppId and Project.
		bindingArgs := &iap.AppEngineVersionIamBindingArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			// Members is the list of identities that the binding grants the role to.
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers one IAM binding, limited by an IAM Condition, on an
// IAP-protected App Engine version.
//
// AppEngineVersionIamBinding is authoritative for its role: it grants the role
// to the listed members, and other roles in the version's policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The provider treats role + title + description + expression as the
		// identifier of the binding, so edit the condition here rather than
		// out-of-band.
		//
		// Replace the sample timestamp with the expiry you intend; a timestamp
		// that has already passed makes the expression false for every request.
		expiry := &iap.AppEngineVersionIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}

		// google_app_engine_standard_app_version.Version is not declared in this
		// snippet; presumably an App Engine version resource defined elsewhere.
		bindingArgs := &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members:   pulumi.StringArray{pulumi.String("user:jane@example.com")},
			Condition: expiry,
		}

		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_app\_engine\_version\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants one role to one member on an IAP-protected App Engine version.
//
// AppEngineVersionIamMember is non-authoritative: other members already
// holding the role on the version are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_app_engine_standard_app_version.Version is not declared in this
		// snippet; presumably an App Engine version resource defined elsewhere.
		memberArgs := &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		}

		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants one role to one member, limited by an IAM Condition, on an
// IAP-protected App Engine version.
//
// AppEngineVersionIamMember is non-authoritative: other members already
// holding the role on the version are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Replace the sample timestamp with the expiry you intend; a timestamp
		// that has already passed makes the expression false for every request.
		expiry := &iap.AppEngineVersionIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}

		// google_app_engine_standard_app_version.Version is not declared in this
		// snippet; presumably an App Engine version resource defined elsewhere.
		memberArgs := &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}

		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}
* {{project}}/{{appId}}/{{service}}/{{versionId}}
* {{appId}}/{{service}}/{{versionId}}
* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamBinding

func GetAppEngineVersionIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamBindingState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamBinding, error)

GetAppEngineVersionIamBinding gets an existing AppEngineVersionIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamBinding

func NewAppEngineVersionIamBinding(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamBindingArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamBinding, error)

NewAppEngineVersionIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamBinding) ElementType

func (*AppEngineVersionIamBinding) ElementType() reflect.Type

func (*AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutput

func (i *AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput

func (*AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutputWithContext

func (i *AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput

type AppEngineVersionIamBindingArgs

// AppEngineVersionIamBindingArgs is the set of arguments for constructing an
// AppEngineVersionIamBinding resource.
type AppEngineVersionIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrInput
	// (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not restricted to identities you manage;
	// confirm that any binding listing them is intended.
	Members   pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamBinding resource.

func (AppEngineVersionIamBindingArgs) ElementType

type AppEngineVersionIamBindingArray

// AppEngineVersionIamBindingArray is a slice of AppEngineVersionIamBindingInput values.
type AppEngineVersionIamBindingArray []AppEngineVersionIamBindingInput

func (AppEngineVersionIamBindingArray) ElementType

func (AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutput

func (i AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput

func (AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutputWithContext

func (i AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutputWithContext(ctx context.Context) AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingArrayInput

// AppEngineVersionIamBindingArrayInput is an input type that accepts
// AppEngineVersionIamBindingArray and AppEngineVersionIamBindingArrayOutput values.
type AppEngineVersionIamBindingArrayInput interface {
	pulumi.Input

	// Both methods return the value as an AppEngineVersionIamBindingArrayOutput;
	// the second form also takes a context.Context.
	ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput
	ToAppEngineVersionIamBindingArrayOutputWithContext(context.Context) AppEngineVersionIamBindingArrayOutput
}

AppEngineVersionIamBindingArrayInput is an input type that accepts AppEngineVersionIamBindingArray and AppEngineVersionIamBindingArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingArrayInput` via:

AppEngineVersionIamBindingArray{ AppEngineVersionIamBindingArgs{...} }

type AppEngineVersionIamBindingArrayOutput

// AppEngineVersionIamBindingArrayOutput is the output type for AppEngineVersionIamBindingArray
// values; it embeds *pulumi.OutputState.
type AppEngineVersionIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingArrayOutput) ElementType

func (AppEngineVersionIamBindingArrayOutput) Index

func (AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutput

func (o AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput

func (AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutputWithContext

func (o AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutputWithContext(ctx context.Context) AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingCondition

// AppEngineVersionIamBindingCondition holds the title, optional description and
// expression of the IAM Condition attached to a binding.
//
// The provider uses `role` together with all three fields as the identifier for
// the binding, so changing any of them out-of-band makes the provider treat the
// binding as a different resource.
type AppEngineVersionIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineVersionIamBindingConditionArgs

// AppEngineVersionIamBindingConditionArgs is the input form of the IAM Condition
// attached to a binding: a title, an optional description and an expression.
//
// The provider uses `role` together with all three fields as the identifier for
// the binding, so changing any of them out-of-band makes the provider treat the
// binding as a different resource.
type AppEngineVersionIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineVersionIamBindingConditionArgs) ElementType

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutput

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutputWithContext

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutput

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutputWithContext

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionInput

// AppEngineVersionIamBindingConditionInput is an input type that accepts
// AppEngineVersionIamBindingConditionArgs and AppEngineVersionIamBindingConditionOutput values.
type AppEngineVersionIamBindingConditionInput interface {
	pulumi.Input

	// Both methods return the value as an AppEngineVersionIamBindingConditionOutput;
	// the second form also takes a context.Context.
	ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput
	ToAppEngineVersionIamBindingConditionOutputWithContext(context.Context) AppEngineVersionIamBindingConditionOutput
}

AppEngineVersionIamBindingConditionInput is an input type that accepts AppEngineVersionIamBindingConditionArgs and AppEngineVersionIamBindingConditionOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingConditionInput` via:

AppEngineVersionIamBindingConditionArgs{...}

type AppEngineVersionIamBindingConditionOutput

// AppEngineVersionIamBindingConditionOutput is the output type for an
// AppEngineVersionIamBindingCondition; it embeds *pulumi.OutputState.
type AppEngineVersionIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamBindingConditionOutput) ElementType

func (AppEngineVersionIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutput

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutputWithContext

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutput

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionPtrInput

// AppEngineVersionIamBindingConditionPtrInput is an input type that accepts
// AppEngineVersionIamBindingConditionArgs, AppEngineVersionIamBindingConditionPtr
// and AppEngineVersionIamBindingConditionPtrOutput values; nil is also accepted
// when no condition is set.
type AppEngineVersionIamBindingConditionPtrInput interface {
	pulumi.Input

	// Both methods return the value as an AppEngineVersionIamBindingConditionPtrOutput;
	// the second form also takes a context.Context.
	ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput
	ToAppEngineVersionIamBindingConditionPtrOutputWithContext(context.Context) AppEngineVersionIamBindingConditionPtrOutput
}

AppEngineVersionIamBindingConditionPtrInput is an input type that accepts AppEngineVersionIamBindingConditionArgs, AppEngineVersionIamBindingConditionPtr and AppEngineVersionIamBindingConditionPtrOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingConditionPtrInput` via:

        AppEngineVersionIamBindingConditionArgs{...}

or:

        nil

type AppEngineVersionIamBindingConditionPtrOutput

// AppEngineVersionIamBindingConditionPtrOutput is the output type for an optional
// binding condition; it embeds *pulumi.OutputState.
type AppEngineVersionIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamBindingConditionPtrOutput) Elem

func (AppEngineVersionIamBindingConditionPtrOutput) ElementType

func (AppEngineVersionIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutput

func (o AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext

func (o AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingInput

// AppEngineVersionIamBindingInput is an input type whose values can be converted
// to an AppEngineVersionIamBindingOutput.
type AppEngineVersionIamBindingInput interface {
	pulumi.Input

	// Both methods return the value as an AppEngineVersionIamBindingOutput;
	// the second form also takes a context.Context.
	ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput
	ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput
}

type AppEngineVersionIamBindingMap

// AppEngineVersionIamBindingMap maps string keys to AppEngineVersionIamBindingInput values.
type AppEngineVersionIamBindingMap map[string]AppEngineVersionIamBindingInput

func (AppEngineVersionIamBindingMap) ElementType

func (AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutput

func (i AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput

func (AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutputWithContext

func (i AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutputWithContext(ctx context.Context) AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingMapInput

// AppEngineVersionIamBindingMapInput is an input type that accepts
// AppEngineVersionIamBindingMap and AppEngineVersionIamBindingMapOutput values.
type AppEngineVersionIamBindingMapInput interface {
	pulumi.Input

	// Both methods return the value as an AppEngineVersionIamBindingMapOutput;
	// the second form also takes a context.Context.
	ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput
	ToAppEngineVersionIamBindingMapOutputWithContext(context.Context) AppEngineVersionIamBindingMapOutput
}

AppEngineVersionIamBindingMapInput is an input type that accepts AppEngineVersionIamBindingMap and AppEngineVersionIamBindingMapOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingMapInput` via:

AppEngineVersionIamBindingMap{ "key": AppEngineVersionIamBindingArgs{...} }

type AppEngineVersionIamBindingMapOutput

// AppEngineVersionIamBindingMapOutput is the output type for AppEngineVersionIamBindingMap
// values; it embeds *pulumi.OutputState.
type AppEngineVersionIamBindingMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingMapOutput) ElementType

func (AppEngineVersionIamBindingMapOutput) MapIndex

func (AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutput

func (o AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput

func (AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutputWithContext

func (o AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutputWithContext(ctx context.Context) AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingOutput

// AppEngineVersionIamBindingOutput is the output type for an AppEngineVersionIamBinding
// resource; it embeds *pulumi.OutputState.
type AppEngineVersionIamBindingOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineVersionIamBindingOutput) ElementType

func (AppEngineVersionIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamBindingOutput) Members added in v6.23.0

func (AppEngineVersionIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineVersionIamBindingOutput) Service added in v6.23.0

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutput

func (o AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutputWithContext

func (o AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingOutput) VersionId added in v6.23.0

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamBindingState

// AppEngineVersionIamBindingState is the optional set of state properties passed to
// GetAppEngineVersionIamBinding to qualify the lookup of an existing resource.
type AppEngineVersionIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not restricted to identities you manage;
	// confirm that any binding listing them is intended.
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringPtrInput
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamBindingState) ElementType

type AppEngineVersionIamMember

// AppEngineVersionIamMember is the non-authoritative IAM resource for an
// Identity-Aware Proxy App Engine version: it grants a role to one member and
// preserves the other members of that role.
type AppEngineVersionIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	// Identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not restricted to identities you manage;
	// confirm that any grant naming them is intended.
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached.
* `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved.
* `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_app\_engine\_version\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

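// main builds IAM policy data with one binding and attaches it to an
// IAP-protected App Engine version.
//
// AppEngineVersionIamPolicy is authoritative: it sets the whole IAM policy for
// the version and replaces any policy already attached, so it cannot be
// combined with AppEngineVersionIamBinding or AppEngineVersionIamMember on the
// same version.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the desired bindings into policy data.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}

		// google_app_engine_standard_app_version.Version is not declared in this
		// snippet; presumably an App Engine version resource defined elsewhere.
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			// pulumi.String(...) is a conversion that yields a value, not a
			// pointer, so it must not be dereferenced with '*'.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}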

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

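// main declares an authoritative IAP IAM policy for a single App Engine
// version, with an IAM Condition attached to the binding.
//
// google_app_engine_standard_app_version.Version is not declared in this
// snippet; it stands in for an App Engine standard app version resource
// defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicitly typed composite
					// literal; only slice and map elements may elide the type.
					// The sample cut-off below is in the past, so as written
					// the condition no longer evaluates to true; use a future
					// timestamp in a real configuration.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// AppEngineVersionIamPolicy is authoritative: it replaces any policy
		// already attached to the version, so every binding that must remain
		// in force has to appear in the lookup above.
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			// admin.PolicyData is a plain string: convert it with
			// pulumi.String rather than dereferencing the conversion.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}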

```

## google\_iap\_app\_engine\_version\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on one App Engine version to a
// list of members. The binding is authoritative for that role only; other
// roles in the version's IAM policy are preserved.
//
// google_app_engine_standard_app_version.Version is not declared in this
// snippet; it stands in for an App Engine standard app version resource
// defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		version := google_app_engine_standard_app_version.Version
		args := &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", args)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on one App Engine version to a
// list of members, restricted by an IAM Condition. The binding is
// authoritative for that role only.
//
// google_app_engine_standard_app_version.Version is not declared in this
// snippet; it stands in for an App Engine standard app version resource
// defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		version := google_app_engine_standard_app_version.Version
		// The sample cut-off is in the past, so as written the condition no
		// longer evaluates to true; use a future timestamp in a real
		// configuration.
		expiry := &iap.AppEngineVersionIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		args := &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Condition: expiry,
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", args)
		return err
	})
}

```

## google\_iap\_app\_engine\_version\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on one App Engine version to a
// single member. The grant is non-authoritative: other members already holding
// the role on the version are preserved.
//
// google_app_engine_standard_app_version.Version is not declared in this
// snippet; it stands in for an App Engine standard app version resource
// defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		version := google_app_engine_standard_app_version.Version
		args := &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", args)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on one App Engine version to a
// single member, restricted by an IAM Condition. The grant is
// non-authoritative: other members of the role are preserved.
//
// google_app_engine_standard_app_version.Version is not declared in this
// snippet; it stands in for an App Engine standard app version resource
// defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		version := google_app_engine_standard_app_version.Version
		// The provider identifies the binding by role plus the condition's
		// title, description and expression, so changing any of them
		// out-of-band makes it look like a different resource. The sample
		// cut-off is also in the past; use a future timestamp in a real
		// configuration.
		expiry := &iap.AppEngineVersionIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		args := &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.Version_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", args)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}
* {{project}}/{{appId}}/{{service}}/{{versionId}}
* {{appId}}/{{service}}/{{versionId}}
* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

```

-> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamMember

func GetAppEngineVersionIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamMemberState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamMember, error)

GetAppEngineVersionIamMember gets an existing AppEngineVersionIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamMember

func NewAppEngineVersionIamMember(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamMemberArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamMember, error)

NewAppEngineVersionIamMember registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamMember) ElementType

func (*AppEngineVersionIamMember) ElementType() reflect.Type

func (*AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutput

func (i *AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput

func (*AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutputWithContext

func (i *AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput

type AppEngineVersionIamMemberArgs

// AppEngineVersionIamMemberArgs is the set of arguments for constructing an
// AppEngineVersionIamMember resource.
type AppEngineVersionIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrInput
	// (Required) The identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to your organization:
	// a role granted to either is granted to every identity they cover, so
	// review such grants before applying them.
	Member    pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringInput
}

The set of arguments for constructing an AppEngineVersionIamMember resource.

func (AppEngineVersionIamMemberArgs) ElementType

type AppEngineVersionIamMemberArray

type AppEngineVersionIamMemberArray []AppEngineVersionIamMemberInput

func (AppEngineVersionIamMemberArray) ElementType

func (AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutput

func (i AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput

func (AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutputWithContext

func (i AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutputWithContext(ctx context.Context) AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberArrayInput

// AppEngineVersionIamMemberArrayInput is an input type that accepts
// AppEngineVersionIamMemberArray and AppEngineVersionIamMemberArrayOutput
// values.
type AppEngineVersionIamMemberArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput
	ToAppEngineVersionIamMemberArrayOutputWithContext(context.Context) AppEngineVersionIamMemberArrayOutput
}

AppEngineVersionIamMemberArrayInput is an input type that accepts AppEngineVersionIamMemberArray and AppEngineVersionIamMemberArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberArrayInput` via:

AppEngineVersionIamMemberArray{ AppEngineVersionIamMemberArgs{...} }

type AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberArrayOutput) ElementType

func (AppEngineVersionIamMemberArrayOutput) Index

func (AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutput

func (o AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput

func (AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutputWithContext

func (o AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutputWithContext(ctx context.Context) AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberCondition

// AppEngineVersionIamMemberCondition holds the title, description and
// expression of an IAM Condition attached to a member binding.
//
// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
// consider it to be an entirely different resource and will treat it as such.
type AppEngineVersionIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineVersionIamMemberConditionArgs

// AppEngineVersionIamMemberConditionArgs is the input form of an IAM Condition
// for a member binding: title, description and expression as Pulumi inputs.
//
// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
// consider it to be an entirely different resource and will treat it as such.
type AppEngineVersionIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineVersionIamMemberConditionArgs) ElementType

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutput

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutputWithContext

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutput

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutputWithContext

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionInput

// AppEngineVersionIamMemberConditionInput is an input type that accepts
// AppEngineVersionIamMemberConditionArgs and
// AppEngineVersionIamMemberConditionOutput values.
type AppEngineVersionIamMemberConditionInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput
	ToAppEngineVersionIamMemberConditionOutputWithContext(context.Context) AppEngineVersionIamMemberConditionOutput
}

AppEngineVersionIamMemberConditionInput is an input type that accepts AppEngineVersionIamMemberConditionArgs and AppEngineVersionIamMemberConditionOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberConditionInput` via:

AppEngineVersionIamMemberConditionArgs{...}

type AppEngineVersionIamMemberConditionOutput

type AppEngineVersionIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamMemberConditionOutput) ElementType

func (AppEngineVersionIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutput

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutputWithContext

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutput

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionPtrInput

// AppEngineVersionIamMemberConditionPtrInput is an input type that accepts
// AppEngineVersionIamMemberConditionArgs, AppEngineVersionIamMemberConditionPtr
// and AppEngineVersionIamMemberConditionPtrOutput values; nil is also accepted
// when no condition is set.
type AppEngineVersionIamMemberConditionPtrInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput
	ToAppEngineVersionIamMemberConditionPtrOutputWithContext(context.Context) AppEngineVersionIamMemberConditionPtrOutput
}

AppEngineVersionIamMemberConditionPtrInput is an input type that accepts AppEngineVersionIamMemberConditionArgs, AppEngineVersionIamMemberConditionPtr and AppEngineVersionIamMemberConditionPtrOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberConditionPtrInput` via:

        AppEngineVersionIamMemberConditionArgs{...}

or:

        nil

type AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamMemberConditionPtrOutput) Elem

func (AppEngineVersionIamMemberConditionPtrOutput) ElementType

func (AppEngineVersionIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutput

func (o AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext

func (o AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberInput

// AppEngineVersionIamMemberInput is a Pulumi input that can be converted to an
// AppEngineVersionIamMemberOutput, with or without an explicit context.
type AppEngineVersionIamMemberInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput
	ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput
}

type AppEngineVersionIamMemberMap

type AppEngineVersionIamMemberMap map[string]AppEngineVersionIamMemberInput

func (AppEngineVersionIamMemberMap) ElementType

func (AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutput

func (i AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput

func (AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutputWithContext

func (i AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutputWithContext(ctx context.Context) AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberMapInput

// AppEngineVersionIamMemberMapInput is an input type that accepts
// AppEngineVersionIamMemberMap and AppEngineVersionIamMemberMapOutput values.
type AppEngineVersionIamMemberMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput
	ToAppEngineVersionIamMemberMapOutputWithContext(context.Context) AppEngineVersionIamMemberMapOutput
}

AppEngineVersionIamMemberMapInput is an input type that accepts AppEngineVersionIamMemberMap and AppEngineVersionIamMemberMapOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberMapInput` via:

AppEngineVersionIamMemberMap{ "key": AppEngineVersionIamMemberArgs{...} }

type AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberMapOutput) ElementType

func (AppEngineVersionIamMemberMapOutput) MapIndex

func (AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutput

func (o AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput

func (AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutputWithContext

func (o AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutputWithContext(ctx context.Context) AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberOutput

type AppEngineVersionIamMemberOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineVersionIamMemberOutput) ElementType

func (AppEngineVersionIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamMemberOutput) Member added in v6.23.0

func (AppEngineVersionIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineVersionIamMemberOutput) Service added in v6.23.0

Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.

func (AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutput

func (o AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutputWithContext

func (o AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberOutput) VersionId added in v6.23.0

Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.

type AppEngineVersionIamMemberState

// AppEngineVersionIamMemberState holds the optional state properties of an
// AppEngineVersionIamMember; every field is a pointer-style input and may be
// left unset.
type AppEngineVersionIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	// The identity that is granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to your organization:
	// a role granted to either is granted to every identity they cover, so
	// review such grants before applying them.
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringPtrInput
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamMemberState) ElementType

type AppEngineVersionIamPolicy

// AppEngineVersionIamPolicy is the authoritative IAM policy resource for an
// Identity-Aware Proxy App Engine version: it sets the policy for the version
// and replaces any existing policy already attached. It cannot be used together
// with iap.AppEngineVersionIamBinding or iap.AppEngineVersionIamMember on the
// same version.
type AppEngineVersionIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes member identities, not the
	// project. This struct has no member field; presumably the identities are
	// carried inside PolicyData — confirm against the provider docs.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached.
* `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved.
* `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create it:

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_app\_engine\_version\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

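// main attaches an authoritative IAM policy to an IAP-protected App Engine version.
//
// The policy document is produced by organizations.LookupIAMPolicy and passed to
// iap.NewAppEngineVersionIamPolicy as PolicyData. This page describes the policy
// resource as authoritative: it replaces any policy already attached, so every
// binding that must remain has to be listed in the lookup below.
//
// NOTE(review): google_app_engine_standard_app_version.Version is not declared in
// this example; it presumably stands for an App Engine version resource defined
// elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			// pulumi.String(...) is a conversion that yields a value, not a pointer,
			// so it must not be dereferenced with '*'.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}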

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

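// main attaches an authoritative IAM policy, with a time-bound IAM Condition, to an
// IAP-protected App Engine version.
//
// The policy document is produced by organizations.LookupIAMPolicy and passed to
// iap.NewAppEngineVersionIamPolicy as PolicyData. This page describes the policy
// resource as authoritative: it replaces any policy already attached.
//
// NOTE(review): google_app_engine_standard_app_version.Version is not declared in
// this example; it presumably stands for an App Engine version resource defined
// elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicitly typed composite literal;
					// a bare "{...}" is only allowed for slice, array and map elements.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						// The sample cut-off (2020-01-01) predates this page's publication
						// date; use a future timestamp when adapting the example.
						Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
			// pulumi.String(...) is a conversion that yields a value, not a pointer,
			// so it must not be dereferenced with '*'.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}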

```

## google\_iap\_app\_engine\_version\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an App Engine version to a list of
// members through iap.NewAppEngineVersionIamBinding.
//
// This page describes the binding resource as authoritative for the given role:
// the Members list is the complete membership of that role on the version.
//
// NOTE(review): google_app_engine_standard_app_version.Version is not declared in
// this example; it presumably refers to a resource defined elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &iap.AppEngineVersionIamBindingArgs{
			AppId: pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
		}
		// The created resource is not used further; only the error is propagated.
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an App Engine version to a list of
// members, restricted by a time-bound IAM Condition.
//
// This page describes the binding resource as authoritative for the given role.
//
// NOTE(review): google_app_engine_standard_app_version.Version is not declared in
// this example; it presumably refers to a resource defined elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample cut-off (2020-01-01) predates this page's publication date;
		// use a future timestamp when adapting the example.
		expiry := &iap.AppEngineVersionIamBindingConditionArgs{
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			Title:       pulumi.String("expires_after_2019_12_31"),
		}
		bindingArgs := &iap.AppEngineVersionIamBindingArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Condition: expiry,
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
		}
		// The created resource is not used further; only the error is propagated.
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_app\_engine\_version\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an App Engine version to a single
// member through iap.NewAppEngineVersionIamMember.
//
// This page describes the member resource as non-authoritative: other members of
// the role on the version are preserved.
//
// NOTE(review): google_app_engine_standard_app_version.Version is not declared in
// this example; it presumably refers to a resource defined elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &iap.AppEngineVersionIamMemberArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Member:    pulumi.String("user:jane@example.com"),
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
		}
		// The created resource is not used further; only the error is propagated.
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an App Engine version to a single
// member, restricted by a time-bound IAM Condition.
//
// This page describes the member resource as non-authoritative: other members of
// the role on the version are preserved.
//
// NOTE(review): google_app_engine_standard_app_version.Version is not declared in
// this example; it presumably refers to a resource defined elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample cut-off (2020-01-01) predates this page's publication date;
		// use a future timestamp when adapting the example.
		expiry := &iap.AppEngineVersionIamMemberConditionArgs{
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			Title:       pulumi.String("expires_after_2019_12_31"),
		}
		memberArgs := &iap.AppEngineVersionIamMemberArgs{
			AppId:     pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Condition: expiry,
			Member:    pulumi.String("user:jane@example.com"),
			Project:   pulumi.Any(google_app_engine_standard_app_version.Version.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Service:   pulumi.Any(google_app_engine_standard_app_version.Version.Service),
			VersionId: pulumi.Any(google_app_engine_standard_app_version.Version.Version_id),
		}
		// The created resource is not used further; only the error is propagated.
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}
* {{project}}/{{appId}}/{{service}}/{{versionId}}
* {{appId}}/{{service}}/{{versionId}}
* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamPolicy

func GetAppEngineVersionIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamPolicyState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamPolicy, error)

GetAppEngineVersionIamPolicy gets an existing AppEngineVersionIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamPolicy

func NewAppEngineVersionIamPolicy(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamPolicyArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamPolicy, error)

NewAppEngineVersionIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamPolicy) ElementType

func (*AppEngineVersionIamPolicy) ElementType() reflect.Type

func (*AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutput

func (i *AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput

func (*AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutputWithContext

func (i *AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput

type AppEngineVersionIamPolicyArgs

// AppEngineVersionIamPolicyArgs is the set of arguments for constructing an
// AppEngineVersionIamPolicy resource.
//
// This page describes AppEngineVersionIamPolicy as authoritative: it sets the IAM
// policy for the appengineversion and replaces any existing policy already
// attached, so PolicyData should list every binding that is meant to remain.
type AppEngineVersionIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents `member/members` identities, not the
	// project; this struct has no member field, so the identities presumably apply
	// to the bindings carried in PolicyData — confirm against the upstream docs.
	// allUsers and allAuthenticatedUsers extend a grant to principals outside your
	// organization; prefer specific user, group or serviceAccount members unless
	// public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamPolicy resource.

func (AppEngineVersionIamPolicyArgs) ElementType

type AppEngineVersionIamPolicyArray

type AppEngineVersionIamPolicyArray []AppEngineVersionIamPolicyInput

func (AppEngineVersionIamPolicyArray) ElementType

func (AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutput

func (i AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput

func (AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutputWithContext

func (i AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyArrayInput

type AppEngineVersionIamPolicyArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput
	ToAppEngineVersionIamPolicyArrayOutputWithContext(context.Context) AppEngineVersionIamPolicyArrayOutput
}

AppEngineVersionIamPolicyArrayInput is an input type that accepts AppEngineVersionIamPolicyArray and AppEngineVersionIamPolicyArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamPolicyArrayInput` via:

AppEngineVersionIamPolicyArray{ AppEngineVersionIamPolicyArgs{...} }

type AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyArrayOutput) ElementType

func (AppEngineVersionIamPolicyArrayOutput) Index

func (AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutput

func (o AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput

func (AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutputWithContext

func (o AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyInput

type AppEngineVersionIamPolicyInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput
	ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput
}

type AppEngineVersionIamPolicyMap

type AppEngineVersionIamPolicyMap map[string]AppEngineVersionIamPolicyInput

func (AppEngineVersionIamPolicyMap) ElementType

func (AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutput

func (i AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput

func (AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutputWithContext

func (i AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyMapInput

type AppEngineVersionIamPolicyMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput
	ToAppEngineVersionIamPolicyMapOutputWithContext(context.Context) AppEngineVersionIamPolicyMapOutput
}

AppEngineVersionIamPolicyMapInput is an input type that accepts AppEngineVersionIamPolicyMap and AppEngineVersionIamPolicyMapOutput values. You can construct a concrete instance of `AppEngineVersionIamPolicyMapInput` via:

AppEngineVersionIamPolicyMap{ "key": AppEngineVersionIamPolicyArgs{...} }

type AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyMapOutput) ElementType

func (AppEngineVersionIamPolicyMapOutput) MapIndex

func (AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutput

func (o AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput

func (AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutputWithContext

func (o AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyOutput

type AppEngineVersionIamPolicyOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamPolicyOutput) ElementType

func (AppEngineVersionIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamPolicyOutput) PolicyData added in v6.23.0

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AppEngineVersionIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamPolicyOutput) Service added in v6.23.0

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutput

func (o AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutputWithContext

func (o AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyOutput) VersionId added in v6.23.0

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamPolicyState

// AppEngineVersionIamPolicyState holds the optional state properties accepted by
// GetAppEngineVersionIamPolicy to qualify the lookup of an existing
// AppEngineVersionIamPolicy resource. Every field is a pointer-style input and may
// be left unset.
type AppEngineVersionIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents `member/members` identities, not the
	// project; this struct has no member field, so the identities presumably apply
	// to the bindings carried in PolicyData — confirm against the upstream docs.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringPtrInput
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamPolicyState) ElementType

type Brand

// Brand is the resource type returned by NewBrand and GetBrand; its fields are the
// output properties of an IAP brand (the application title and support email
// displayed on the OAuth consent screen).
type Brand struct {
	pulumi.CustomResourceState

	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringOutput `pulumi:"applicationTitle"`
	// Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}`
	// NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing.
	// NOTE: The brand identification corresponds to the project number as only one
	// brand can be created per project.
	Name pulumi.StringOutput `pulumi:"name"`
	// Whether the brand is intended for usage inside the GSuite organization only.
	OrgInternalOnly pulumi.BoolOutput `pulumi:"orgInternalOnly"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringOutput `pulumi:"supportEmail"`
}

## Example Usage

### Iap Brand

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main creates a project, enables the IAP API on it, and registers an IAP brand
// for that project.
//
// The brand takes its project from the enabled service's Project output, so the
// brand is only declared after the API enablement resource.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project that will own the brand.
		proj, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
			ProjectId: pulumi.String("my-project"),
			OrgId:     pulumi.String("123456789"),
		})
		if err != nil {
			return err
		}

		// Enable the IAP API on the new project.
		iapAPI, err := projects.NewService(ctx, "projectService", &projects.ServiceArgs{
			Project: proj.ProjectId,
			Service: pulumi.String("iap.googleapis.com"),
		})
		if err != nil {
			return err
		}

		// OAuth consent-screen settings for the brand.
		brandArgs := &iap.BrandArgs{
			SupportEmail:     pulumi.String("support@example.com"),
			ApplicationTitle: pulumi.String("Cloud IAP protected Application"),
			Project:          iapAPI.Project,
		}
		if _, err := iap.NewBrand(ctx, "projectBrand", brandArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Brand can be imported using any of these accepted formats

```sh

$ pulumi import gcp:iap/brand:Brand default projects/{{project_id}}/brands/{{brand_id}}

```

```sh

$ pulumi import gcp:iap/brand:Brand default projects/{{project_number}}/brands/{{brand_id}}

```

```sh

$ pulumi import gcp:iap/brand:Brand default {{project_number}}/{{brand_id}}

```

func GetBrand

func GetBrand(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *BrandState, opts ...pulumi.ResourceOption) (*Brand, error)

GetBrand gets an existing Brand resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewBrand

func NewBrand(ctx *pulumi.Context,
	name string, args *BrandArgs, opts ...pulumi.ResourceOption) (*Brand, error)

NewBrand registers a new resource with the given unique name, arguments, and options.

func (*Brand) ElementType

func (*Brand) ElementType() reflect.Type

func (*Brand) ToBrandOutput

func (i *Brand) ToBrandOutput() BrandOutput

func (*Brand) ToBrandOutputWithContext

func (i *Brand) ToBrandOutputWithContext(ctx context.Context) BrandOutput

type BrandArgs

// BrandArgs is the set of arguments for constructing a Brand resource.
type BrandArgs struct {
	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringInput
}

The set of arguments for constructing a Brand resource.

func (BrandArgs) ElementType

func (BrandArgs) ElementType() reflect.Type

type BrandArray

type BrandArray []BrandInput

func (BrandArray) ElementType

func (BrandArray) ElementType() reflect.Type

func (BrandArray) ToBrandArrayOutput

func (i BrandArray) ToBrandArrayOutput() BrandArrayOutput

func (BrandArray) ToBrandArrayOutputWithContext

func (i BrandArray) ToBrandArrayOutputWithContext(ctx context.Context) BrandArrayOutput

type BrandArrayInput

type BrandArrayInput interface {
	pulumi.Input

	ToBrandArrayOutput() BrandArrayOutput
	ToBrandArrayOutputWithContext(context.Context) BrandArrayOutput
}

BrandArrayInput is an input type that accepts BrandArray and BrandArrayOutput values. You can construct a concrete instance of `BrandArrayInput` via:

BrandArray{ BrandArgs{...} }

type BrandArrayOutput

type BrandArrayOutput struct{ *pulumi.OutputState }

func (BrandArrayOutput) ElementType

func (BrandArrayOutput) ElementType() reflect.Type

func (BrandArrayOutput) Index

func (BrandArrayOutput) ToBrandArrayOutput

func (o BrandArrayOutput) ToBrandArrayOutput() BrandArrayOutput

func (BrandArrayOutput) ToBrandArrayOutputWithContext

func (o BrandArrayOutput) ToBrandArrayOutputWithContext(ctx context.Context) BrandArrayOutput

type BrandInput

type BrandInput interface {
	pulumi.Input

	ToBrandOutput() BrandOutput
	ToBrandOutputWithContext(ctx context.Context) BrandOutput
}

type BrandMap

type BrandMap map[string]BrandInput

func (BrandMap) ElementType

func (BrandMap) ElementType() reflect.Type

func (BrandMap) ToBrandMapOutput

func (i BrandMap) ToBrandMapOutput() BrandMapOutput

func (BrandMap) ToBrandMapOutputWithContext

func (i BrandMap) ToBrandMapOutputWithContext(ctx context.Context) BrandMapOutput

type BrandMapInput

type BrandMapInput interface {
	pulumi.Input

	ToBrandMapOutput() BrandMapOutput
	ToBrandMapOutputWithContext(context.Context) BrandMapOutput
}

BrandMapInput is an input type that accepts BrandMap and BrandMapOutput values. You can construct a concrete instance of `BrandMapInput` via:

BrandMap{ "key": BrandArgs{...} }

type BrandMapOutput

type BrandMapOutput struct{ *pulumi.OutputState }

func (BrandMapOutput) ElementType

func (BrandMapOutput) ElementType() reflect.Type

func (BrandMapOutput) MapIndex

func (BrandMapOutput) ToBrandMapOutput

func (o BrandMapOutput) ToBrandMapOutput() BrandMapOutput

func (BrandMapOutput) ToBrandMapOutputWithContext

func (o BrandMapOutput) ToBrandMapOutputWithContext(ctx context.Context) BrandMapOutput

type BrandOutput

type BrandOutput struct{ *pulumi.OutputState }

func (BrandOutput) ApplicationTitle added in v6.23.0

func (o BrandOutput) ApplicationTitle() pulumi.StringOutput

Application name displayed on OAuth consent screen.

***

func (BrandOutput) ElementType

func (BrandOutput) ElementType() reflect.Type

func (BrandOutput) Name added in v6.23.0

func (o BrandOutput) Name() pulumi.StringOutput

Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}` NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing. NOTE: The brand identification corresponds to the project number as only one brand can be created per project.

func (BrandOutput) OrgInternalOnly added in v6.23.0

func (o BrandOutput) OrgInternalOnly() pulumi.BoolOutput

Whether the brand is intended for usage inside the GSuite organization only.

func (BrandOutput) Project added in v6.23.0

func (o BrandOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

func (BrandOutput) SupportEmail added in v6.23.0

func (o BrandOutput) SupportEmail() pulumi.StringOutput

Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

func (BrandOutput) ToBrandOutput

func (o BrandOutput) ToBrandOutput() BrandOutput

func (BrandOutput) ToBrandOutputWithContext

func (o BrandOutput) ToBrandOutputWithContext(ctx context.Context) BrandOutput

type BrandState

// BrandState holds the optional state properties accepted by GetBrand to qualify
// the lookup of an existing Brand resource. Every field is a pointer-style input
// and may be left unset.
type BrandState struct {
	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringPtrInput
	// Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}`
	// NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing.
	// NOTE: The brand identification corresponds to the project number as only one
	// brand can be created per project.
	Name pulumi.StringPtrInput
	// Whether the brand is intended for usage inside the GSuite organization only.
	OrgInternalOnly pulumi.BoolPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringPtrInput
}

func (BrandState) ElementType

func (BrandState) ElementType() reflect.Type

type Client

// Client contains the data that describes an Identity Aware Proxy owned client.
//
// The package documentation for this resource warns that all arguments, including
// `secret`, are stored in the raw state as plain text; access to the state backend
// and to exported state files should be restricted accordingly.
type Client struct {
	pulumi.CustomResourceState

	// Identifier of the brand to which this client
	// is attached. The format is
	// `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
	// NOTE(review): the format above ends in a client id, while the usage example
	// on this page passes a Brand's Name (`projects/{project_number}/brands/{brand_id}`)
	// for this field — confirm which form is expected.
	//
	// ***
	Brand pulumi.StringOutput `pulumi:"brand"`
	// The OAuth2 ID of the client.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringOutput `pulumi:"displayName"`
	// Output only. Client secret of the OAuth client.
	// **Note**: This property is sensitive and will not be displayed in the plan.
	// Hidden from the plan does not mean absent from state: see the type comment.
	Secret pulumi.StringOutput `pulumi:"secret"`
}

Contains the data that describes an Identity Aware Proxy owned client.

> **Note:** Only internal org clients can be created via declarative tools. External clients must be manually created via the GCP console. This restriction is due to the existing APIs and not lack of support in this tool.

To get more information about Client, see:

* [API documentation](https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients)
* How-to Guides

> **Warning:** All arguments including `secret` will be stored in the raw state as plain-text.

## Example Usage

### Iap Client

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	// Creates a project, enables the IAP API on it, registers the OAuth brand
	// and finally registers an IAP-owned OAuth client attached to that brand.
	// Every step returns on the first error, so nothing later is registered.
	pulumi.Run(func(ctx *pulumi.Context) error {
		projArgs := &organizations.ProjectArgs{
			ProjectId: pulumi.String("my-project"),
			OrgId:     pulumi.String("123456789"),
		}
		proj, err := organizations.NewProject(ctx, "project", projArgs)
		if err != nil {
			return err
		}

		svcArgs := &projects.ServiceArgs{
			Project: proj.ProjectId,
			Service: pulumi.String("iap.googleapis.com"),
		}
		svc, err := projects.NewService(ctx, "projectService", svcArgs)
		if err != nil {
			return err
		}

		// The brand takes its project from the service resource, not from proj directly.
		brandArgs := &iap.BrandArgs{
			SupportEmail:     pulumi.String("support@example.com"),
			ApplicationTitle: pulumi.String("Cloud IAP protected Application"),
			Project:          svc.Project,
		}
		brand, err := iap.NewBrand(ctx, "projectBrand", brandArgs)
		if err != nil {
			return err
		}

		// The resulting Client carries a Secret output (the OAuth client secret).
		// This example discards the resource and exports nothing from it.
		clientArgs := &iap.ClientArgs{
			DisplayName: pulumi.String("Test Client"),
			Brand:       brand.Name,
		}
		_, err = iap.NewClient(ctx, "projectClient", clientArgs)
		return err
	})
}

```

## Import

Client can be imported using any of these accepted formats

```sh

$ pulumi import gcp:iap/client:Client default {{brand}}/identityAwareProxyClients/{{client_id}}

```

```sh

$ pulumi import gcp:iap/client:Client default {{brand}}/{{client_id}}

```

func GetClient

func GetClient(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ClientState, opts ...pulumi.ResourceOption) (*Client, error)

GetClient gets an existing Client resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewClient

func NewClient(ctx *pulumi.Context,
	name string, args *ClientArgs, opts ...pulumi.ResourceOption) (*Client, error)

NewClient registers a new resource with the given unique name, arguments, and options.

func (*Client) ElementType

func (*Client) ElementType() reflect.Type

func (*Client) ToClientOutput

func (i *Client) ToClientOutput() ClientOutput

func (*Client) ToClientOutputWithContext

func (i *Client) ToClientOutputWithContext(ctx context.Context) ClientOutput

type ClientArgs

// ClientArgs is the set of arguments for constructing a Client resource.
type ClientArgs struct {
	// Identifier of the brand to which this client is attached. The format is
	// `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
	// NOTE(review): that format ends in a client ID, while the usage example on
	// this page passes projectBrand.Name here; confirm which form is expected.
	Brand pulumi.StringInput
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringInput
}

The set of arguments for constructing a Client resource.

func (ClientArgs) ElementType

func (ClientArgs) ElementType() reflect.Type

type ClientArray

type ClientArray []ClientInput

func (ClientArray) ElementType

func (ClientArray) ElementType() reflect.Type

func (ClientArray) ToClientArrayOutput

func (i ClientArray) ToClientArrayOutput() ClientArrayOutput

func (ClientArray) ToClientArrayOutputWithContext

func (i ClientArray) ToClientArrayOutputWithContext(ctx context.Context) ClientArrayOutput

type ClientArrayInput

// ClientArrayInput is an input type that accepts ClientArray and
// ClientArrayOutput values. A concrete instance can be constructed via
// ClientArray{ ClientArgs{...} }.
type ClientArrayInput interface {
	pulumi.Input

	ToClientArrayOutput() ClientArrayOutput
	ToClientArrayOutputWithContext(context.Context) ClientArrayOutput
}

ClientArrayInput is an input type that accepts ClientArray and ClientArrayOutput values. You can construct a concrete instance of `ClientArrayInput` via:

ClientArray{ ClientArgs{...} }

type ClientArrayOutput

type ClientArrayOutput struct{ *pulumi.OutputState }

func (ClientArrayOutput) ElementType

func (ClientArrayOutput) ElementType() reflect.Type

func (ClientArrayOutput) Index

func (ClientArrayOutput) ToClientArrayOutput

func (o ClientArrayOutput) ToClientArrayOutput() ClientArrayOutput

func (ClientArrayOutput) ToClientArrayOutputWithContext

func (o ClientArrayOutput) ToClientArrayOutputWithContext(ctx context.Context) ClientArrayOutput

type ClientInput

// ClientInput is the interface for values that can be converted to a
// ClientOutput through ToClientOutput or ToClientOutputWithContext.
type ClientInput interface {
	pulumi.Input

	ToClientOutput() ClientOutput
	ToClientOutputWithContext(ctx context.Context) ClientOutput
}

type ClientMap

type ClientMap map[string]ClientInput

func (ClientMap) ElementType

func (ClientMap) ElementType() reflect.Type

func (ClientMap) ToClientMapOutput

func (i ClientMap) ToClientMapOutput() ClientMapOutput

func (ClientMap) ToClientMapOutputWithContext

func (i ClientMap) ToClientMapOutputWithContext(ctx context.Context) ClientMapOutput

type ClientMapInput

// ClientMapInput is an input type that accepts ClientMap and ClientMapOutput
// values. A concrete instance can be constructed via
// ClientMap{ "key": ClientArgs{...} }.
type ClientMapInput interface {
	pulumi.Input

	ToClientMapOutput() ClientMapOutput
	ToClientMapOutputWithContext(context.Context) ClientMapOutput
}

ClientMapInput is an input type that accepts ClientMap and ClientMapOutput values. You can construct a concrete instance of `ClientMapInput` via:

ClientMap{ "key": ClientArgs{...} }

type ClientMapOutput

type ClientMapOutput struct{ *pulumi.OutputState }

func (ClientMapOutput) ElementType

func (ClientMapOutput) ElementType() reflect.Type

func (ClientMapOutput) MapIndex

func (ClientMapOutput) ToClientMapOutput

func (o ClientMapOutput) ToClientMapOutput() ClientMapOutput

func (ClientMapOutput) ToClientMapOutputWithContext

func (o ClientMapOutput) ToClientMapOutputWithContext(ctx context.Context) ClientMapOutput

type ClientOutput

type ClientOutput struct{ *pulumi.OutputState }

func (ClientOutput) Brand added in v6.23.0

func (o ClientOutput) Brand() pulumi.StringOutput

Identifier of the brand to which this client is attached. The format is `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.

***

func (ClientOutput) ClientId added in v6.23.0

func (o ClientOutput) ClientId() pulumi.StringOutput

The OAuth2 ID of the client.

func (ClientOutput) DisplayName added in v6.23.0

func (o ClientOutput) DisplayName() pulumi.StringOutput

Human-friendly name given to the OAuth client.

func (ClientOutput) ElementType

func (ClientOutput) ElementType() reflect.Type

func (ClientOutput) Secret added in v6.23.0

func (o ClientOutput) Secret() pulumi.StringOutput

Output only. Client secret of the OAuth client. **Note**: This property is sensitive and will not be displayed in the plan.

func (ClientOutput) ToClientOutput

func (o ClientOutput) ToClientOutput() ClientOutput

func (ClientOutput) ToClientOutputWithContext

func (o ClientOutput) ToClientOutputWithContext(ctx context.Context) ClientOutput

type ClientState

// ClientState holds the optional state properties that GetClient accepts to
// uniquely qualify the lookup of an existing Client resource.
type ClientState struct {
	// Identifier of the brand to which this client is attached. The format is
	// `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
	Brand pulumi.StringPtrInput
	// The OAuth2 ID of the client.
	ClientId pulumi.StringPtrInput
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringPtrInput
	// Output only. Client secret of the OAuth client.
	// **Note**: This property is sensitive and will not be displayed in the plan.
	// Being hidden from the plan is separate from how the value is stored; this
	// page warns that it is kept in the raw state as plain-text.
	Secret pulumi.StringPtrInput
}

func (ClientState) ElementType

func (ClientState) ElementType() reflect.Type

type GetTunnelInstanceIamPolicyArgs added in v6.59.0

// GetTunnelInstanceIamPolicyArgs is a collection of arguments for invoking
// getTunnelInstanceIamPolicy. Zone carries no description on this page;
// presumably it is the zone of Instance (TODO confirm).
type GetTunnelInstanceIamPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to.
	Instance string `pulumi:"instance"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	Zone    *string `pulumi:"zone"`
}

A collection of arguments for invoking getTunnelInstanceIamPolicy.

type GetTunnelInstanceIamPolicyOutputArgs added in v6.59.0

// GetTunnelInstanceIamPolicyOutputArgs is a collection of arguments for
// invoking getTunnelInstanceIamPolicy, expressed as pulumi inputs. Zone carries
// no description on this page; presumably it is the zone of Instance (TODO confirm).
type GetTunnelInstanceIamPolicyOutputArgs struct {
	// Used to find the parent resource to bind the IAM policy to.
	Instance pulumi.StringInput `pulumi:"instance"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	Zone    pulumi.StringPtrInput `pulumi:"zone"`
}

A collection of arguments for invoking getTunnelInstanceIamPolicy.

func (GetTunnelInstanceIamPolicyOutputArgs) ElementType added in v6.59.0

type GetTunnelInstanceIamPolicyResult added in v6.59.0

// GetTunnelInstanceIamPolicyResult is a collection of values returned by
// getTunnelInstanceIamPolicy. Instance, Project and Zone carry no description
// on this page; presumably they echo the lookup arguments (TODO confirm).
type GetTunnelInstanceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id       string `pulumi:"id"`
	Instance string `pulumi:"instance"`
	// (Required only by `iap.TunnelInstanceIAMPolicy`) The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Zone       string `pulumi:"zone"`
}

A collection of values returned by getTunnelInstanceIamPolicy.

func GetTunnelInstanceIamPolicy added in v6.59.0

func GetTunnelInstanceIamPolicy(ctx *pulumi.Context, args *GetTunnelInstanceIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetTunnelInstanceIamPolicyResult, error)

Retrieves the current IAM policy data for tunnelinstance

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	// Reads the IAM policy currently set on one IAP tunnel instance.
	// google_compute_instance.Tunnelvm is not declared anywhere in this snippet;
	// presumably it stands for a compute instance defined elsewhere.
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookup := &iap.GetTunnelInstanceIamPolicyArgs{
			Project:  pulumi.StringRef(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.StringRef(google_compute_instance.Tunnelvm.Zone),
			Instance: google_compute_instance.Tunnelvm.Name,
		}
		// The result (including PolicyData) is discarded; only the error is checked.
		if _, err := iap.GetTunnelInstanceIamPolicy(ctx, lookup, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type GetTunnelInstanceIamPolicyResultOutput added in v6.59.0

type GetTunnelInstanceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelInstanceIamPolicy.

func (GetTunnelInstanceIamPolicyResultOutput) ElementType added in v6.59.0

func (GetTunnelInstanceIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (GetTunnelInstanceIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (GetTunnelInstanceIamPolicyResultOutput) Instance added in v6.59.0

func (GetTunnelInstanceIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.TunnelInstanceIAMPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (GetTunnelInstanceIamPolicyResultOutput) Project added in v6.59.0

func (GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutput added in v6.59.0

func (o GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutput() GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutputWithContext added in v6.59.0

func (o GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutputWithContext(ctx context.Context) GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) Zone added in v6.59.0

type GetWebTypeAppEngineIamPolicyArgs added in v6.59.0

// GetWebTypeAppEngineIamPolicyArgs is a collection of arguments for invoking
// getWebTypeAppEngineIamPolicy.
type GetWebTypeAppEngineIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId string `pulumi:"appId"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeAppEngineIamPolicy.

type GetWebTypeAppEngineIamPolicyOutputArgs added in v6.59.0

// GetWebTypeAppEngineIamPolicyOutputArgs is a collection of arguments for
// invoking getWebTypeAppEngineIamPolicy, expressed as pulumi inputs.
type GetWebTypeAppEngineIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeAppEngineIamPolicy.

func (GetWebTypeAppEngineIamPolicyOutputArgs) ElementType added in v6.59.0

type GetWebTypeAppEngineIamPolicyResult added in v6.59.0

// GetWebTypeAppEngineIamPolicyResult is a collection of values returned by
// getWebTypeAppEngineIamPolicy. AppId and Project carry no description on this
// page; presumably they echo the lookup arguments (TODO confirm).
type GetWebTypeAppEngineIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebTypeAppEngingIamPolicy`) The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebTypeAppEngineIamPolicy.

func GetWebTypeAppEngineIamPolicy added in v6.59.0

func GetWebTypeAppEngineIamPolicy(ctx *pulumi.Context, args *GetWebTypeAppEngineIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetWebTypeAppEngineIamPolicyResult, error)

Retrieves the current IAM policy data for webtypeappengine

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	// Reads the IAM policy currently set on an IAP web App Engine application.
	// google_app_engine_application.App is not declared anywhere in this snippet;
	// presumably it stands for an application defined elsewhere.
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookup := &iap.GetWebTypeAppEngineIamPolicyArgs{
			Project: pulumi.StringRef(google_app_engine_application.App.Project),
			AppId:   google_app_engine_application.App.App_id,
		}
		// The result (including PolicyData) is discarded; only the error is checked.
		_, err := iap.GetWebTypeAppEngineIamPolicy(ctx, lookup, nil)
		return err
	})
}

```

type GetWebTypeAppEngineIamPolicyResultOutput added in v6.59.0

type GetWebTypeAppEngineIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebTypeAppEngineIamPolicy.

func (GetWebTypeAppEngineIamPolicyResultOutput) AppId added in v6.59.0

func (GetWebTypeAppEngineIamPolicyResultOutput) ElementType added in v6.59.0

func (GetWebTypeAppEngineIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (GetWebTypeAppEngineIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (GetWebTypeAppEngineIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.WebTypeAppEngingIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (GetWebTypeAppEngineIamPolicyResultOutput) Project added in v6.59.0

func (GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutput added in v6.59.0

func (o GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutput() GetWebTypeAppEngineIamPolicyResultOutput

func (GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutputWithContext added in v6.59.0

func (o GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutputWithContext(ctx context.Context) GetWebTypeAppEngineIamPolicyResultOutput

type LookupAppEngineServiceIamPolicyArgs added in v6.59.0

// LookupAppEngineServiceIamPolicyArgs is a collection of arguments for
// invoking getAppEngineServiceIamPolicy.
type LookupAppEngineServiceIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId string `pulumi:"appId"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service string `pulumi:"service"`
}

A collection of arguments for invoking getAppEngineServiceIamPolicy.

type LookupAppEngineServiceIamPolicyOutputArgs added in v6.59.0

// LookupAppEngineServiceIamPolicyOutputArgs is a collection of arguments for
// invoking getAppEngineServiceIamPolicy, expressed as pulumi inputs.
type LookupAppEngineServiceIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput `pulumi:"service"`
}

A collection of arguments for invoking getAppEngineServiceIamPolicy.

func (LookupAppEngineServiceIamPolicyOutputArgs) ElementType added in v6.59.0

type LookupAppEngineServiceIamPolicyResult added in v6.59.0

// LookupAppEngineServiceIamPolicyResult is a collection of values returned by
// getAppEngineServiceIamPolicy. AppId, Project and Service carry no description
// on this page; presumably they echo the lookup arguments (TODO confirm).
type LookupAppEngineServiceIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.AppEngineServiceIamPolicy`) The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Service    string `pulumi:"service"`
}

A collection of values returned by getAppEngineServiceIamPolicy.

func LookupAppEngineServiceIamPolicy added in v6.59.0

Retrieves the current IAM policy data for appengineservice

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	// Reads the IAM policy currently set on an IAP App Engine service.
	// google_app_engine_standard_app_version.Version is not declared anywhere in
	// this snippet; presumably it stands for an app version defined elsewhere.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AppId and Project are both filled from the same .Project field.
		lookup := &iap.LookupAppEngineServiceIamPolicyArgs{
			AppId:   google_app_engine_standard_app_version.Version.Project,
			Project: pulumi.StringRef(google_app_engine_standard_app_version.Version.Project),
			Service: google_app_engine_standard_app_version.Version.Service,
		}
		// The result (including PolicyData) is discarded; only the error is checked.
		if _, err := iap.LookupAppEngineServiceIamPolicy(ctx, lookup, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAppEngineServiceIamPolicyResultOutput added in v6.59.0

type LookupAppEngineServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAppEngineServiceIamPolicy.

func (LookupAppEngineServiceIamPolicyResultOutput) AppId added in v6.59.0

func (LookupAppEngineServiceIamPolicyResultOutput) ElementType added in v6.59.0

func (LookupAppEngineServiceIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (LookupAppEngineServiceIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (LookupAppEngineServiceIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.AppEngineServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAppEngineServiceIamPolicyResultOutput) Project added in v6.59.0

func (LookupAppEngineServiceIamPolicyResultOutput) Service added in v6.59.0

func (LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutput added in v6.59.0

func (o LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutput() LookupAppEngineServiceIamPolicyResultOutput

func (LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutputWithContext added in v6.59.0

func (o LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupAppEngineServiceIamPolicyResultOutput

type LookupAppEngineVersionIamPolicyArgs added in v6.59.0

// LookupAppEngineVersionIamPolicyArgs is a collection of arguments for
// invoking getAppEngineVersionIamPolicy.
type LookupAppEngineVersionIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId string `pulumi:"appId"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service string `pulumi:"service"`
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId string `pulumi:"versionId"`
}

A collection of arguments for invoking getAppEngineVersionIamPolicy.

type LookupAppEngineVersionIamPolicyOutputArgs added in v6.59.0

// LookupAppEngineVersionIamPolicyOutputArgs is a collection of arguments for
// invoking getAppEngineVersionIamPolicy, expressed as pulumi inputs.
type LookupAppEngineVersionIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Service id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	Service pulumi.StringInput `pulumi:"service"`
	// Version id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	VersionId pulumi.StringInput `pulumi:"versionId"`
}

A collection of arguments for invoking getAppEngineVersionIamPolicy.

func (LookupAppEngineVersionIamPolicyOutputArgs) ElementType added in v6.59.0

type LookupAppEngineVersionIamPolicyResult added in v6.59.0

// LookupAppEngineVersionIamPolicyResult is a collection of values returned by
// getAppEngineVersionIamPolicy. AppId, Project, Service and VersionId carry no
// description on this page; presumably they echo the lookup arguments (TODO confirm).
type LookupAppEngineVersionIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.AppEngineVersionIamPolicy`) The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Service    string `pulumi:"service"`
	VersionId  string `pulumi:"versionId"`
}

A collection of values returned by getAppEngineVersionIamPolicy.

func LookupAppEngineVersionIamPolicy added in v6.59.0

Retrieves the current IAM policy data for appengineversion

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	// Reads the IAM policy currently set on an IAP App Engine version.
	// google_app_engine_standard_app_version.Version is not declared anywhere in
	// this snippet; presumably it stands for an app version defined elsewhere.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AppId and Project are both filled from the same .Project field.
		lookup := &iap.LookupAppEngineVersionIamPolicyArgs{
			AppId:     google_app_engine_standard_app_version.Version.Project,
			Project:   pulumi.StringRef(google_app_engine_standard_app_version.Version.Project),
			Service:   google_app_engine_standard_app_version.Version.Service,
			VersionId: google_app_engine_standard_app_version.Version.Version_id,
		}
		// The result (including PolicyData) is discarded; only the error is checked.
		_, err := iap.LookupAppEngineVersionIamPolicy(ctx, lookup, nil)
		return err
	})
}

```

type LookupAppEngineVersionIamPolicyResultOutput added in v6.59.0

type LookupAppEngineVersionIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAppEngineVersionIamPolicy.

func (LookupAppEngineVersionIamPolicyResultOutput) AppId added in v6.59.0

func (LookupAppEngineVersionIamPolicyResultOutput) ElementType added in v6.59.0

func (LookupAppEngineVersionIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (LookupAppEngineVersionIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (LookupAppEngineVersionIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.AppEngineVersionIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAppEngineVersionIamPolicyResultOutput) Project added in v6.59.0

func (LookupAppEngineVersionIamPolicyResultOutput) Service added in v6.59.0

func (LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutput added in v6.59.0

func (o LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutput() LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutputWithContext added in v6.59.0

func (o LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutputWithContext(ctx context.Context) LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) VersionId added in v6.59.0

type LookupClientArgs

// LookupClientArgs is a collection of arguments for invoking getClient.
type LookupClientArgs struct {
	// The name of the brand.
	Brand string `pulumi:"brand"`
	// The clientId of the brand.
	// NOTE(review): presumably the OAuth2 client ID of the IAP client that
	// belongs to the brand (TODO confirm).
	ClientId string `pulumi:"clientId"`
}

A collection of arguments for invoking getClient.

type LookupClientOutputArgs

// LookupClientOutputArgs is a collection of arguments for invoking getClient,
// expressed as pulumi inputs.
type LookupClientOutputArgs struct {
	// The name of the brand.
	Brand pulumi.StringInput `pulumi:"brand"`
	// The clientId of the brand.
	// NOTE(review): presumably the OAuth2 client ID of the IAP client that
	// belongs to the brand (TODO confirm).
	ClientId pulumi.StringInput `pulumi:"clientId"`
}

A collection of arguments for invoking getClient.

func (LookupClientOutputArgs) ElementType

func (LookupClientOutputArgs) ElementType() reflect.Type

type LookupClientResult

// LookupClientResult is a collection of values returned by getClient.
//
// Brand, ClientId, DisplayName and Secret carry no description on this page;
// presumably they mirror the Client fields of the same names (TODO confirm).
// If so, Secret is the OAuth client secret and callers should handle it as a
// credential: keep it out of logs and of exported stack outputs.
type LookupClientResult struct {
	Brand       string `pulumi:"brand"`
	ClientId    string `pulumi:"clientId"`
	DisplayName string `pulumi:"displayName"`
	// The provider-assigned unique ID for this managed resource.
	Id     string `pulumi:"id"`
	Secret string `pulumi:"secret"`
}

A collection of values returned by getClient.

func LookupClient

func LookupClient(ctx *pulumi.Context, args *LookupClientArgs, opts ...pulumi.InvokeOption) (*LookupClientResult, error)

Get info about a Google Cloud IAP Client.

## Example Usage

```go
package main

import (

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

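func main() {
	// Looks up an existing Google Cloud IAP client by brand name and client ID.
	// The returned LookupClientResult has a Secret field; this example discards
	// the result, so nothing sensitive is printed or exported.
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{
			ProjectId: pulumi.StringRef("foobar"),
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.LookupClient(ctx, &iap.LookupClientArgs{
			// [BRAND_NUMBER] is a placeholder to replace with the real brand number.
			Brand: fmt.Sprintf("projects/%v/brands/[BRAND_NUMBER]", project.Number),
			// LookupClientArgs.ClientId is a string, so the ID has to be a quoted
			// literal rather than a bare identifier chain. The value below is a
			// placeholder, not a real client ID.
			ClientId: "FOO.apps.googleusercontent.com",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}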

```

type LookupClientResultOutput

type LookupClientResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getClient.

func (LookupClientResultOutput) Brand

func (LookupClientResultOutput) ClientId

func (LookupClientResultOutput) DisplayName

func (LookupClientResultOutput) ElementType

func (LookupClientResultOutput) ElementType() reflect.Type

func (LookupClientResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupClientResultOutput) Secret

func (LookupClientResultOutput) ToLookupClientResultOutput

func (o LookupClientResultOutput) ToLookupClientResultOutput() LookupClientResultOutput

func (LookupClientResultOutput) ToLookupClientResultOutputWithContext

func (o LookupClientResultOutput) ToLookupClientResultOutputWithContext(ctx context.Context) LookupClientResultOutput

type LookupTunnelIamPolicyArgs added in v6.59.0

// LookupTunnelIamPolicyArgs is a collection of arguments for invoking
// getTunnelIamPolicy.
type LookupTunnelIamPolicyArgs struct {
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getTunnelIamPolicy.

type LookupTunnelIamPolicyOutputArgs added in v6.59.0

// LookupTunnelIamPolicyOutputArgs is a collection of arguments for invoking
// getTunnelIamPolicy, expressed as pulumi inputs.
type LookupTunnelIamPolicyOutputArgs struct {
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getTunnelIamPolicy.

func (LookupTunnelIamPolicyOutputArgs) ElementType added in v6.59.0

type LookupTunnelIamPolicyResult added in v6.59.0

// LookupTunnelIamPolicyResult is a collection of values returned by
// getTunnelIamPolicy. Project carries no description on this page; presumably
// it echoes the lookup argument (TODO confirm).
type LookupTunnelIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.TunnelIamPolicy`) The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getTunnelIamPolicy.

func LookupTunnelIamPolicy added in v6.59.0

func LookupTunnelIamPolicy(ctx *pulumi.Context, args *LookupTunnelIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupTunnelIamPolicyResult, error)

Retrieves the current IAM policy data for tunnel

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	// Reads the IAM policy currently set on the IAP tunnel of a project.
	// google_project_service.Project_service is not declared anywhere in this
	// snippet; presumably it stands for a project service defined elsewhere.
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookup := &iap.LookupTunnelIamPolicyArgs{
			Project: pulumi.StringRef(google_project_service.Project_service.Project),
		}
		// The result (including PolicyData) is discarded; only the error is checked.
		if _, err := iap.LookupTunnelIamPolicy(ctx, lookup, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type LookupTunnelIamPolicyResultOutput added in v6.59.0

type LookupTunnelIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelIamPolicy.

func LookupTunnelIamPolicyOutput added in v6.59.0

func (LookupTunnelIamPolicyResultOutput) ElementType added in v6.59.0

func (LookupTunnelIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (LookupTunnelIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (LookupTunnelIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.TunnelIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupTunnelIamPolicyResultOutput) Project added in v6.59.0

func (LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutput added in v6.59.0

func (o LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutput() LookupTunnelIamPolicyResultOutput

func (LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutputWithContext added in v6.59.0

func (o LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutputWithContext(ctx context.Context) LookupTunnelIamPolicyResultOutput

type LookupWebBackendServiceIamPolicyArgs added in v6.59.0

// LookupWebBackendServiceIamPolicyArgs is a collection of arguments for
// invoking getWebBackendServiceIamPolicy.
type LookupWebBackendServiceIamPolicyArgs struct {
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to.
	WebBackendService string `pulumi:"webBackendService"`
}

A collection of arguments for invoking getWebBackendServiceIamPolicy.

type LookupWebBackendServiceIamPolicyOutputArgs added in v6.59.0

// LookupWebBackendServiceIamPolicyOutputArgs is a collection of arguments for
// invoking getWebBackendServiceIamPolicy, expressed as pulumi inputs.
type LookupWebBackendServiceIamPolicyOutputArgs struct {
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to.
	WebBackendService pulumi.StringInput `pulumi:"webBackendService"`
}

A collection of arguments for invoking getWebBackendServiceIamPolicy.

func (LookupWebBackendServiceIamPolicyOutputArgs) ElementType added in v6.59.0

type LookupWebBackendServiceIamPolicyResult added in v6.59.0

// LookupWebBackendServiceIamPolicyResult is a collection of values returned by
// getWebBackendServiceIamPolicy.
type LookupWebBackendServiceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebBackendServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData        string `pulumi:"policyData"`
	// NOTE(review): Project and WebBackendService carry no description on this page;
	// presumably they echo the resolved lookup arguments. Confirm against the provider docs.
	Project           string `pulumi:"project"`
	WebBackendService string `pulumi:"webBackendService"`
}

A collection of values returned by getWebBackendServiceIamPolicy.

func LookupWebBackendServiceIamPolicy added in v6.59.0

Retrieves the current IAM policy data for webbackendservice

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main reads the current IAM policy of a backend service. The lookup is read-only
// and the result is discarded here. google_compute_backend_service.Default is not
// declared in this example and stands for a backend service defined elsewhere in
// the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookupArgs := &iap.LookupWebBackendServiceIamPolicyArgs{
			Project:           pulumi.StringRef(google_compute_backend_service.Default.Project),
			WebBackendService: google_compute_backend_service.Default.Name,
		}
		if _, err := iap.LookupWebBackendServiceIamPolicy(ctx, lookupArgs, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebBackendServiceIamPolicyResultOutput added in v6.59.0

// LookupWebBackendServiceIamPolicyResultOutput is the output form of the values
// returned by getWebBackendServiceIamPolicy; it embeds *pulumi.OutputState.
type LookupWebBackendServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebBackendServiceIamPolicy.

func (LookupWebBackendServiceIamPolicyResultOutput) ElementType added in v6.59.0

func (LookupWebBackendServiceIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (LookupWebBackendServiceIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (LookupWebBackendServiceIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.WebBackendServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebBackendServiceIamPolicyResultOutput) Project added in v6.59.0

func (LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutput added in v6.59.0

func (o LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutput() LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutputWithContext added in v6.59.0

func (o LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) WebBackendService added in v6.59.0

type LookupWebIamPolicyArgs added in v6.59.0

// LookupWebIamPolicyArgs is a collection of arguments for invoking getWebIamPolicy.
type LookupWebIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	// Set it explicitly when the provider project is not the project whose policy you mean to read.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebIamPolicy.

type LookupWebIamPolicyOutputArgs added in v6.59.0

// LookupWebIamPolicyOutputArgs is a collection of arguments for invoking
// getWebIamPolicy, with the field typed as a pulumi input.
type LookupWebIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	// Set it explicitly when the provider project is not the project whose policy you mean to read.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebIamPolicy.

func (LookupWebIamPolicyOutputArgs) ElementType added in v6.59.0

type LookupWebIamPolicyResult added in v6.59.0

// LookupWebIamPolicyResult is a collection of values returned by getWebIamPolicy.
type LookupWebIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	// NOTE(review): no description on this page; presumably the resolved project of
	// the lookup. Confirm against the provider docs.
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebIamPolicy.

func LookupWebIamPolicy added in v6.59.0

func LookupWebIamPolicy(ctx *pulumi.Context, args *LookupWebIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupWebIamPolicyResult, error)

Retrieves the current IAM policy data for web

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main reads the current IAM policy for IAP web in a project. The lookup is
// read-only and the result is discarded here. google_project_service.Project_service
// is not declared in this example and stands for a resource defined elsewhere in
// the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookupArgs := &iap.LookupWebIamPolicyArgs{
			Project: pulumi.StringRef(google_project_service.Project_service.Project),
		}
		if _, err := iap.LookupWebIamPolicy(ctx, lookupArgs, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebIamPolicyResultOutput added in v6.59.0

// LookupWebIamPolicyResultOutput is the output form of the values returned by
// getWebIamPolicy; it embeds *pulumi.OutputState.
type LookupWebIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebIamPolicy.

func LookupWebIamPolicyOutput added in v6.59.0

func (LookupWebIamPolicyResultOutput) ElementType added in v6.59.0

func (LookupWebIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (LookupWebIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (LookupWebIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.WebIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebIamPolicyResultOutput) Project added in v6.59.0

func (LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutput added in v6.59.0

func (o LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutput() LookupWebIamPolicyResultOutput

func (LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutputWithContext added in v6.59.0

func (o LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutputWithContext(ctx context.Context) LookupWebIamPolicyResultOutput

type LookupWebTypeComputeIamPolicyArgs added in v6.59.0

// LookupWebTypeComputeIamPolicyArgs is a collection of arguments for invoking
// getWebTypeComputeIamPolicy.
type LookupWebTypeComputeIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	// Set it explicitly when the provider project is not the project whose policy you mean to read.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeComputeIamPolicy.

type LookupWebTypeComputeIamPolicyOutputArgs added in v6.59.0

// LookupWebTypeComputeIamPolicyOutputArgs is a collection of arguments for invoking
// getWebTypeComputeIamPolicy, with the field typed as a pulumi input.
type LookupWebTypeComputeIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	// Set it explicitly when the provider project is not the project whose policy you mean to read.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeComputeIamPolicy.

func (LookupWebTypeComputeIamPolicyOutputArgs) ElementType added in v6.59.0

type LookupWebTypeComputeIamPolicyResult added in v6.59.0

// LookupWebTypeComputeIamPolicyResult is a collection of values returned by
// getWebTypeComputeIamPolicy.
type LookupWebTypeComputeIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebTypeComputeIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	// NOTE(review): no description on this page; presumably the resolved project of
	// the lookup. Confirm against the provider docs.
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebTypeComputeIamPolicy.

func LookupWebTypeComputeIamPolicy added in v6.59.0

Retrieves the current IAM policy data for webtypecompute

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main reads the current IAM policy for IAP web type compute in a project. The
// lookup is read-only and the result is discarded here.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookupArgs := &iap.LookupWebTypeComputeIamPolicyArgs{
			Project: pulumi.StringRef(google_project_service.Project_service.Project),
		}
		if _, err := iap.LookupWebTypeComputeIamPolicy(ctx, lookupArgs, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebTypeComputeIamPolicyResultOutput added in v6.59.0

// LookupWebTypeComputeIamPolicyResultOutput is the output form of the values
// returned by getWebTypeComputeIamPolicy; it embeds *pulumi.OutputState.
type LookupWebTypeComputeIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebTypeComputeIamPolicy.

func (LookupWebTypeComputeIamPolicyResultOutput) ElementType added in v6.59.0

func (LookupWebTypeComputeIamPolicyResultOutput) Etag added in v6.59.0

(Computed) The etag of the IAM policy.

func (LookupWebTypeComputeIamPolicyResultOutput) Id added in v6.59.0

The provider-assigned unique ID for this managed resource.

func (LookupWebTypeComputeIamPolicyResultOutput) PolicyData added in v6.59.0

(Required only by `iap.WebTypeComputeIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebTypeComputeIamPolicyResultOutput) Project added in v6.59.0

func (LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutput added in v6.59.0

func (o LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutput() LookupWebTypeComputeIamPolicyResultOutput

func (LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutputWithContext added in v6.59.0

func (o LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutputWithContext(ctx context.Context) LookupWebTypeComputeIamPolicyResultOutput

type TunnelIamBinding

// TunnelIamBinding manages the IAM binding of one role on the Identity-Aware Proxy
// tunnel. Per the resource description on this page it is authoritative for that
// role: it updates the policy to grant the role to a list of members, while other
// roles within the tunnel's IAM policy are preserved.
type TunnelIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	// Identities granted `role`. The accepted identifier forms are the `member/members`
	// bullets that follow the Project description below.
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are described below as
	// covering anyone on the internet and anyone with a Google account, so a binding
	// that lists them is not limited to your own organization. Confirm that is
	// intended before pairing them with a tunnel access role.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached.
* `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved.
* `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_tunnel\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

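// main builds an IAM policy document that grants roles/iap.tunnelResourceAccessor
// to one user and sets it as the tunnel's policy.
//
// iap.TunnelIamPolicy is authoritative: it replaces any policy already attached to
// the tunnel, so bindings that are not in the generated document are dropped.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// admin.PolicyData is a plain string; wrap it with pulumi.String.
			// The original example dereferenced the conversion, which does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}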

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

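// main builds an IAM policy document that grants roles/iap.tunnelResourceAccessor
// to one user under a time-based IAM Condition, and sets it as the tunnel's policy.
//
// iap.TunnelIamPolicy is authoritative: it replaces any policy already attached to
// the tunnel. The expiry timestamp is the page's sample value and lies in the past;
// choose one that matches the access window you intend to grant.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// The composite literal needs an explicit type; the original
					// example's bare `{` does not compile.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// admin.PolicyData is a plain string; wrap it with pulumi.String.
			// The original example dereferenced the conversion, which does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}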

```

## google\_iap\_tunnel\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on the tunnel to a single user
// through a role-level binding. The binding is authoritative for that role, while
// other roles in the tunnel's policy are preserved.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewTunnelIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on the tunnel to a single user
// through a role-level binding that carries a time-based IAM Condition.
// The expiry timestamp is the page's sample value and lies in the past; choose one
// that matches the access window you intend to grant.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		expiry := &iap.TunnelIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		bindingArgs := &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		if _, err := iap.NewTunnelIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## google\_iap\_tunnel\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single user to roles/iap.tunnelResourceAccessor on the tunnel.
// iap.TunnelIamMember is non-authoritative: other members of the role are preserved.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		if _, err := iap.NewTunnelIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single user to roles/iap.tunnelResourceAccessor on the tunnel under
// a time-based IAM Condition. iap.TunnelIamMember is non-authoritative: other
// members of the role are preserved.
// The expiry timestamp is the page's sample value and lies in the past; choose one
// that matches the access window you intend to grant.
// google_project_service.Project_service is not declared in this example and
// stands for a resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		expiry := &iap.TunnelIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		memberArgs := &iap.TunnelIamMemberArgs{
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		if _, err := iap.NewTunnelIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration. Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor projects/{{project}}/iap_tunnel

```

-> **Custom Roles** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamBinding

func GetTunnelIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamBindingState, opts ...pulumi.ResourceOption) (*TunnelIamBinding, error)

GetTunnelIamBinding gets an existing TunnelIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamBinding

func NewTunnelIamBinding(ctx *pulumi.Context,
	name string, args *TunnelIamBindingArgs, opts ...pulumi.ResourceOption) (*TunnelIamBinding, error)

NewTunnelIamBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamBinding) ElementType

func (*TunnelIamBinding) ElementType() reflect.Type

func (*TunnelIamBinding) ToTunnelIamBindingOutput

func (i *TunnelIamBinding) ToTunnelIamBindingOutput() TunnelIamBindingOutput

func (*TunnelIamBinding) ToTunnelIamBindingOutputWithContext

func (i *TunnelIamBinding) ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput

type TunnelIamBindingArgs

// TunnelIamBindingArgs is the set of arguments for constructing a TunnelIamBinding
// resource. Per the resource description on this page, the resulting binding is
// authoritative for the given role, while other roles in the tunnel's IAM policy
// are preserved.
type TunnelIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrInput
	// Identities granted `role`. The accepted identifier forms are the `member/members`
	// bullets that follow the Project description below.
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` are described below as
	// covering anyone on the internet and anyone with a Google account, so a binding
	// that lists them is not limited to your own organization. Confirm that is
	// intended before pairing them with a tunnel access role.
	Members   pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelIamBinding resource.

func (TunnelIamBindingArgs) ElementType

func (TunnelIamBindingArgs) ElementType() reflect.Type

type TunnelIamBindingArray

// TunnelIamBindingArray is a slice of TunnelIamBindingInput values. It is one of the
// types that TunnelIamBindingArrayInput accepts.
type TunnelIamBindingArray []TunnelIamBindingInput

func (TunnelIamBindingArray) ElementType

func (TunnelIamBindingArray) ElementType() reflect.Type

func (TunnelIamBindingArray) ToTunnelIamBindingArrayOutput

func (i TunnelIamBindingArray) ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput

func (TunnelIamBindingArray) ToTunnelIamBindingArrayOutputWithContext

func (i TunnelIamBindingArray) ToTunnelIamBindingArrayOutputWithContext(ctx context.Context) TunnelIamBindingArrayOutput

type TunnelIamBindingArrayInput

// TunnelIamBindingArrayInput is an input type that accepts TunnelIamBindingArray and
// TunnelIamBindingArrayOutput values.
type TunnelIamBindingArrayInput interface {
	pulumi.Input

	// Both methods return the value as a TunnelIamBindingArrayOutput; the second
	// form additionally takes a context.Context.
	ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput
	ToTunnelIamBindingArrayOutputWithContext(context.Context) TunnelIamBindingArrayOutput
}

TunnelIamBindingArrayInput is an input type that accepts TunnelIamBindingArray and TunnelIamBindingArrayOutput values. You can construct a concrete instance of `TunnelIamBindingArrayInput` via:

TunnelIamBindingArray{ TunnelIamBindingArgs{...} }

type TunnelIamBindingArrayOutput

// TunnelIamBindingArrayOutput is the output counterpart of TunnelIamBindingArray and
// is accepted by TunnelIamBindingArrayInput; it embeds *pulumi.OutputState.
type TunnelIamBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingArrayOutput) ElementType

func (TunnelIamBindingArrayOutput) Index

func (TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutput

func (o TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput

func (TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutputWithContext

func (o TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutputWithContext(ctx context.Context) TunnelIamBindingArrayOutput

type TunnelIamBindingCondition

// TunnelIamBindingCondition holds the fields of an IAM Condition attached to a
// TunnelIamBinding, as plain Go values.
type TunnelIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a `request.time < timestamp(...)` expression to
	// bound how long the binding applies.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelIamBindingConditionArgs

// TunnelIamBindingConditionArgs holds the fields of an IAM Condition attached to a
// TunnelIamBinding, typed as pulumi inputs. It is accepted by both
// TunnelIamBindingConditionInput and TunnelIamBindingConditionPtrInput.
type TunnelIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a `request.time < timestamp(...)` expression to
	// bound how long the binding applies.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelIamBindingConditionArgs) ElementType

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutput

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutputWithContext

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutputWithContext(ctx context.Context) TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutput

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutputWithContext

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionInput

// TunnelIamBindingConditionInput is an input type that accepts
// TunnelIamBindingConditionArgs and TunnelIamBindingConditionOutput values.
type TunnelIamBindingConditionInput interface {
	pulumi.Input

	// Both methods return the value as a TunnelIamBindingConditionOutput; the second
	// form additionally takes a context.Context.
	ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput
	ToTunnelIamBindingConditionOutputWithContext(context.Context) TunnelIamBindingConditionOutput
}

TunnelIamBindingConditionInput is an input type that accepts TunnelIamBindingConditionArgs and TunnelIamBindingConditionOutput values. You can construct a concrete instance of `TunnelIamBindingConditionInput` via:

TunnelIamBindingConditionArgs{...}

type TunnelIamBindingConditionOutput

// TunnelIamBindingConditionOutput is the output form of an IAM Condition on a
// TunnelIamBinding; it embeds *pulumi.OutputState. The page lists Description,
// Expression and Title accessors for it.
type TunnelIamBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamBindingConditionOutput) ElementType

func (TunnelIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutput

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutputWithContext

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutputWithContext(ctx context.Context) TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutput

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutputWithContext

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionPtrInput

// TunnelIamBindingConditionPtrInput is an input type that accepts
// TunnelIamBindingConditionArgs, TunnelIamBindingConditionPtr and
// TunnelIamBindingConditionPtrOutput values. The page also shows nil as a
// concrete instance.
type TunnelIamBindingConditionPtrInput interface {
	pulumi.Input

	// Both methods return the value as a TunnelIamBindingConditionPtrOutput; the
	// second form additionally takes a context.Context.
	ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput
	ToTunnelIamBindingConditionPtrOutputWithContext(context.Context) TunnelIamBindingConditionPtrOutput
}

TunnelIamBindingConditionPtrInput is an input type that accepts TunnelIamBindingConditionArgs, TunnelIamBindingConditionPtr and TunnelIamBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelIamBindingConditionPtrInput` via:

        TunnelIamBindingConditionArgs{...}

or:

        nil

type TunnelIamBindingConditionPtrOutput

// TunnelIamBindingConditionPtrOutput is the output form of an optional IAM Condition
// on a TunnelIamBinding; it embeds *pulumi.OutputState. The page lists Description,
// Elem, Expression and Title accessors for it.
type TunnelIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamBindingConditionPtrOutput) Elem

func (TunnelIamBindingConditionPtrOutput) ElementType

func (TunnelIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutput

func (o TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutputWithContext

func (o TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingInput

// TunnelIamBindingInput is an input type whose implementations can be converted to
// a TunnelIamBindingOutput. It is the element type of TunnelIamBindingArray and the
// value type of TunnelIamBindingMap.
type TunnelIamBindingInput interface {
	pulumi.Input

	// Both methods return the value as a TunnelIamBindingOutput; the second form
	// additionally takes a context.Context.
	ToTunnelIamBindingOutput() TunnelIamBindingOutput
	ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput
}

type TunnelIamBindingMap

// TunnelIamBindingMap maps string keys to TunnelIamBindingInput values. It is one of
// the types that TunnelIamBindingMapInput accepts.
type TunnelIamBindingMap map[string]TunnelIamBindingInput

func (TunnelIamBindingMap) ElementType

func (TunnelIamBindingMap) ElementType() reflect.Type

func (TunnelIamBindingMap) ToTunnelIamBindingMapOutput

func (i TunnelIamBindingMap) ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput

func (TunnelIamBindingMap) ToTunnelIamBindingMapOutputWithContext

func (i TunnelIamBindingMap) ToTunnelIamBindingMapOutputWithContext(ctx context.Context) TunnelIamBindingMapOutput

type TunnelIamBindingMapInput

// TunnelIamBindingMapInput is an input type that accepts TunnelIamBindingMap and
// TunnelIamBindingMapOutput values.
type TunnelIamBindingMapInput interface {
	pulumi.Input

	// Both methods return the value as a TunnelIamBindingMapOutput; the second form
	// additionally takes a context.Context.
	ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput
	ToTunnelIamBindingMapOutputWithContext(context.Context) TunnelIamBindingMapOutput
}

TunnelIamBindingMapInput is an input type that accepts TunnelIamBindingMap and TunnelIamBindingMapOutput values. You can construct a concrete instance of `TunnelIamBindingMapInput` via:

TunnelIamBindingMap{ "key": TunnelIamBindingArgs{...} }

type TunnelIamBindingMapOutput

// TunnelIamBindingMapOutput is the output counterpart of TunnelIamBindingMap and is
// accepted by TunnelIamBindingMapInput; it embeds *pulumi.OutputState.
type TunnelIamBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingMapOutput) ElementType

func (TunnelIamBindingMapOutput) ElementType() reflect.Type

func (TunnelIamBindingMapOutput) MapIndex

func (TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutput

func (o TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput

func (TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutputWithContext

func (o TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutputWithContext(ctx context.Context) TunnelIamBindingMapOutput

type TunnelIamBindingOutput

// TunnelIamBindingOutput is the output form of a TunnelIamBinding resource; it embeds
// *pulumi.OutputState. The page lists Condition, Etag, Members, Project and Role
// accessors for it.
type TunnelIamBindingOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelIamBindingOutput) ElementType

func (TunnelIamBindingOutput) ElementType() reflect.Type

func (TunnelIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (TunnelIamBindingOutput) Members added in v6.23.0

func (TunnelIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelIamBindingOutput) ToTunnelIamBindingOutput

func (o TunnelIamBindingOutput) ToTunnelIamBindingOutput() TunnelIamBindingOutput

func (TunnelIamBindingOutput) ToTunnelIamBindingOutputWithContext

func (o TunnelIamBindingOutput) ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput

type TunnelIamBindingState

type TunnelIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	Members pulumi.StringArrayInput // Identities granted Role; accepted formats are listed in the Project comment below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE: the list that follows describes the values accepted by `member/members`, not Project.
	// `allUsers` and `allAuthenticatedUsers` are public principals: per the descriptions below they
	// match anyone on the internet and anyone authenticated with a Google account or service account,
	// so list specific users, groups or service accounts unless public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelIamBindingState) ElementType

func (TunnelIamBindingState) ElementType() reflect.Type

type TunnelIamMember

type TunnelIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	Member pulumi.StringOutput `pulumi:"member"` // Identity granted Role; accepted formats are listed in the Project comment below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE: the list that follows describes the values accepted by `member/members`, not Project.
	// `allUsers` and `allAuthenticatedUsers` are public principals: per the descriptions below they
	// match anyone on the internet and anyone authenticated with a Google account or service account,
	// so name a specific user, group or service account unless public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached.
* `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved.
* `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in the event you do not need creation:

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_tunnel\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

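// main sets the IAM policy of a project's IAP tunnel from a policy document
// that grants roles/iap.tunnelResourceAccessor to one named user.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document. Everything the tunnel policy should
		// contain has to be listed here, because the resource created below
		// is authoritative.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelIamPolicy replaces any policy already attached to the tunnel.
		// google_project_service.Project_service is not declared in this
		// example; it stands for a resource defined elsewhere in the program.
		// PolicyData is wrapped with the pulumi.String conversion; the `*`
		// the generated example placed in front of it is not valid Go.
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(google_project_service.Project_service.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}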

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

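// main sets the IAM policy of a project's IAP tunnel from a policy document
// whose single binding carries a time-based IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document. The binding applies only while the
		// condition expression holds. The sample expiry (2020-01-01) is in the
		// past, so as written the condition never holds; substitute a future
		// timestamp when adapting this.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field value needs an explicit type; the bare
					// `Condition: {` of the generated example does not compile.
					// NOTE(review): type name taken from the organizations
					// package; confirm against the SDK version in use.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelIamPolicy is authoritative: it replaces any policy already
		// attached to the tunnel. google_project_service.Project_service is
		// not declared in this example; it stands for a resource defined
		// elsewhere in the program. PolicyData is wrapped with the
		// pulumi.String conversion; the `*` the generated example placed in
		// front of it is not valid Go.
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(google_project_service.Project_service.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}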

```

## google\_iap\_tunnel\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on a project's IAP tunnel to a
// list of members through a role-level binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// TunnelIamBinding is authoritative for the role it names: this member
		// list is the list for the role, while other roles in the tunnel's
		// policy are preserved. google_project_service.Project_service is not
		// declared in this example; it stands for a resource defined elsewhere.
		bindingArgs := &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewTunnelIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on a project's IAP tunnel to a
// list of members, limited by a time-based IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The grant applies only while the expression holds. The sample expiry
		// (2020-01-01) is in the past, so substitute a future timestamp when
		// adapting this.
		expiry := &iap.TunnelIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// TunnelIamBinding is authoritative for the role it names; other roles
		// in the tunnel's policy are preserved. The
		// google_project_service.Project_service value is not declared in this
		// example; it stands for a resource defined elsewhere.
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		})
		return err
	})
}

```

## google\_iap\_tunnel\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on a project's IAP tunnel to a
// single member.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// TunnelIamMember is non-authoritative: it adds this one member and
		// preserves the other members already holding the role.
		// google_project_service.Project_service is not declared in this
		// example; it stands for a resource defined elsewhere.
		memberArgs := &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewTunnelIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on a project's IAP tunnel to a
// single member, limited by a time-based IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The grant applies only while the expression holds. The sample expiry
		// (2020-01-01) is in the past, so substitute a future timestamp when
		// adapting this.
		expiry := &iap.TunnelIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// TunnelIamMember is non-authoritative: other members holding the role
		// are preserved. google_project_service.Project_service is not declared
		// in this example; it stands for a resource defined elsewhere.
		memberArgs := &iap.TunnelIamMemberArgs{
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		if _, err := iap.NewTunnelIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor projects/{{project}}/iap_tunnel

```

-> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamMember

func GetTunnelIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamMemberState, opts ...pulumi.ResourceOption) (*TunnelIamMember, error)

GetTunnelIamMember gets an existing TunnelIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamMember

func NewTunnelIamMember(ctx *pulumi.Context,
	name string, args *TunnelIamMemberArgs, opts ...pulumi.ResourceOption) (*TunnelIamMember, error)

NewTunnelIamMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamMember) ElementType

func (*TunnelIamMember) ElementType() reflect.Type

func (*TunnelIamMember) ToTunnelIamMemberOutput

func (i *TunnelIamMember) ToTunnelIamMemberOutput() TunnelIamMemberOutput

func (*TunnelIamMember) ToTunnelIamMemberOutputWithContext

func (i *TunnelIamMember) ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput

type TunnelIamMemberArgs

type TunnelIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrInput
	Member    pulumi.StringInput // Identity granted Role; accepted formats are listed in the Project comment below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE: the list that follows describes the values accepted by `member/members`, not Project.
	// `allUsers` and `allAuthenticatedUsers` are public principals: per the descriptions below they
	// match anyone on the internet and anyone authenticated with a Google account or service account,
	// so name a specific user, group or service account unless public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelIamMember resource.

func (TunnelIamMemberArgs) ElementType

func (TunnelIamMemberArgs) ElementType() reflect.Type

type TunnelIamMemberArray

type TunnelIamMemberArray []TunnelIamMemberInput

func (TunnelIamMemberArray) ElementType

func (TunnelIamMemberArray) ElementType() reflect.Type

func (TunnelIamMemberArray) ToTunnelIamMemberArrayOutput

func (i TunnelIamMemberArray) ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput

func (TunnelIamMemberArray) ToTunnelIamMemberArrayOutputWithContext

func (i TunnelIamMemberArray) ToTunnelIamMemberArrayOutputWithContext(ctx context.Context) TunnelIamMemberArrayOutput

type TunnelIamMemberArrayInput

type TunnelIamMemberArrayInput interface {
	pulumi.Input

	// ToTunnelIamMemberArrayOutput returns the value as a TunnelIamMemberArrayOutput.
	ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput
	// ToTunnelIamMemberArrayOutputWithContext returns a TunnelIamMemberArrayOutput, given a context.Context.
	ToTunnelIamMemberArrayOutputWithContext(context.Context) TunnelIamMemberArrayOutput
}

TunnelIamMemberArrayInput is an input type that accepts TunnelIamMemberArray and TunnelIamMemberArrayOutput values. You can construct a concrete instance of `TunnelIamMemberArrayInput` via:

TunnelIamMemberArray{ TunnelIamMemberArgs{...} }

type TunnelIamMemberArrayOutput

type TunnelIamMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberArrayOutput) ElementType

func (TunnelIamMemberArrayOutput) ElementType() reflect.Type

func (TunnelIamMemberArrayOutput) Index

func (TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutput

func (o TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput

func (TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutputWithContext

func (o TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutputWithContext(ctx context.Context) TunnelIamMemberArrayOutput

type TunnelIamMemberCondition

// TunnelIamMemberCondition holds the fields of an IAM Condition: an
// expression, a title, and an optional description.
type TunnelIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelIamMemberConditionArgs

// TunnelIamMemberConditionArgs carries the fields of an IAM Condition as
// Pulumi inputs: an expression, a title, and an optional description.
type TunnelIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelIamMemberConditionArgs) ElementType

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutput

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutputWithContext

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutputWithContext(ctx context.Context) TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutput

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutputWithContext

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionInput

type TunnelIamMemberConditionInput interface {
	pulumi.Input

	// ToTunnelIamMemberConditionOutput returns the value as a TunnelIamMemberConditionOutput.
	ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput
	// ToTunnelIamMemberConditionOutputWithContext returns a TunnelIamMemberConditionOutput, given a context.Context.
	ToTunnelIamMemberConditionOutputWithContext(context.Context) TunnelIamMemberConditionOutput
}

TunnelIamMemberConditionInput is an input type that accepts TunnelIamMemberConditionArgs and TunnelIamMemberConditionOutput values. You can construct a concrete instance of `TunnelIamMemberConditionInput` via:

TunnelIamMemberConditionArgs{...}

type TunnelIamMemberConditionOutput

type TunnelIamMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamMemberConditionOutput) ElementType

func (TunnelIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutput

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutputWithContext

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutputWithContext(ctx context.Context) TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutput

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutputWithContext

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionPtrInput

type TunnelIamMemberConditionPtrInput interface {
	pulumi.Input

	// ToTunnelIamMemberConditionPtrOutput returns the value as a TunnelIamMemberConditionPtrOutput.
	ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput
	// ToTunnelIamMemberConditionPtrOutputWithContext returns a TunnelIamMemberConditionPtrOutput, given a context.Context.
	ToTunnelIamMemberConditionPtrOutputWithContext(context.Context) TunnelIamMemberConditionPtrOutput
}

TunnelIamMemberConditionPtrInput is an input type that accepts TunnelIamMemberConditionArgs, TunnelIamMemberConditionPtr and TunnelIamMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelIamMemberConditionPtrInput` via:

        TunnelIamMemberConditionArgs{...}

or:

        nil

type TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamMemberConditionPtrOutput) Elem

func (TunnelIamMemberConditionPtrOutput) ElementType

func (TunnelIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutput

func (o TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutputWithContext

func (o TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberInput

// TunnelIamMemberInput is implemented by values that can be converted to a
// TunnelIamMemberOutput.
type TunnelIamMemberInput interface {
	pulumi.Input

	// ToTunnelIamMemberOutput returns the value as a TunnelIamMemberOutput.
	ToTunnelIamMemberOutput() TunnelIamMemberOutput
	// ToTunnelIamMemberOutputWithContext returns a TunnelIamMemberOutput, given a context.Context.
	ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput
}

type TunnelIamMemberMap

type TunnelIamMemberMap map[string]TunnelIamMemberInput

func (TunnelIamMemberMap) ElementType

func (TunnelIamMemberMap) ElementType() reflect.Type

func (TunnelIamMemberMap) ToTunnelIamMemberMapOutput

func (i TunnelIamMemberMap) ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput

func (TunnelIamMemberMap) ToTunnelIamMemberMapOutputWithContext

func (i TunnelIamMemberMap) ToTunnelIamMemberMapOutputWithContext(ctx context.Context) TunnelIamMemberMapOutput

type TunnelIamMemberMapInput

type TunnelIamMemberMapInput interface {
	pulumi.Input

	// ToTunnelIamMemberMapOutput returns the value as a TunnelIamMemberMapOutput.
	ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput
	// ToTunnelIamMemberMapOutputWithContext returns a TunnelIamMemberMapOutput, given a context.Context.
	ToTunnelIamMemberMapOutputWithContext(context.Context) TunnelIamMemberMapOutput
}

TunnelIamMemberMapInput is an input type that accepts TunnelIamMemberMap and TunnelIamMemberMapOutput values. You can construct a concrete instance of `TunnelIamMemberMapInput` via:

TunnelIamMemberMap{ "key": TunnelIamMemberArgs{...} }

type TunnelIamMemberMapOutput

type TunnelIamMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberMapOutput) ElementType

func (TunnelIamMemberMapOutput) ElementType() reflect.Type

func (TunnelIamMemberMapOutput) MapIndex

func (TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutput

func (o TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput

func (TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutputWithContext

func (o TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutputWithContext(ctx context.Context) TunnelIamMemberMapOutput

type TunnelIamMemberOutput

type TunnelIamMemberOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelIamMemberOutput) ElementType

func (TunnelIamMemberOutput) ElementType() reflect.Type

func (TunnelIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (TunnelIamMemberOutput) Member added in v6.23.0

func (TunnelIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelIamMemberOutput) ToTunnelIamMemberOutput

func (o TunnelIamMemberOutput) ToTunnelIamMemberOutput() TunnelIamMemberOutput

func (TunnelIamMemberOutput) ToTunnelIamMemberOutputWithContext

func (o TunnelIamMemberOutput) ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput

type TunnelIamMemberState

type TunnelIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	Member pulumi.StringPtrInput // Identity granted Role; accepted formats are listed in the Project comment below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE: the list that follows describes the values accepted by `member/members`, not Project.
	// `allUsers` and `allAuthenticatedUsers` are public principals: per the descriptions below they
	// match anyone on the internet and anyone authenticated with a Google account or service account,
	// so name a specific user, group or service account unless public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelIamMemberState) ElementType

func (TunnelIamMemberState) ElementType() reflect.Type

type TunnelIamPolicy

// TunnelIamPolicy is the authoritative IAM policy resource for the
// Identity-Aware Proxy tunnel. It sets the whole policy and replaces any
// policy already attached, so it cannot be combined with
// `iap.TunnelIamBinding` or `iap.TunnelIamMember` on the same tunnel.
type TunnelIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the `member/members` identity
	// formats, not Project; it appears to have been attached to this field by
	// the documentation generator. This struct has no member field, so the list
	// applies to the members named in the bindings behind PolicyData.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// `allUsers` and `allAuthenticatedUsers` extend the grant to principals
	// outside your organization; prefer specific users, groups or service accounts.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached.
* `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved.
* `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create it:

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_tunnel\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

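// main declares the authoritative IAM policy for the IAP tunnel, built from a
// policy document with a single binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Policy document: the tunnel accessor role for one named user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelIamPolicy is authoritative: applying it replaces any policy
		// already attached to the tunnel, so every binding that must survive
		// has to be present in the policy document above.
		//
		// google_project_service is not declared in this snippet; it stands for
		// a resource defined elsewhere in the program. pulumi.String is a
		// conversion, not a pointer, so its result must not be dereferenced.
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(google_project_service.Project_service.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}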

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

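// main declares the authoritative IAM policy for the IAP tunnel, with a
// time-bound IAM Condition on its single binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type;
					// the bare `{ ... }` form is only valid for slice, array
					// and map elements. The expression limits the grant to
					// requests made before the given timestamp.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelIamPolicy is authoritative: applying it replaces any policy
		// already attached to the tunnel.
		//
		// google_project_service is not declared in this snippet; it stands for
		// a resource defined elsewhere in the program. pulumi.String is a
		// conversion, not a pointer, so its result must not be dereferenced.
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(google_project_service.Project_service.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}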

```

## google\_iap\_tunnel\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on the IAP tunnel to a list of
// members through a binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The binding is authoritative for this one role; other roles within
		// the tunnel's IAM policy are preserved.
		// google_project_service is not declared in this snippet.
		args := &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewTunnelIamBinding(ctx, "binding", args)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on the IAP tunnel through a
// binding that carries a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression limits the grant to requests made before the given
		// timestamp.
		expiry := &iap.TunnelIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// The binding is authoritative for this one role.
		// google_project_service is not declared in this snippet.
		args := &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewTunnelIamBinding(ctx, "binding", args)
		return err
	})
}

```

## google\_iap\_tunnel\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single member to roles/iap.tunnelResourceAccessor on the IAP
// tunnel.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// TunnelIamMember is non-authoritative: other members for the role are
		// preserved.
		// google_project_service is not declared in this snippet.
		args := &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewTunnelIamMember(ctx, "member", args)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single member to roles/iap.tunnelResourceAccessor on the IAP
// tunnel, limited by a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression limits the grant to requests made before the given
		// timestamp.
		expiry := &iap.TunnelIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// TunnelIamMember is non-authoritative: other members for the role are
		// preserved.
		// google_project_service is not declared in this snippet.
		args := &iap.TunnelIamMemberArgs{
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewTunnelIamMember(ctx, "member", args)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor projects/{{project}}/iap_tunnel

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamPolicy

func GetTunnelIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamPolicyState, opts ...pulumi.ResourceOption) (*TunnelIamPolicy, error)

GetTunnelIamPolicy gets an existing TunnelIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamPolicy

func NewTunnelIamPolicy(ctx *pulumi.Context,
	name string, args *TunnelIamPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelIamPolicy, error)

NewTunnelIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamPolicy) ElementType

func (*TunnelIamPolicy) ElementType() reflect.Type

func (*TunnelIamPolicy) ToTunnelIamPolicyOutput

func (i *TunnelIamPolicy) ToTunnelIamPolicyOutput() TunnelIamPolicyOutput

func (*TunnelIamPolicy) ToTunnelIamPolicyOutputWithContext

func (i *TunnelIamPolicy) ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput

type TunnelIamPolicyArgs

// TunnelIamPolicyArgs is the set of arguments for constructing a
// TunnelIamPolicy resource. The resulting policy is authoritative and
// replaces any policy already attached to the tunnel.
type TunnelIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the `member/members` identity
	// formats, not Project; it appears to have been attached to this field by
	// the documentation generator. This struct has no member field, so the list
	// applies to the members named in the bindings behind PolicyData.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// `allUsers` and `allAuthenticatedUsers` extend the grant to principals
	// outside your organization; prefer specific users, groups or service accounts.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelIamPolicy resource.

func (TunnelIamPolicyArgs) ElementType

func (TunnelIamPolicyArgs) ElementType() reflect.Type

type TunnelIamPolicyArray

type TunnelIamPolicyArray []TunnelIamPolicyInput

func (TunnelIamPolicyArray) ElementType

func (TunnelIamPolicyArray) ElementType() reflect.Type

func (TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutput

func (i TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput

func (TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutputWithContext

func (i TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutputWithContext(ctx context.Context) TunnelIamPolicyArrayOutput

type TunnelIamPolicyArrayInput

// TunnelIamPolicyArrayInput is an input type that accepts TunnelIamPolicyArray
// and TunnelIamPolicyArrayOutput values.
type TunnelIamPolicyArrayInput interface {
	pulumi.Input

	// ToTunnelIamPolicyArrayOutput returns the value as a TunnelIamPolicyArrayOutput.
	ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput
	// ToTunnelIamPolicyArrayOutputWithContext is the same conversion, taking a context.Context.
	ToTunnelIamPolicyArrayOutputWithContext(context.Context) TunnelIamPolicyArrayOutput
}

TunnelIamPolicyArrayInput is an input type that accepts TunnelIamPolicyArray and TunnelIamPolicyArrayOutput values. You can construct a concrete instance of `TunnelIamPolicyArrayInput` via:

TunnelIamPolicyArray{ TunnelIamPolicyArgs{...} }

type TunnelIamPolicyArrayOutput

type TunnelIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyArrayOutput) ElementType

func (TunnelIamPolicyArrayOutput) ElementType() reflect.Type

func (TunnelIamPolicyArrayOutput) Index

func (TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutput

func (o TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput

func (TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutputWithContext

func (o TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutputWithContext(ctx context.Context) TunnelIamPolicyArrayOutput

type TunnelIamPolicyInput

// TunnelIamPolicyInput is implemented by values that can be converted to a
// TunnelIamPolicyOutput.
type TunnelIamPolicyInput interface {
	pulumi.Input

	// ToTunnelIamPolicyOutput returns the value as a TunnelIamPolicyOutput.
	ToTunnelIamPolicyOutput() TunnelIamPolicyOutput
	// ToTunnelIamPolicyOutputWithContext is the same conversion, taking a context.Context.
	ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput
}

type TunnelIamPolicyMap

type TunnelIamPolicyMap map[string]TunnelIamPolicyInput

func (TunnelIamPolicyMap) ElementType

func (TunnelIamPolicyMap) ElementType() reflect.Type

func (TunnelIamPolicyMap) ToTunnelIamPolicyMapOutput

func (i TunnelIamPolicyMap) ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput

func (TunnelIamPolicyMap) ToTunnelIamPolicyMapOutputWithContext

func (i TunnelIamPolicyMap) ToTunnelIamPolicyMapOutputWithContext(ctx context.Context) TunnelIamPolicyMapOutput

type TunnelIamPolicyMapInput

// TunnelIamPolicyMapInput is an input type that accepts TunnelIamPolicyMap and
// TunnelIamPolicyMapOutput values.
type TunnelIamPolicyMapInput interface {
	pulumi.Input

	// ToTunnelIamPolicyMapOutput returns the value as a TunnelIamPolicyMapOutput.
	ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput
	// ToTunnelIamPolicyMapOutputWithContext is the same conversion, taking a context.Context.
	ToTunnelIamPolicyMapOutputWithContext(context.Context) TunnelIamPolicyMapOutput
}

TunnelIamPolicyMapInput is an input type that accepts TunnelIamPolicyMap and TunnelIamPolicyMapOutput values. You can construct a concrete instance of `TunnelIamPolicyMapInput` via:

TunnelIamPolicyMap{ "key": TunnelIamPolicyArgs{...} }

type TunnelIamPolicyMapOutput

type TunnelIamPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyMapOutput) ElementType

func (TunnelIamPolicyMapOutput) ElementType() reflect.Type

func (TunnelIamPolicyMapOutput) MapIndex

func (TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutput

func (o TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput

func (TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutputWithContext

func (o TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutputWithContext(ctx context.Context) TunnelIamPolicyMapOutput

type TunnelIamPolicyOutput

type TunnelIamPolicyOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyOutput) ElementType

func (TunnelIamPolicyOutput) ElementType() reflect.Type

func (TunnelIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (TunnelIamPolicyOutput) PolicyData added in v6.23.0

func (o TunnelIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamPolicyOutput) ToTunnelIamPolicyOutput

func (o TunnelIamPolicyOutput) ToTunnelIamPolicyOutput() TunnelIamPolicyOutput

func (TunnelIamPolicyOutput) ToTunnelIamPolicyOutputWithContext

func (o TunnelIamPolicyOutput) ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput

type TunnelIamPolicyState

// TunnelIamPolicyState holds the optional state properties passed to
// GetTunnelIamPolicy to qualify the lookup of an existing TunnelIamPolicy.
type TunnelIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the `member/members` identity
	// formats, not Project; it appears to have been attached to this field by
	// the documentation generator. This struct has no member field, so the list
	// applies to the members named in the bindings behind PolicyData.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// `allUsers` and `allAuthenticatedUsers` extend the grant to principals
	// outside your organization; prefer specific users, groups or service accounts.
	Project pulumi.StringPtrInput
}

func (TunnelIamPolicyState) ElementType

func (TunnelIamPolicyState) ElementType() reflect.Type

type TunnelInstanceIAMBinding

// TunnelInstanceIAMBinding grants one role to a list of members on an
// Identity-Aware Proxy tunnel instance. It is authoritative for that role;
// other roles within the instance's IAM policy are preserved.
type TunnelInstanceIAMBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	//
	// Members (the next field) lists the identities granted Role; the accepted
	// formats are the `member/members` entries listed under Project below.
	Instance pulumi.StringOutput      `pulumi:"instance"`
	Members  pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the `member/members` identity
	// formats, not Project; it appears to have been attached to this field by
	// the documentation generator.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// `allUsers` and `allAuthenticatedUsers` extend the grant to principals
	// outside your organization; prefer specific users, groups or service accounts.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// NOTE(review): undocumented upstream; the examples pass the zone of the
	// tunnel VM instance here — confirm.
	Zone pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached.
* `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved.
* `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create it:

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_tunnel\_instance\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

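// main declares the authoritative IAM policy for one IAP tunnel instance,
// built from a policy document with a single binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Policy document: the tunnel accessor role for one named user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelInstanceIAMPolicy is authoritative: applying it replaces any
		// policy already attached to the tunnel instance, so every binding that
		// must survive has to be present in the policy document above.
		//
		// google_compute_instance is not declared in this snippet; it stands
		// for a resource defined elsewhere in the program. pulumi.String is a
		// conversion, not a pointer, so its result must not be dereferenced.
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:       pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance:   pulumi.Any(google_compute_instance.Tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}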

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

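// main declares the authoritative IAM policy for one IAP tunnel instance, with
// a time-bound IAM Condition on its single binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type;
					// the bare `{ ... }` form is only valid for slice, array
					// and map elements. The expression limits the grant to
					// requests made before the given timestamp.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelInstanceIAMPolicy is authoritative: applying it replaces any
		// policy already attached to the tunnel instance.
		//
		// google_compute_instance is not declared in this snippet; it stands
		// for a resource defined elsewhere in the program. pulumi.String is a
		// conversion, not a pointer, so its result must not be dereferenced.
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:       pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance:   pulumi.Any(google_compute_instance.Tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}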

```

## google\_iap\_tunnel\_instance\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one IAP tunnel instance to a
// list of members through a binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The binding is authoritative for this one role; other roles within
		// the instance's IAM policy are preserved.
		// google_compute_instance is not declared in this snippet.
		args := &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", args)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one IAP tunnel instance
// through a binding that carries a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression limits the grant to requests made before the given
		// timestamp.
		expiry := &iap.TunnelInstanceIAMBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// The binding is authoritative for this one role.
		// google_compute_instance is not declared in this snippet.
		args := &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", args)
		return err
	})
}

```

## google\_iap\_tunnel\_instance\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single member to roles/iap.tunnelResourceAccessor on one IAP
// tunnel instance.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// TunnelInstanceIAMMember is non-authoritative: other members for the
		// role are preserved.
		// google_compute_instance is not declared in this snippet.
		args := &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", args)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single member to roles/iap.tunnelResourceAccessor on one IAP
// tunnel instance, limited by a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression limits the grant to requests made before the given
		// timestamp.
		expiry := &iap.TunnelInstanceIAMMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// TunnelInstanceIAMMember is non-authoritative: other members for the
		// role are preserved.
		// google_compute_instance is not declared in this snippet.
		args := &iap.TunnelInstanceIAMMemberArgs{
			Project:   pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:      pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance:  pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", args)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}
* projects/{{project}}/zones/{{zone}}/instances/{{name}}
* {{project}}/{{zone}}/{{name}}
* {{zone}}/{{name}}
* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}}

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMBinding

func GetTunnelInstanceIAMBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMBindingState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMBinding, error)

GetTunnelInstanceIAMBinding gets an existing TunnelInstanceIAMBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMBinding

func NewTunnelInstanceIAMBinding(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMBindingArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMBinding, error)

NewTunnelInstanceIAMBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMBinding) ElementType

func (*TunnelInstanceIAMBinding) ElementType() reflect.Type

func (*TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutput

func (i *TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput

func (*TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutputWithContext

func (i *TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput

type TunnelInstanceIAMBindingArgs

// TunnelInstanceIAMBindingArgs is the set of arguments for constructing a TunnelInstanceIAMBinding resource.
//
// NOTE(review): the package docs describe iap.TunnelInstanceIAMBinding as authoritative for a given
// role, so Members is the member list for Role on this instance. Presumably members granted
// out-of-band are dropped on the next update; confirm before adopting an existing policy.
type TunnelInstanceIAMBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	Members  pulumi.StringArrayInput // identities granted Role; accepted formats are the `member/members` list under Project
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the Members field, not Project; the generated docs attach it here.
	// allUsers and allAuthenticatedUsers open the grant to anyone on the internet or to any
	// Google-authenticated identity; prefer user:, group: or serviceAccount: principals unless
	// public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// NOTE(review): undocumented upstream; presumably the zone of the instance, matching {{zone}} in the import identifiers.
	Zone pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMBinding resource.

func (TunnelInstanceIAMBindingArgs) ElementType

type TunnelInstanceIAMBindingArray

// TunnelInstanceIAMBindingArray is a slice of TunnelInstanceIAMBindingInput values.
type TunnelInstanceIAMBindingArray []TunnelInstanceIAMBindingInput

func (TunnelInstanceIAMBindingArray) ElementType

func (TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutput

func (i TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput

func (TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutputWithContext

func (i TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingArrayInput

// TunnelInstanceIAMBindingArrayInput is an input type that accepts TunnelInstanceIAMBindingArray and
// TunnelInstanceIAMBindingArrayOutput values.
type TunnelInstanceIAMBindingArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput
	ToTunnelInstanceIAMBindingArrayOutputWithContext(context.Context) TunnelInstanceIAMBindingArrayOutput
}

TunnelInstanceIAMBindingArrayInput is an input type that accepts TunnelInstanceIAMBindingArray and TunnelInstanceIAMBindingArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingArrayInput` via:

TunnelInstanceIAMBindingArray{ TunnelInstanceIAMBindingArgs{...} }

type TunnelInstanceIAMBindingArrayOutput

// TunnelInstanceIAMBindingArrayOutput is the output form of TunnelInstanceIAMBindingArray; it embeds *pulumi.OutputState.
type TunnelInstanceIAMBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingArrayOutput) ElementType

func (TunnelInstanceIAMBindingArrayOutput) Index

func (TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutput

func (o TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput

func (TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutputWithContext

func (o TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingCondition

// TunnelInstanceIAMBindingCondition holds the IAM Condition of a binding: a Common Expression
// Language expression together with its title and an optional description.
type TunnelInstanceIAMBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The expression is part of the binding's identity (see the warning on Description), so keep
	// changes to it in code rather than editing the policy out-of-band.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelInstanceIAMBindingConditionArgs

// TunnelInstanceIAMBindingConditionArgs is the input form of the IAM Condition of a binding:
// a Common Expression Language expression together with its title and an optional description.
type TunnelInstanceIAMBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The expression is part of the binding's identity (see the warning on Description), so keep
	// changes to it in code rather than editing the policy out-of-band.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelInstanceIAMBindingConditionArgs) ElementType

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutput

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutputWithContext

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutput

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionInput

// TunnelInstanceIAMBindingConditionInput is an input type that accepts
// TunnelInstanceIAMBindingConditionArgs and TunnelInstanceIAMBindingConditionOutput values.
type TunnelInstanceIAMBindingConditionInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput
	ToTunnelInstanceIAMBindingConditionOutputWithContext(context.Context) TunnelInstanceIAMBindingConditionOutput
}

TunnelInstanceIAMBindingConditionInput is an input type that accepts TunnelInstanceIAMBindingConditionArgs and TunnelInstanceIAMBindingConditionOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingConditionInput` via:

TunnelInstanceIAMBindingConditionArgs{...}

type TunnelInstanceIAMBindingConditionOutput

// TunnelInstanceIAMBindingConditionOutput is the output form of a binding condition; it embeds *pulumi.OutputState.
type TunnelInstanceIAMBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMBindingConditionOutput) ElementType

func (TunnelInstanceIAMBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutput

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutputWithContext

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutput

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionPtrInput

// TunnelInstanceIAMBindingConditionPtrInput is an input type that accepts
// TunnelInstanceIAMBindingConditionArgs, TunnelInstanceIAMBindingConditionPtr and
// TunnelInstanceIAMBindingConditionPtrOutput values; nil stands for "no condition".
type TunnelInstanceIAMBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput
	ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(context.Context) TunnelInstanceIAMBindingConditionPtrOutput
}

TunnelInstanceIAMBindingConditionPtrInput is an input type that accepts TunnelInstanceIAMBindingConditionArgs, TunnelInstanceIAMBindingConditionPtr and TunnelInstanceIAMBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingConditionPtrInput` via:

        TunnelInstanceIAMBindingConditionArgs{...}

or:

        nil

type TunnelInstanceIAMBindingConditionPtrOutput

// TunnelInstanceIAMBindingConditionPtrOutput is the output form of an optional binding condition; it embeds *pulumi.OutputState.
type TunnelInstanceIAMBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMBindingConditionPtrOutput) Elem

func (TunnelInstanceIAMBindingConditionPtrOutput) ElementType

func (TunnelInstanceIAMBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutput

func (o TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext

func (o TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingInput

// TunnelInstanceIAMBindingInput is implemented by values that can be converted to a
// TunnelInstanceIAMBindingOutput, with or without an explicit context.
type TunnelInstanceIAMBindingInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput
	ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput
}

type TunnelInstanceIAMBindingMap

// TunnelInstanceIAMBindingMap maps string keys to TunnelInstanceIAMBindingInput values.
type TunnelInstanceIAMBindingMap map[string]TunnelInstanceIAMBindingInput

func (TunnelInstanceIAMBindingMap) ElementType

func (TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutput

func (i TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput

func (TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutputWithContext

func (i TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingMapInput

// TunnelInstanceIAMBindingMapInput is an input type that accepts TunnelInstanceIAMBindingMap and
// TunnelInstanceIAMBindingMapOutput values.
type TunnelInstanceIAMBindingMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput
	ToTunnelInstanceIAMBindingMapOutputWithContext(context.Context) TunnelInstanceIAMBindingMapOutput
}

TunnelInstanceIAMBindingMapInput is an input type that accepts TunnelInstanceIAMBindingMap and TunnelInstanceIAMBindingMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingMapInput` via:

TunnelInstanceIAMBindingMap{ "key": TunnelInstanceIAMBindingArgs{...} }

type TunnelInstanceIAMBindingMapOutput

// TunnelInstanceIAMBindingMapOutput is the output form of TunnelInstanceIAMBindingMap; it embeds *pulumi.OutputState.
type TunnelInstanceIAMBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingMapOutput) ElementType

func (TunnelInstanceIAMBindingMapOutput) MapIndex

func (TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutput

func (o TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput

func (TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutputWithContext

func (o TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingOutput

// TunnelInstanceIAMBindingOutput is the output form of a TunnelInstanceIAMBinding resource; it embeds *pulumi.OutputState.
type TunnelInstanceIAMBindingOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelInstanceIAMBindingOutput) ElementType

func (TunnelInstanceIAMBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMBindingOutput) Instance added in v6.23.0

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMBindingOutput) Members added in v6.23.0

func (TunnelInstanceIAMBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutput

func (o TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutputWithContext

func (o TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingOutput) Zone added in v6.23.0

type TunnelInstanceIAMBindingState

// TunnelInstanceIAMBindingState carries the optional state properties passed to
// GetTunnelInstanceIAMBinding to qualify the lookup of an existing resource.
type TunnelInstanceIAMBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	Members  pulumi.StringArrayInput // identities granted Role; accepted formats are the `member/members` list under Project
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the Members field, not Project; the generated docs attach it here.
	// allUsers and allAuthenticatedUsers open the grant to anyone on the internet or to any
	// Google-authenticated identity; prefer user:, group: or serviceAccount: principals unless
	// public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// NOTE(review): undocumented upstream; presumably the zone of the instance, matching {{zone}} in the import identifiers.
	Zone pulumi.StringPtrInput
}

func (TunnelInstanceIAMBindingState) ElementType

type TunnelInstanceIAMMember

// TunnelInstanceIAMMember is the resource that grants a role on an Identity-Aware Proxy
// tunnel instance to a single member.
//
// Per the package docs it is non-authoritative: other members for the role on the
// tunnelinstance are preserved. It must not be combined with iap.TunnelInstanceIAMPolicy,
// and may be combined with iap.TunnelInstanceIAMBinding only for different roles.
type TunnelInstanceIAMMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	Member   pulumi.StringOutput `pulumi:"member"` // identity granted Role; accepted formats are the `member/members` list under Project
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the Member field, not Project; the generated docs attach it here.
	// allUsers and allAuthenticatedUsers open the grant to anyone on the internet or to any
	// Google-authenticated identity; prefer user:, group: or serviceAccount: principals unless
	// public access is intended.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// NOTE(review): undocumented upstream; presumably the zone of the instance, matching {{zone}} in the import identifiers.
	Zone pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached.
* `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved.
* `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in the event you do not need to create the policy:

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_tunnel\_instance\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

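// main declares the IAM policy of one Identity-Aware Proxy tunnel instance.
//
// iap.TunnelInstanceIAMPolicy is authoritative: it replaces any policy already
// attached to the instance, so every binding that must remain has to be part
// of the policy document built here.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document: one binding granting tunnel access to a single user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_compute_instance.Tunnelvm refers to an instance resource that this snippet does not declare.
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			// The generated example dereferenced this conversion (*pulumi.String(...)), which does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}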

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

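// main declares the IAM policy of one Identity-Aware Proxy tunnel instance,
// with a time-limited binding expressed as an IAM Condition.
//
// iap.TunnelInstanceIAMPolicy is authoritative: it replaces any policy already
// attached to the instance, so every binding that must remain has to be part
// of the policy document built here.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// The generated example left this composite literal untyped, which does not compile.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						// The sample expiry lies in the past, so as written this condition no longer
						// matches; pick a timestamp that fits the intended access window.
						Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_compute_instance.Tunnelvm refers to an instance resource that this snippet does not declare.
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			// The generated example dereferenced this conversion (*pulumi.String(...)), which does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}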

```

## google\_iap\_tunnel\_instance\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one tunnel instance through
// an iap.TunnelInstanceIAMBinding, which is authoritative for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Members is the member list for the role on this instance.
		// google_compute_instance.Tunnelvm refers to an instance resource that this snippet does not declare.
		args := &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", args); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one tunnel instance through
// an iap.TunnelInstanceIAMBinding that carries a time-limiting IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry lies in the past, so as written this condition no longer
		// matches; pick a timestamp that fits the intended access window.
		expiry := &iap.TunnelInstanceIAMBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_instance.Tunnelvm refers to an instance resource that this snippet does not declare.
		args := &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		if _, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", args); err != nil {
			return err
		}
		return nil
	})
}

```

## google\_iap\_tunnel\_instance\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one tunnel instance to a
// single member through the non-authoritative iap.TunnelInstanceIAMMember.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_instance.Tunnelvm refers to an instance resource that this snippet does not declare.
		args := &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		if _, err := iap.NewTunnelInstanceIAMMember(ctx, "member", args); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one tunnel instance to a
// single member through the non-authoritative iap.TunnelInstanceIAMMember,
// limited in time by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry lies in the past, so as written this condition no longer
		// matches; pick a timestamp that fits the intended access window.
		expiry := &iap.TunnelInstanceIAMMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_instance.Tunnelvm refers to an instance resource that this snippet does not declare.
		args := &iap.TunnelInstanceIAMMemberArgs{
			Project:   pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:      pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance:  pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		if _, err := iap.NewTunnelInstanceIAMMember(ctx, "member", args); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}
* projects/{{project}}/zones/{{zone}}/instances/{{name}}
* {{project}}/{{zone}}/{{name}}
* {{zone}}/{{name}}
* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}}

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMMember

func GetTunnelInstanceIAMMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMMemberState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMMember, error)

GetTunnelInstanceIAMMember gets an existing TunnelInstanceIAMMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMMember

func NewTunnelInstanceIAMMember(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMMemberArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMMember, error)

NewTunnelInstanceIAMMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMMember) ElementType

func (*TunnelInstanceIAMMember) ElementType() reflect.Type

func (*TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutput

func (i *TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput

func (*TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutputWithContext

func (i *TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput

type TunnelInstanceIAMMemberArgs

// TunnelInstanceIAMMemberArgs is the set of arguments for constructing a
// TunnelInstanceIAMMember resource.
type TunnelInstanceIAMMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Its title, description and expression are the fields of
	// TunnelInstanceIAMMemberConditionArgs.
	Condition TunnelInstanceIAMMemberConditionPtrInput
	// Used to find the parent resource to bind the IAM policy to.
	Instance pulumi.StringInput
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): by the definitions above, allUsers and allAuthenticatedUsers
	// extend the role to anyone on the internet or to any Google-authenticated
	// identity; prefer a specific user, group or serviceAccount member.
	Member   pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// NOTE(review): undocumented here; presumably the zone of the instance, as in
	// the zones/{{zone}} segment of the import identifiers — confirm.
	Zone pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMMember resource.

func (TunnelInstanceIAMMemberArgs) ElementType

type TunnelInstanceIAMMemberArray

type TunnelInstanceIAMMemberArray []TunnelInstanceIAMMemberInput

func (TunnelInstanceIAMMemberArray) ElementType

func (TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutput

func (i TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput

func (TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutputWithContext

func (i TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberArrayInput

type TunnelInstanceIAMMemberArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput
	ToTunnelInstanceIAMMemberArrayOutputWithContext(context.Context) TunnelInstanceIAMMemberArrayOutput
}

TunnelInstanceIAMMemberArrayInput is an input type that accepts TunnelInstanceIAMMemberArray and TunnelInstanceIAMMemberArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberArrayInput` via:

TunnelInstanceIAMMemberArray{ TunnelInstanceIAMMemberArgs{...} }

type TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberArrayOutput) ElementType

func (TunnelInstanceIAMMemberArrayOutput) Index

func (TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutput

func (o TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput

func (TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutputWithContext

func (o TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberCondition

// TunnelInstanceIAMMemberCondition holds the parts of an IAM Condition on a
// member binding: a title, an optional description and an expression.
type TunnelInstanceIAMMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning covers Title and Expression as well as
	// Description, since all three are part of the binding's identifier.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a time bound of the form
	// `request.time < timestamp("...")`.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelInstanceIAMMemberConditionArgs

// TunnelInstanceIAMMemberConditionArgs is the input form of an IAM Condition on
// a member binding: a title, an optional description and an expression.
type TunnelInstanceIAMMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning covers Title and Expression as well as
	// Description, since all three are part of the binding's identifier.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a time bound of the form
	// `request.time < timestamp("...")`.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelInstanceIAMMemberConditionArgs) ElementType

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutput

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutputWithContext

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutput

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionInput

type TunnelInstanceIAMMemberConditionInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput
	ToTunnelInstanceIAMMemberConditionOutputWithContext(context.Context) TunnelInstanceIAMMemberConditionOutput
}

TunnelInstanceIAMMemberConditionInput is an input type that accepts TunnelInstanceIAMMemberConditionArgs and TunnelInstanceIAMMemberConditionOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberConditionInput` via:

TunnelInstanceIAMMemberConditionArgs{...}

type TunnelInstanceIAMMemberConditionOutput

type TunnelInstanceIAMMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMMemberConditionOutput) ElementType

func (TunnelInstanceIAMMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutput

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutputWithContext

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutput

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionPtrInput

type TunnelInstanceIAMMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput
	ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(context.Context) TunnelInstanceIAMMemberConditionPtrOutput
}

TunnelInstanceIAMMemberConditionPtrInput is an input type that accepts TunnelInstanceIAMMemberConditionArgs, TunnelInstanceIAMMemberConditionPtr and TunnelInstanceIAMMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberConditionPtrInput` via:

        TunnelInstanceIAMMemberConditionArgs{...}

or:

        nil

type TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMMemberConditionPtrOutput) Elem

func (TunnelInstanceIAMMemberConditionPtrOutput) ElementType

func (TunnelInstanceIAMMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutput

func (o TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext

func (o TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberInput

type TunnelInstanceIAMMemberInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput
	ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput
}

type TunnelInstanceIAMMemberMap

type TunnelInstanceIAMMemberMap map[string]TunnelInstanceIAMMemberInput

func (TunnelInstanceIAMMemberMap) ElementType

func (TunnelInstanceIAMMemberMap) ElementType() reflect.Type

func (TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutput

func (i TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput

func (TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutputWithContext

func (i TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberMapInput

type TunnelInstanceIAMMemberMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput
	ToTunnelInstanceIAMMemberMapOutputWithContext(context.Context) TunnelInstanceIAMMemberMapOutput
}

TunnelInstanceIAMMemberMapInput is an input type that accepts TunnelInstanceIAMMemberMap and TunnelInstanceIAMMemberMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberMapInput` via:

TunnelInstanceIAMMemberMap{ "key": TunnelInstanceIAMMemberArgs{...} }

type TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberMapOutput) ElementType

func (TunnelInstanceIAMMemberMapOutput) MapIndex

func (TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutput

func (o TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput

func (TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutputWithContext

func (o TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberOutput

type TunnelInstanceIAMMemberOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelInstanceIAMMemberOutput) ElementType

func (TunnelInstanceIAMMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMMemberOutput) Instance added in v6.23.0

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMMemberOutput) Member added in v6.23.0

func (TunnelInstanceIAMMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. (This list describes the member argument, not the project.) Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutput

func (o TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutputWithContext

func (o TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberOutput) Zone added in v6.23.0

type TunnelInstanceIAMMemberState

// TunnelInstanceIAMMemberState carries the optional state properties that
// GetTunnelInstanceIAMMember accepts to qualify a lookup of an existing
// TunnelInstanceIAMMember resource.
type TunnelInstanceIAMMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Its title, description and expression are the fields of
	// TunnelInstanceIAMMemberConditionArgs.
	Condition TunnelInstanceIAMMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to.
	Instance pulumi.StringPtrInput
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): by the definitions above, allUsers and allAuthenticatedUsers
	// extend the role to anyone on the internet or to any Google-authenticated
	// identity; prefer a specific user, group or serviceAccount member.
	Member   pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// NOTE(review): undocumented here; presumably the zone of the instance, as in
	// the zones/{{zone}} segment of the import identifiers — confirm.
	Zone pulumi.StringPtrInput
}

func (TunnelInstanceIAMMemberState) ElementType

type TunnelInstanceIAMPolicy

// TunnelInstanceIAMPolicy is the authoritative IAM resource for an
// Identity-Aware Proxy tunnel instance: it sets the instance's IAM policy and
// replaces any existing policy already attached.
type TunnelInstanceIAMPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to.
	Instance pulumi.StringOutput `pulumi:"instance"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	// Because the resource replaces the attached policy, every binding that
	// should remain in force has to be present in this document.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes `member/members` identities, not
	// the project; this struct has no such field, so it presumably applies to
	// the bindings carried in PolicyData — confirm.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// NOTE(review): undocumented here; presumably the zone of the instance, as in
	// the zones/{{zone}} segment of the import identifiers — confirm.
	Zone    pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached.
* `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved.
* `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create anything:

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_tunnel\_instance\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

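// main declares an authoritative IAM policy for an IAP tunnel instance.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document: a single binding that grants the tunnel
		// accessor role to one named user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelInstanceIAMPolicy replaces any policy already attached to the
		// instance, so every binding that should remain must be in PolicyData,
		// and the resource must not be combined with TunnelInstanceIAMBinding or
		// TunnelInstanceIAMMember.
		// google_compute_instance.Tunnelvm is not declared in this example; it
		// stands for a compute instance defined elsewhere in the program.
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			// pulumi.String(...) is a conversion to a non-pointer type, so it is
			// passed as is; the printed `*pulumi.String(...)` does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}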

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

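// main declares an authoritative IAM policy for an IAP tunnel instance whose
// single binding carries a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// NOTE(review): Go does not allow the type name to be omitted
					// for a struct field value, so this literal will not compile as
					// printed; presumably it should name the organizations
					// package's binding-condition type — confirm against that package.
					//
					// The sample expiry instant is already in the past, so as
					// written the condition never matches; use a future timestamp
					// for a binding that should actually grant access.
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// TunnelInstanceIAMPolicy replaces any policy already attached to the
		// instance, so every binding that should remain must be in PolicyData.
		// google_compute_instance.Tunnelvm is not declared in this example; it
		// stands for a compute instance defined elsewhere in the program.
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			// pulumi.String(...) is a conversion to a non-pointer type, so it is
			// passed as is; the printed `*pulumi.String(...)` does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}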

```

## google\_iap\_tunnel\_instance\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one tunnel instance to the
// listed members through a binding that is authoritative for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_instance.Tunnelvm is not declared in this example; it
		// stands for a compute instance defined elsewhere in the program.
		bindingArgs := &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			// The binding owns the full member list for this role on the instance.
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.tunnelResourceAccessor on one tunnel instance to the
// listed members, limited by a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry instant is already in the past, so as written the
		// condition never matches; use a future timestamp for a real binding.
		expiry := &iap.TunnelInstanceIAMBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_instance.Tunnelvm is not declared in this example; it
		// stands for a compute instance defined elsewhere in the program.
		bindingArgs := &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_tunnel\_instance\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.tunnelResourceAccessor on a tunnel
// instance without touching the role's other members (non-authoritative).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_instance.Tunnelvm is not declared in this example; it
		// stands for a compute instance defined elsewhere in the program.
		memberArgs := &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:     pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance: pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			// A single, specific identity rather than allUsers or
			// allAuthenticatedUsers.
			Member: pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.tunnelResourceAccessor on a tunnel
// instance, limited by a time-bound IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry instant is already in the past, so as written the
		// condition never matches; use a future timestamp for a real grant.
		expiry := &iap.TunnelInstanceIAMMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_instance.Tunnelvm is not declared in this example; it
		// stands for a compute instance defined elsewhere in the program.
		memberArgs := &iap.TunnelInstanceIAMMemberArgs{
			Project:   pulumi.Any(google_compute_instance.Tunnelvm.Project),
			Zone:      pulumi.Any(google_compute_instance.Tunnelvm.Zone),
			Instance:  pulumi.Any(google_compute_instance.Tunnelvm.Name),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}
* projects/{{project}}/zones/{{zone}}/instances/{{name}}
* {{project}}/{{zone}}/{{name}}
* {{zone}}/{{name}}
* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}}

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMPolicy

func GetTunnelInstanceIAMPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMPolicyState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMPolicy, error)

GetTunnelInstanceIAMPolicy gets an existing TunnelInstanceIAMPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMPolicy

func NewTunnelInstanceIAMPolicy(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMPolicy, error)

NewTunnelInstanceIAMPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMPolicy) ElementType

func (*TunnelInstanceIAMPolicy) ElementType() reflect.Type

func (*TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutput

func (i *TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput

func (*TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutputWithContext

func (i *TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput

type TunnelInstanceIAMPolicyArgs

// TunnelInstanceIAMPolicyArgs is the set of arguments for constructing a
// TunnelInstanceIAMPolicy resource, which sets the IAM policy for the tunnel
// instance and replaces any existing policy already attached.
type TunnelInstanceIAMPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to.
	Instance pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	// Because the resource replaces the attached policy, every binding that
	// should remain in force has to be present in this document.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes `member/members` identities, not
	// the project; this struct has no such field, so it presumably applies to
	// the bindings carried in PolicyData — confirm.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// NOTE(review): undocumented here; presumably the zone of the instance, as in
	// the zones/{{zone}} segment of the import identifiers — confirm.
	Zone    pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMPolicy resource.

func (TunnelInstanceIAMPolicyArgs) ElementType

type TunnelInstanceIAMPolicyArray

type TunnelInstanceIAMPolicyArray []TunnelInstanceIAMPolicyInput

func (TunnelInstanceIAMPolicyArray) ElementType

func (TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutput

func (i TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput

func (TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutputWithContext

func (i TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyArrayInput

type TunnelInstanceIAMPolicyArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput
	ToTunnelInstanceIAMPolicyArrayOutputWithContext(context.Context) TunnelInstanceIAMPolicyArrayOutput
}

TunnelInstanceIAMPolicyArrayInput is an input type that accepts TunnelInstanceIAMPolicyArray and TunnelInstanceIAMPolicyArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMPolicyArrayInput` via:

TunnelInstanceIAMPolicyArray{ TunnelInstanceIAMPolicyArgs{...} }

type TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyArrayOutput) ElementType

func (TunnelInstanceIAMPolicyArrayOutput) Index

func (TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutput

func (o TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput

func (TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutputWithContext

func (o TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyInput

// TunnelInstanceIAMPolicyInput is the input interface for values that can be
// converted to a TunnelInstanceIAMPolicyOutput. It embeds pulumi.Input and
// requires the two conversion methods below; on this page
// TunnelInstanceIAMPolicyOutput declares both of them. It is the element type
// of TunnelInstanceIAMPolicyArray and TunnelInstanceIAMPolicyMap.
type TunnelInstanceIAMPolicyInput interface {
	pulumi.Input

	// ToTunnelInstanceIAMPolicyOutput returns the value as a TunnelInstanceIAMPolicyOutput.
	ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput
	// ToTunnelInstanceIAMPolicyOutputWithContext is the same conversion, taking a context.Context.
	ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput
}

type TunnelInstanceIAMPolicyMap

type TunnelInstanceIAMPolicyMap map[string]TunnelInstanceIAMPolicyInput

func (TunnelInstanceIAMPolicyMap) ElementType

func (TunnelInstanceIAMPolicyMap) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutput

func (i TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput

func (TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutputWithContext

func (i TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyMapInput

type TunnelInstanceIAMPolicyMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput
	ToTunnelInstanceIAMPolicyMapOutputWithContext(context.Context) TunnelInstanceIAMPolicyMapOutput
}

TunnelInstanceIAMPolicyMapInput is an input type that accepts TunnelInstanceIAMPolicyMap and TunnelInstanceIAMPolicyMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMPolicyMapInput` via:

TunnelInstanceIAMPolicyMap{ "key": TunnelInstanceIAMPolicyArgs{...} }

type TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyMapOutput) ElementType

func (TunnelInstanceIAMPolicyMapOutput) MapIndex

func (TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutput

func (o TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput

func (TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutputWithContext

func (o TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyOutput

type TunnelInstanceIAMPolicyOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyOutput) ElementType

func (TunnelInstanceIAMPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMPolicyOutput) Instance added in v6.23.0

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMPolicyOutput) PolicyData added in v6.23.0

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelInstanceIAMPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutput

func (o TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutputWithContext

func (o TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyOutput) Zone added in v6.23.0

type TunnelInstanceIAMPolicyState

// TunnelInstanceIAMPolicyState holds the state properties of a
// TunnelInstanceIAMPolicy. Every field is a pointer-style input, so each one
// may be left unset.
//
// NOTE(review): Zone carries no description on this page; presumably it is the
// zone of the tunnel instance named by Instance — confirm against the provider
// documentation.
type TunnelInstanceIAMPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents `member/members` values, not
	// Project. This struct declares no member or role field, so the list
	// presumably describes the identities inside the bindings that PolicyData
	// carries — confirm against the provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not limited to
	// your organization; a policy that names either one opens the resource to
	// everyone the descriptions above cover. Prefer specific `user:`, `group:`
	// or `serviceAccount:` identities.
	Project pulumi.StringPtrInput
	Zone    pulumi.StringPtrInput
}

func (TunnelInstanceIAMPolicyState) ElementType

type WebBackendServiceIamBinding

// WebBackendServiceIamBinding is the resource that grants one role to a list
// of members on an Identity-Aware Proxy web backend service. It is
// authoritative for that role: other roles in the policy are preserved.
type WebBackendServiceIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents the values accepted by the
	// Members field above (`member/members`), not Project; it appears under
	// Project only because of how the upstream text was merged.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not limited to
	// your organization. Listing either one in Members grants Role to everyone
	// the descriptions above cover, which for an access role on an IAP
	// resource amounts to opening it beyond your own users. Prefer specific
	// `user:`, `group:` or `serviceAccount:` identities.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached.
* `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved.
* `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_backend\_service\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

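// main is the example program for iap.WebBackendServiceIamPolicy. It builds
// policy data that grants roles/iap.httpsResourceAccessor to one user and
// applies it to an IAP web backend service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the bindings into a policy document.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebBackendServiceIamPolicy is authoritative: it replaces any policy
		// already attached to the backend service, so every binding that must
		// survive has to be listed in the policy data above.
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			// google_compute_backend_service.Default is not declared in this
			// example; it stands for a backend service defined elsewhere in
			// the program.
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			// pulumi.String converts the string; the original `*pulumi.String(...)`
			// dereferenced a non-pointer value and did not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}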

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

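// main is the example program for iap.WebBackendServiceIamPolicy with an IAM
// Condition. It builds policy data that grants roles/iap.httpsResourceAccessor
// to one user until a fixed time and applies it to an IAP web backend service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the bindings into a policy document.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// The literal needs an explicit type; the original bare
					// `Condition: {` did not compile.
					//
					// The expiry below (2020-01-01T00:00:00Z) is in the past,
					// so as written the condition no longer evaluates to true.
					// Use a future timestamp for a real time-boxed grant.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebBackendServiceIamPolicy is authoritative: it replaces any policy
		// already attached to the backend service, so every binding that must
		// survive has to be listed in the policy data above.
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			// google_compute_backend_service.Default is not declared in this
			// example; it stands for a backend service defined elsewhere in
			// the program.
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			// pulumi.String converts the string; the original `*pulumi.String(...)`
			// dereferenced a non-pointer value and did not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}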

```

## google\_iap\_web\_backend\_service\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main is the example program for iap.WebBackendServiceIamBinding. It grants
// roles/iap.httpsResourceAccessor on an IAP web backend service to the listed
// members. The binding is authoritative for that role only.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_backend_service.Default is not declared in this
		// example; it stands for a backend service defined elsewhere in the
		// program.
		bindingArgs := &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			// Members is the complete member list for this role.
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main is the example program for iap.WebBackendServiceIamBinding with an IAM
// Condition. It grants roles/iap.httpsResourceAccessor on an IAP web backend
// service to the listed members until a fixed time.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expiry in Expression (2020-01-01T00:00:00Z) is in the past, so as
		// written the condition no longer evaluates to true. Use a future
		// timestamp for a real time-boxed grant.
		expiry := &iap.WebBackendServiceIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_backend_service.Default is not declared in this
		// example; it stands for a backend service defined elsewhere in the
		// program.
		bindingArgs := &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_backend\_service\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main is the example program for iap.WebBackendServiceIamMember. It grants
// roles/iap.httpsResourceAccessor on an IAP web backend service to one member.
// The resource is non-authoritative: other members of the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_backend_service.Default is not declared in this
		// example; it stands for a backend service defined elsewhere in the
		// program.
		memberArgs := &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main is the example program for iap.WebBackendServiceIamMember with an IAM
// Condition. It grants roles/iap.httpsResourceAccessor on an IAP web backend
// service to one member until a fixed time.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expiry in Expression (2020-01-01T00:00:00Z) is in the past, so as
		// written the condition no longer evaluates to true. Use a future
		// timestamp for a real time-boxed grant.
		expiry := &iap.WebBackendServiceIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_backend_service.Default is not declared in this
		// example; it stands for a backend service defined elsewhere in the
		// program.
		memberArgs := &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition:         expiry,
		}
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}
* {{project}}/{{name}}
* {{name}}

Any variables not passed in the import command will be taken from the provider configuration. Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member. IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}}

```

-> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamBinding

func GetWebBackendServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamBindingState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamBinding, error)

GetWebBackendServiceIamBinding gets an existing WebBackendServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamBinding

func NewWebBackendServiceIamBinding(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamBinding, error)

NewWebBackendServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamBinding) ElementType

func (*WebBackendServiceIamBinding) ElementType() reflect.Type

func (*WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutput

func (i *WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput

func (*WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutputWithContext

func (i *WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput

type WebBackendServiceIamBindingArgs

// WebBackendServiceIamBindingArgs is the set of arguments for constructing a
// WebBackendServiceIamBinding resource. The binding is authoritative for Role:
// Members is the full member list for that role, while other roles in the
// policy are preserved.
type WebBackendServiceIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrInput
	Members   pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents the values accepted by the
	// Members field above (`member/members`), not Project; it appears under
	// Project only because of how the upstream text was merged.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not limited to
	// your organization. Listing either one in Members grants Role to everyone
	// the descriptions above cover, which for an access role on an IAP
	// resource amounts to opening it beyond your own users. Prefer specific
	// `user:`, `group:` or `serviceAccount:` identities.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamBinding resource.

func (WebBackendServiceIamBindingArgs) ElementType

type WebBackendServiceIamBindingArray

type WebBackendServiceIamBindingArray []WebBackendServiceIamBindingInput

func (WebBackendServiceIamBindingArray) ElementType

func (WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutput

func (i WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput

func (WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutputWithContext

func (i WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingArrayInput

type WebBackendServiceIamBindingArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput
	ToWebBackendServiceIamBindingArrayOutputWithContext(context.Context) WebBackendServiceIamBindingArrayOutput
}

WebBackendServiceIamBindingArrayInput is an input type that accepts WebBackendServiceIamBindingArray and WebBackendServiceIamBindingArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingArrayInput` via:

WebBackendServiceIamBindingArray{ WebBackendServiceIamBindingArgs{...} }

type WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingArrayOutput) ElementType

func (WebBackendServiceIamBindingArrayOutput) Index

func (WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutput

func (o WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput

func (WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutputWithContext

func (o WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingCondition

// WebBackendServiceIamBindingCondition is the plain-value form of the IAM
// Condition attached to a WebBackendServiceIamBinding: a required title and
// expression plus an optional description.
type WebBackendServiceIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning applies to the condition as a whole, not to
	// Description alone. After any manual IAM change, check the preview for
	// drift, since the provider may then be tracking a binding that no longer
	// matches the one in effect.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebBackendServiceIamBindingConditionArgs

// WebBackendServiceIamBindingConditionArgs is the input form of the IAM
// Condition attached to a WebBackendServiceIamBinding: a required title and
// expression plus an optional description.
type WebBackendServiceIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning applies to the condition as a whole, not to
	// Description alone. After any manual IAM change, check the preview for
	// drift, since the provider may then be tracking a binding that no longer
	// matches the one in effect.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebBackendServiceIamBindingConditionArgs) ElementType

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutput

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutputWithContext

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutput

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutputWithContext

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionInput

type WebBackendServiceIamBindingConditionInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput
	ToWebBackendServiceIamBindingConditionOutputWithContext(context.Context) WebBackendServiceIamBindingConditionOutput
}

WebBackendServiceIamBindingConditionInput is an input type that accepts WebBackendServiceIamBindingConditionArgs and WebBackendServiceIamBindingConditionOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingConditionInput` via:

WebBackendServiceIamBindingConditionArgs{...}

type WebBackendServiceIamBindingConditionOutput

type WebBackendServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamBindingConditionOutput) ElementType

func (WebBackendServiceIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutput

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutputWithContext

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutput

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionPtrInput

type WebBackendServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput
	ToWebBackendServiceIamBindingConditionPtrOutputWithContext(context.Context) WebBackendServiceIamBindingConditionPtrOutput
}

WebBackendServiceIamBindingConditionPtrInput is an input type that accepts WebBackendServiceIamBindingConditionArgs, WebBackendServiceIamBindingConditionPtr and WebBackendServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingConditionPtrInput` via:

        WebBackendServiceIamBindingConditionArgs{...}

or:

        nil

type WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamBindingConditionPtrOutput) Elem

func (WebBackendServiceIamBindingConditionPtrOutput) ElementType

func (WebBackendServiceIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutput

func (o WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext

func (o WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingInput

type WebBackendServiceIamBindingInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput
	ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput
}

type WebBackendServiceIamBindingMap

type WebBackendServiceIamBindingMap map[string]WebBackendServiceIamBindingInput

func (WebBackendServiceIamBindingMap) ElementType

func (WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutput

func (i WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput

func (WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutputWithContext

func (i WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingMapInput

type WebBackendServiceIamBindingMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput
	ToWebBackendServiceIamBindingMapOutputWithContext(context.Context) WebBackendServiceIamBindingMapOutput
}

WebBackendServiceIamBindingMapInput is an input type that accepts WebBackendServiceIamBindingMap and WebBackendServiceIamBindingMapOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingMapInput` via:

WebBackendServiceIamBindingMap{ "key": WebBackendServiceIamBindingArgs{...} }

type WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingMapOutput) ElementType

func (WebBackendServiceIamBindingMapOutput) MapIndex

func (WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutput

func (o WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput

func (WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutputWithContext

func (o WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingOutput

type WebBackendServiceIamBindingOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebBackendServiceIamBindingOutput) ElementType

func (WebBackendServiceIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamBindingOutput) Members added in v6.23.0

func (WebBackendServiceIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutput

func (o WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutputWithContext

func (o WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingOutput) WebBackendService added in v6.23.0

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamBindingState

// WebBackendServiceIamBindingState lists the properties of an
// iap.WebBackendServiceIamBinding as optional inputs.
// NOTE(review): presumably the lookup state accepted by the matching Get function; confirm.
type WebBackendServiceIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not limited to your
	// organization. Review any grant of an access role such as
	// roles/iap.httpsResourceAccessor to either identifier before applying it.
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamBindingState) ElementType

type WebBackendServiceIamMember

// WebBackendServiceIamMember is the resource that grants one role to one
// member on an Identity-Aware Proxy web backend service. The grant is
// non-authoritative: other members of the same role are preserved.
type WebBackendServiceIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	// Identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not limited to your
	// organization. Review any grant of an access role such as
	// roles/iap.httpsResourceAccessor to either identifier before applying it.
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached.
* `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved.
* `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data when you do not need to create a policy:

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_backend\_service\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

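// main sets the authoritative IAP IAM policy of a backend service from a
// policy document built with organizations.LookupIAMPolicy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Describe the desired bindings; the lookup result carries them as policy data.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebBackendServiceIamPolicy is authoritative: it replaces any policy
		// already attached to the backend service, so the bindings above should
		// be the complete intended set.
		// google_compute_backend_service.Default is not declared in this example;
		// presumably it stands for a backend service resource defined elsewhere.
		// pulumi.String(...) is a conversion that yields a value, so it is passed
		// as-is; it cannot be dereferenced with a leading `*`.
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		return err
	})
}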

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

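// main sets the authoritative IAP IAM policy of a backend service; the single
// binding in the policy is restricted by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs the composite literal's type spelled out;
					// a bare `Condition: {` does not compile.
					// NOTE(review): assumes the field is a pointer to
					// organizations.GetIAMPolicyBindingCondition; confirm against
					// the SDK version in use.
					// The expression holds only while request.time is earlier than
					// the timestamp, which makes the grant time-limited. The sample
					// date is in the past; substitute the intended expiry.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebBackendServiceIamPolicy is authoritative: it replaces any policy
		// already attached to the backend service.
		// google_compute_backend_service.Default is not declared in this example;
		// presumably it stands for a backend service resource defined elsewhere.
		// pulumi.String(...) is a conversion that yields a value, so it is passed
		// as-is; it cannot be dereferenced with a leading `*`.
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		return err
	})
}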

```

## google\_iap\_web\_backend\_service\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on a backend service to a list
// of members through an IAM binding, which is authoritative for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_backend_service.Default is not declared in this example;
		// presumably it stands for a backend service resource defined elsewhere.
		bindingArgs := &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		// Only the registration error is needed; the resource handle is discarded.
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on a backend service through an
// IAM binding that is restricted by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression holds only while request.time is earlier than the
		// timestamp, which makes the grant time-limited. Title, description and
		// expression are part of the binding's identity for the provider.
		expiry := &iap.WebBackendServiceIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_backend_service.Default is not declared in this example;
		// presumably it stands for a backend service resource defined elsewhere.
		bindingArgs := &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_backend\_service\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on a backend service to a single
// member; the grant is non-authoritative, so other members of the role are
// preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_backend_service.Default is not declared in this example;
		// presumably it stands for a backend service resource defined elsewhere.
		memberArgs := &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		}
		// Only the registration error is needed; the resource handle is discarded.
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on a backend service to a single
// member, restricted by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The expression holds only while request.time is earlier than the
		// timestamp, which makes the grant time-limited. Title, description and
		// expression are part of the binding's identity for the provider.
		expiry := &iap.WebBackendServiceIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_backend_service.Default is not declared in this example;
		// presumably it stands for a backend service resource defined elsewhere.
		memberArgs := &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition:         expiry,
		}
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}
* {{project}}/{{name}}
* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}}

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamMember

func GetWebBackendServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamMemberState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamMember, error)

GetWebBackendServiceIamMember gets an existing WebBackendServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamMember

func NewWebBackendServiceIamMember(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamMember, error)

NewWebBackendServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamMember) ElementType

func (*WebBackendServiceIamMember) ElementType() reflect.Type

func (*WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutput

func (i *WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput

func (*WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutputWithContext

func (i *WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput

type WebBackendServiceIamMemberArgs

// WebBackendServiceIamMemberArgs is the set of arguments for constructing a
// WebBackendServiceIamMember resource.
type WebBackendServiceIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrInput
	// Identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not limited to your
	// organization. Review any grant of an access role such as
	// roles/iap.httpsResourceAccessor to either identifier before applying it.
	Member    pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamMember resource.

func (WebBackendServiceIamMemberArgs) ElementType

type WebBackendServiceIamMemberArray

type WebBackendServiceIamMemberArray []WebBackendServiceIamMemberInput

func (WebBackendServiceIamMemberArray) ElementType

func (WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutput

func (i WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput

func (WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutputWithContext

func (i WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberArrayInput

type WebBackendServiceIamMemberArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput
	ToWebBackendServiceIamMemberArrayOutputWithContext(context.Context) WebBackendServiceIamMemberArrayOutput
}

WebBackendServiceIamMemberArrayInput is an input type that accepts WebBackendServiceIamMemberArray and WebBackendServiceIamMemberArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberArrayInput` via:

WebBackendServiceIamMemberArray{ WebBackendServiceIamMemberArgs{...} }

type WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberArrayOutput) ElementType

func (WebBackendServiceIamMemberArrayOutput) Index

func (WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutput

func (o WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput

func (WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutputWithContext

func (o WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberCondition

// WebBackendServiceIamMemberCondition is the plain-value form of the IAM
// Condition attached to a member grant: an expression, a title, and an
// optional description.
type WebBackendServiceIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a time bound of the form
	// `request.time < timestamp("...")`.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebBackendServiceIamMemberConditionArgs

// WebBackendServiceIamMemberConditionArgs is the input form of the IAM
// Condition attached to a member grant: an expression, a title, and an
// optional description, each supplied as a pulumi input.
type WebBackendServiceIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a time bound of the form
	// `request.time < timestamp("...")`.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebBackendServiceIamMemberConditionArgs) ElementType

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutput

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutputWithContext

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutput

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutputWithContext

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionInput

type WebBackendServiceIamMemberConditionInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput
	ToWebBackendServiceIamMemberConditionOutputWithContext(context.Context) WebBackendServiceIamMemberConditionOutput
}

WebBackendServiceIamMemberConditionInput is an input type that accepts WebBackendServiceIamMemberConditionArgs and WebBackendServiceIamMemberConditionOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberConditionInput` via:

WebBackendServiceIamMemberConditionArgs{...}

type WebBackendServiceIamMemberConditionOutput

type WebBackendServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamMemberConditionOutput) ElementType

func (WebBackendServiceIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutput

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutputWithContext

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutput

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionPtrInput

type WebBackendServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput
	ToWebBackendServiceIamMemberConditionPtrOutputWithContext(context.Context) WebBackendServiceIamMemberConditionPtrOutput
}

WebBackendServiceIamMemberConditionPtrInput is an input type that accepts WebBackendServiceIamMemberConditionArgs, WebBackendServiceIamMemberConditionPtr and WebBackendServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberConditionPtrInput` via:

        WebBackendServiceIamMemberConditionArgs{...}

or:

        nil

type WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamMemberConditionPtrOutput) Elem

func (WebBackendServiceIamMemberConditionPtrOutput) ElementType

func (WebBackendServiceIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutput

func (o WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext

func (o WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberInput

// WebBackendServiceIamMemberInput is implemented by values that can be
// converted to a WebBackendServiceIamMemberOutput.
type WebBackendServiceIamMemberInput interface {
	pulumi.Input

	// ToWebBackendServiceIamMemberOutput returns the value as a
	// WebBackendServiceIamMemberOutput.
	ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput
	// ToWebBackendServiceIamMemberOutputWithContext is the same conversion,
	// taking a context.Context.
	ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput
}

type WebBackendServiceIamMemberMap

type WebBackendServiceIamMemberMap map[string]WebBackendServiceIamMemberInput

func (WebBackendServiceIamMemberMap) ElementType

func (WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutput

func (i WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput

func (WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutputWithContext

func (i WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberMapInput

type WebBackendServiceIamMemberMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput
	ToWebBackendServiceIamMemberMapOutputWithContext(context.Context) WebBackendServiceIamMemberMapOutput
}

WebBackendServiceIamMemberMapInput is an input type that accepts WebBackendServiceIamMemberMap and WebBackendServiceIamMemberMapOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberMapInput` via:

WebBackendServiceIamMemberMap{ "key": WebBackendServiceIamMemberArgs{...} }

type WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberMapOutput) ElementType

func (WebBackendServiceIamMemberMapOutput) MapIndex

func (WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutput

func (o WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput

func (WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutputWithContext

func (o WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberOutput

type WebBackendServiceIamMemberOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebBackendServiceIamMemberOutput) ElementType

func (WebBackendServiceIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamMemberOutput) Member added in v6.23.0

func (WebBackendServiceIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

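  • `member/members` - (Required) Identities that will be granted the privilege in `role`. This entry and the values listed under it describe the `member`/`members` argument, not `project`. Note that `allUsers` and `allAuthenticatedUsers` are not limited to identities in your own organization. Each entry can have one of the following values: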
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutput

func (o WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutputWithContext

func (o WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberOutput) WebBackendService added in v6.23.0

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamMemberState

// WebBackendServiceIamMemberState lists the properties of a
// WebBackendServiceIamMember as optional inputs; every field is a
// pointer-style input, so any of them may be left unset.
type WebBackendServiceIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below documents the values accepted by Member
	// (`member/members`), not by Project; it appears to have been attached to
	// this field by the documentation generator.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	//   NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	//   your organization; granting an IAP role to either presumably removes the
	//   identity restriction on the backend service. Prefer user, group or
	//   serviceAccount members and audit existing policies for these two values.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamMemberState) ElementType

type WebBackendServiceIamPolicy

// WebBackendServiceIamPolicy is the authoritative IAM policy resource for an
// Identity-Aware Proxy WebBackendService: it sets the IAM policy and replaces
// any existing policy already attached.
type WebBackendServiceIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes member identities, not Project.
	// This struct has no member field; in the usage example the members are
	// set in the bindings that produce PolicyData.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	//   NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	//   your organization; a policy that grants an IAP role to either presumably
	//   removes the identity restriction on the backend service, so review
	//   PolicyData for these two values before applying it.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached.
* `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved.
* `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create a policy:

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_backend\_service\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

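// main attaches an authoritative IAM policy to an IAP web backend service.
//
// The policy document is produced by the organizations.LookupIAMPolicy data
// source and passed to iap.NewWebBackendServiceIamPolicy, which sets the
// policy and replaces any policy already attached to the backend service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document: a single binding for a single user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_compute_backend_service.Default is not declared in this
		// example; it presumably stands for a backend service defined elsewhere
		// in the program.
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			// pulumi.String(...) is a conversion that yields a value, not a
			// pointer, so it is passed as-is rather than dereferenced.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}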

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

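// main attaches an authoritative IAM policy with a time-bound condition to an
// IAP web backend service.
//
// The policy document is produced by the organizations.LookupIAMPolicy data
// source and passed to iap.NewWebBackendServiceIamPolicy, which sets the
// policy and replaces any policy already attached to the backend service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type; Go
					// only lets the type be elided for slice, array and map
					// elements.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						// The binding applies only to requests made before this timestamp.
						Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_compute_backend_service.Default is not declared in this
		// example; it presumably stands for a backend service defined elsewhere
		// in the program.
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			// pulumi.String(...) is a conversion that yields a value, not a
			// pointer, so it is passed as-is rather than dereferenced.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}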

```

## google\_iap\_web\_backend\_service\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants a role on an IAP web backend service to a list of members using
// iap.NewWebBackendServiceIamBinding, which is authoritative for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_backend_service.Default is not declared in this
		// example; it presumably stands for a backend service defined elsewhere
		// in the program.
		bindingArgs := &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants a role on an IAP web backend service to a list of members with a
// time-bound IAM Condition, using iap.NewWebBackendServiceIamBinding, which is
// authoritative for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The binding applies only to requests made before the timestamp in
		// the expression.
		expiry := &iap.WebBackendServiceIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_backend_service.Default is not declared in this
		// example; it presumably stands for a backend service defined elsewhere
		// in the program.
		bindingArgs := &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_backend\_service\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants a role on an IAP web backend service to one additional member
// using iap.NewWebBackendServiceIamMember, which is non-authoritative: other
// members for the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_compute_backend_service.Default is not declared in this
		// example; it presumably stands for a backend service defined elsewhere
		// in the program.
		memberArgs := &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants a role on an IAP web backend service to one additional member
// with a time-bound IAM Condition, using iap.NewWebBackendServiceIamMember,
// which is non-authoritative: other members for the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The provider treats the role together with the condition's title,
		// description and expression as the identifier of the binding, so a
		// condition edited out-of-band is seen as a different resource.
		expiry := &iap.WebBackendServiceIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_compute_backend_service.Default is not declared in this
		// example; it presumably stands for a backend service defined elsewhere
		// in the program.
		memberArgs := &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(google_compute_backend_service.Default.Project),
			WebBackendService: pulumi.Any(google_compute_backend_service.Default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition:         expiry,
		}
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}
* {{project}}/{{name}}
* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}}

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamPolicy

func GetWebBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamPolicyState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamPolicy, error)

GetWebBackendServiceIamPolicy gets an existing WebBackendServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamPolicy

func NewWebBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamPolicy, error)

NewWebBackendServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamPolicy) ElementType

func (*WebBackendServiceIamPolicy) ElementType() reflect.Type

func (*WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutput

func (i *WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput

func (*WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutputWithContext

func (i *WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput

type WebBackendServiceIamPolicyArgs

// WebBackendServiceIamPolicyArgs is the set of arguments for constructing a
// WebBackendServiceIamPolicy resource.
type WebBackendServiceIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes member identities, not Project.
	// This struct has no member field; in the usage example the members are
	// set in the bindings that produce PolicyData.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	//   NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	//   your organization; a policy that grants an IAP role to either presumably
	//   removes the identity restriction on the backend service, so review
	//   PolicyData for these two values before applying it.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamPolicy resource.

func (WebBackendServiceIamPolicyArgs) ElementType

type WebBackendServiceIamPolicyArray

type WebBackendServiceIamPolicyArray []WebBackendServiceIamPolicyInput

func (WebBackendServiceIamPolicyArray) ElementType

func (WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutput

func (i WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput

func (WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutputWithContext

func (i WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyArrayInput

type WebBackendServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput
	ToWebBackendServiceIamPolicyArrayOutputWithContext(context.Context) WebBackendServiceIamPolicyArrayOutput
}

WebBackendServiceIamPolicyArrayInput is an input type that accepts WebBackendServiceIamPolicyArray and WebBackendServiceIamPolicyArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamPolicyArrayInput` via:

WebBackendServiceIamPolicyArray{ WebBackendServiceIamPolicyArgs{...} }

type WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyArrayOutput) ElementType

func (WebBackendServiceIamPolicyArrayOutput) Index

func (WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutput

func (o WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput

func (WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutputWithContext

func (o WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyInput

// WebBackendServiceIamPolicyInput is implemented by values that can be
// converted to a WebBackendServiceIamPolicyOutput.
type WebBackendServiceIamPolicyInput interface {
	pulumi.Input

	// ToWebBackendServiceIamPolicyOutput returns the value as a
	// WebBackendServiceIamPolicyOutput.
	ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput
	// ToWebBackendServiceIamPolicyOutputWithContext is the same conversion,
	// taking a context.Context.
	ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput
}

type WebBackendServiceIamPolicyMap

type WebBackendServiceIamPolicyMap map[string]WebBackendServiceIamPolicyInput

func (WebBackendServiceIamPolicyMap) ElementType

func (WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutput

func (i WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput

func (WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutputWithContext

func (i WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyMapInput

type WebBackendServiceIamPolicyMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput
	ToWebBackendServiceIamPolicyMapOutputWithContext(context.Context) WebBackendServiceIamPolicyMapOutput
}

WebBackendServiceIamPolicyMapInput is an input type that accepts WebBackendServiceIamPolicyMap and WebBackendServiceIamPolicyMapOutput values. You can construct a concrete instance of `WebBackendServiceIamPolicyMapInput` via:

WebBackendServiceIamPolicyMap{ "key": WebBackendServiceIamPolicyArgs{...} }

type WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyMapOutput) ElementType

func (WebBackendServiceIamPolicyMapOutput) MapIndex

func (WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutput

func (o WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput

func (WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutputWithContext

func (o WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyOutput

type WebBackendServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyOutput) ElementType

func (WebBackendServiceIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamPolicyOutput) PolicyData added in v6.23.0

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebBackendServiceIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. This entry and the values listed under it describe member identities, not `project`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutput

func (o WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutputWithContext

func (o WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyOutput) WebBackendService added in v6.23.0

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamPolicyState

// WebBackendServiceIamPolicyState lists the properties of a
// WebBackendServiceIamPolicy as optional inputs. GetWebBackendServiceIamPolicy
// accepts it as the optional state properties that qualify the lookup.
type WebBackendServiceIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes member identities, not Project;
	// this struct has no member field.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	//   NOTE(review): `allUsers` and `allAuthenticatedUsers` are not limited to
	//   your organization; a policy that grants an IAP role to either presumably
	//   removes the identity restriction on the backend service.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamPolicyState) ElementType

type WebIamBinding

// WebIamBinding is the resource type returned by NewWebIamBinding and
// GetWebIamBinding. It is authoritative for a given role: it grants that role to
// the listed members and preserves other roles in the IAM policy for the web.
type WebIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	// (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security: per the definitions above, listing `allUsers` or
	// `allAuthenticatedUsers` grants `role` to anyone on the internet or to any
	// authenticated Google or service account; prefer the narrowest identity.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached.
* `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved.
* `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data when you do not need to create the policy:

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

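// main builds an IAM policy document that grants roles/iap.httpsResourceAccessor
// to a single user and attaches it to Identity-Aware Proxy web with
// iap.NewWebIamPolicy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebIamPolicy is authoritative: it replaces any policy already attached,
		// so every grant that must survive has to be present in PolicyData.
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it stands for a project service resource
			// defined elsewhere in the program.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String is a conversion, not a pointer: the original
			// `*pulumi.String(...)` dereference does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}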

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

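// main builds an IAM policy document whose single binding carries an IAM
// Condition, then attaches it to Identity-Aware Proxy web with
// iap.NewWebIamPolicy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicitly typed literal; the
					// original bare `Condition: {` does not compile.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						// The sample timestamp is in the past, so the condition
						// no longer matches; move it forward before reuse.
						Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebIamPolicy is authoritative: it replaces any policy already attached,
		// so every grant that must survive has to be present in PolicyData.
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it stands for a project service resource
			// defined elsewhere in the program.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String is a conversion, not a pointer: the original
			// `*pulumi.String(...)` dereference does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}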

```

## google\_iap\_web\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebIamBinding that grants
// roles/iap.httpsResourceAccessor to one user. A binding is authoritative for
// its role, so the member list given here is the complete list for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		members := pulumi.StringArray{
			pulumi.String("user:jane@example.com"),
		}
		bindingArgs := &iap.WebIamBindingArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it is defined elsewhere in the program.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: members,
		}
		_, err := iap.NewWebIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebIamBinding that grants
// roles/iap.httpsResourceAccessor to one user, restricted by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The provider treats role plus title, description and expression as the
		// binding's identity, so change these only through this program.
		// The sample timestamp is in the past; move it forward before reuse.
		expiry := &iap.WebIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		members := pulumi.StringArray{
			pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it is defined elsewhere in the program.
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members:   members,
			Condition: expiry,
		})
		return err
	})
}

```

## google\_iap\_web\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebIamMember that grants
// roles/iap.httpsResourceAccessor to one user. The member resource is
// non-authoritative: other members of the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &iap.WebIamMemberArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it is defined elsewhere in the program.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebIamMember that grants
// roles/iap.httpsResourceAccessor to one user, restricted by an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample timestamp is in the past; move it forward before reuse.
		expiry := &iap.WebIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it is defined elsewhere in the program.
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		})
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webIamBinding:WebIamBinding editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webIamBinding:WebIamBinding editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webIamBinding:WebIamBinding editor projects/{{project}}/iap_web

```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamBinding

func GetWebIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamBindingState, opts ...pulumi.ResourceOption) (*WebIamBinding, error)

GetWebIamBinding gets an existing WebIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamBinding

func NewWebIamBinding(ctx *pulumi.Context,
	name string, args *WebIamBindingArgs, opts ...pulumi.ResourceOption) (*WebIamBinding, error)

NewWebIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebIamBinding) ElementType

func (*WebIamBinding) ElementType() reflect.Type

func (*WebIamBinding) ToWebIamBindingOutput

func (i *WebIamBinding) ToWebIamBindingOutput() WebIamBindingOutput

func (*WebIamBinding) ToWebIamBindingOutputWithContext

func (i *WebIamBinding) ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput

type WebIamBindingArgs

// WebIamBindingArgs is the argument struct passed to NewWebIamBinding.
type WebIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrInput
	// (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security: per the definitions above, listing `allUsers` or
	// `allAuthenticatedUsers` grants `role` to anyone on the internet or to any
	// authenticated Google or service account; prefer the narrowest identity.
	Members   pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebIamBinding resource.

func (WebIamBindingArgs) ElementType

func (WebIamBindingArgs) ElementType() reflect.Type

type WebIamBindingArray

// WebIamBindingArray is a slice of WebIamBindingInput values.
type WebIamBindingArray []WebIamBindingInput

func (WebIamBindingArray) ElementType

func (WebIamBindingArray) ElementType() reflect.Type

func (WebIamBindingArray) ToWebIamBindingArrayOutput

func (i WebIamBindingArray) ToWebIamBindingArrayOutput() WebIamBindingArrayOutput

func (WebIamBindingArray) ToWebIamBindingArrayOutputWithContext

func (i WebIamBindingArray) ToWebIamBindingArrayOutputWithContext(ctx context.Context) WebIamBindingArrayOutput

type WebIamBindingArrayInput

// WebIamBindingArrayInput is implemented by values that can be converted to a
// WebIamBindingArrayOutput, with or without an explicit context.Context.
type WebIamBindingArrayInput interface {
	pulumi.Input

	// ToWebIamBindingArrayOutput returns the value as a WebIamBindingArrayOutput.
	ToWebIamBindingArrayOutput() WebIamBindingArrayOutput
	// ToWebIamBindingArrayOutputWithContext does the same with a caller-supplied context.
	ToWebIamBindingArrayOutputWithContext(context.Context) WebIamBindingArrayOutput
}

WebIamBindingArrayInput is an input type that accepts WebIamBindingArray and WebIamBindingArrayOutput values. You can construct a concrete instance of `WebIamBindingArrayInput` via:

WebIamBindingArray{ WebIamBindingArgs{...} }

type WebIamBindingArrayOutput

// WebIamBindingArrayOutput wraps an embedded *pulumi.OutputState.
type WebIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebIamBindingArrayOutput) ElementType

func (WebIamBindingArrayOutput) ElementType() reflect.Type

func (WebIamBindingArrayOutput) Index

func (WebIamBindingArrayOutput) ToWebIamBindingArrayOutput

func (o WebIamBindingArrayOutput) ToWebIamBindingArrayOutput() WebIamBindingArrayOutput

func (WebIamBindingArrayOutput) ToWebIamBindingArrayOutputWithContext

func (o WebIamBindingArrayOutput) ToWebIamBindingArrayOutputWithContext(ctx context.Context) WebIamBindingArrayOutput

type WebIamBindingCondition

// WebIamBindingCondition holds an IAM Condition as plain Go values: Title and
// Expression are strings, and Description is a pointer documented as optional.
//
// The provider identifies a binding by `role` together with the condition
// contents, so editing any part of a condition outside the program makes the
// provider treat it as a different resource (see the warning on Description).
type WebIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebIamBindingConditionArgs

// WebIamBindingConditionArgs is the input form of an IAM Condition: the same
// three fields as WebIamBindingCondition, typed as pulumi inputs.
//
// The provider identifies a binding by `role` together with the condition
// contents, so editing any part of a condition outside the program makes the
// provider treat it as a different resource (see the warning on Description).
type WebIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebIamBindingConditionArgs) ElementType

func (WebIamBindingConditionArgs) ElementType() reflect.Type

func (WebIamBindingConditionArgs) ToWebIamBindingConditionOutput

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionOutput() WebIamBindingConditionOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionOutputWithContext

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionOutputWithContext(ctx context.Context) WebIamBindingConditionOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutput

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutputWithContext

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingConditionInput

// WebIamBindingConditionInput is implemented by values that can be converted to
// a WebIamBindingConditionOutput, with or without an explicit context.Context.
type WebIamBindingConditionInput interface {
	pulumi.Input

	// ToWebIamBindingConditionOutput returns the value as a WebIamBindingConditionOutput.
	ToWebIamBindingConditionOutput() WebIamBindingConditionOutput
	// ToWebIamBindingConditionOutputWithContext does the same with a caller-supplied context.
	ToWebIamBindingConditionOutputWithContext(context.Context) WebIamBindingConditionOutput
}

WebIamBindingConditionInput is an input type that accepts WebIamBindingConditionArgs and WebIamBindingConditionOutput values. You can construct a concrete instance of `WebIamBindingConditionInput` via:

WebIamBindingConditionArgs{...}

type WebIamBindingConditionOutput

// WebIamBindingConditionOutput wraps an embedded *pulumi.OutputState.
type WebIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamBindingConditionOutput) ElementType

func (WebIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamBindingConditionOutput) ToWebIamBindingConditionOutput

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionOutput() WebIamBindingConditionOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionOutputWithContext

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionOutputWithContext(ctx context.Context) WebIamBindingConditionOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutput

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutputWithContext

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingConditionPtrInput

// WebIamBindingConditionPtrInput is implemented by values that can be converted
// to a WebIamBindingConditionPtrOutput, with or without an explicit
// context.Context.
type WebIamBindingConditionPtrInput interface {
	pulumi.Input

	// ToWebIamBindingConditionPtrOutput returns the value as a WebIamBindingConditionPtrOutput.
	ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput
	// ToWebIamBindingConditionPtrOutputWithContext does the same with a caller-supplied context.
	ToWebIamBindingConditionPtrOutputWithContext(context.Context) WebIamBindingConditionPtrOutput
}

WebIamBindingConditionPtrInput is an input type that accepts WebIamBindingConditionArgs, WebIamBindingConditionPtr and WebIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebIamBindingConditionPtrInput` via:

        WebIamBindingConditionArgs{...}

or:

        nil

type WebIamBindingConditionPtrOutput

// WebIamBindingConditionPtrOutput wraps an embedded *pulumi.OutputState.
type WebIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamBindingConditionPtrOutput) Elem

func (WebIamBindingConditionPtrOutput) ElementType

func (WebIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutput

func (o WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutputWithContext

func (o WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingInput

// WebIamBindingInput is implemented by values that can be converted to a
// WebIamBindingOutput, with or without an explicit context.Context.
type WebIamBindingInput interface {
	pulumi.Input

	// ToWebIamBindingOutput returns the value as a WebIamBindingOutput.
	ToWebIamBindingOutput() WebIamBindingOutput
	// ToWebIamBindingOutputWithContext does the same with a caller-supplied context.
	ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput
}

type WebIamBindingMap

// WebIamBindingMap maps string keys to WebIamBindingInput values.
type WebIamBindingMap map[string]WebIamBindingInput

func (WebIamBindingMap) ElementType

func (WebIamBindingMap) ElementType() reflect.Type

func (WebIamBindingMap) ToWebIamBindingMapOutput

func (i WebIamBindingMap) ToWebIamBindingMapOutput() WebIamBindingMapOutput

func (WebIamBindingMap) ToWebIamBindingMapOutputWithContext

func (i WebIamBindingMap) ToWebIamBindingMapOutputWithContext(ctx context.Context) WebIamBindingMapOutput

type WebIamBindingMapInput

// WebIamBindingMapInput is implemented by values that can be converted to a
// WebIamBindingMapOutput, with or without an explicit context.Context.
type WebIamBindingMapInput interface {
	pulumi.Input

	// ToWebIamBindingMapOutput returns the value as a WebIamBindingMapOutput.
	ToWebIamBindingMapOutput() WebIamBindingMapOutput
	// ToWebIamBindingMapOutputWithContext does the same with a caller-supplied context.
	ToWebIamBindingMapOutputWithContext(context.Context) WebIamBindingMapOutput
}

WebIamBindingMapInput is an input type that accepts WebIamBindingMap and WebIamBindingMapOutput values. You can construct a concrete instance of `WebIamBindingMapInput` via:

WebIamBindingMap{ "key": WebIamBindingArgs{...} }

type WebIamBindingMapOutput

// WebIamBindingMapOutput wraps an embedded *pulumi.OutputState.
type WebIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebIamBindingMapOutput) ElementType

func (WebIamBindingMapOutput) ElementType() reflect.Type

func (WebIamBindingMapOutput) MapIndex

func (WebIamBindingMapOutput) ToWebIamBindingMapOutput

func (o WebIamBindingMapOutput) ToWebIamBindingMapOutput() WebIamBindingMapOutput

func (WebIamBindingMapOutput) ToWebIamBindingMapOutputWithContext

func (o WebIamBindingMapOutput) ToWebIamBindingMapOutputWithContext(ctx context.Context) WebIamBindingMapOutput

type WebIamBindingOutput

// WebIamBindingOutput wraps an embedded *pulumi.OutputState.
type WebIamBindingOutput struct{ *pulumi.OutputState }

func (WebIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebIamBindingOutput) ElementType

func (WebIamBindingOutput) ElementType() reflect.Type

func (WebIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebIamBindingOutput) Members added in v6.23.0

func (WebIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role` (this list documents the `members` values, not `project`). Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebIamBindingOutput) ToWebIamBindingOutput

func (o WebIamBindingOutput) ToWebIamBindingOutput() WebIamBindingOutput

func (WebIamBindingOutput) ToWebIamBindingOutputWithContext

func (o WebIamBindingOutput) ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput

type WebIamBindingState

// WebIamBindingState is the optional state struct accepted by GetWebIamBinding
// to qualify the lookup of an existing WebIamBinding.
type WebIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	// (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security: per the definitions above, listing `allUsers` or
	// `allAuthenticatedUsers` grants `role` to anyone on the internet or to any
	// authenticated Google or service account; prefer the narrowest identity.
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebIamBindingState) ElementType

func (WebIamBindingState) ElementType() reflect.Type

type WebIamMember

// WebIamMember is the non-authoritative IAM resource for Identity-Aware Proxy
// web: it grants a role to one member and preserves the role's other members.
type WebIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security: per the definitions above, setting `allUsers` or
	// `allAuthenticatedUsers` grants `role` to anyone on the internet or to any
	// authenticated Google or service account; prefer the narrowest identity.
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached.
* `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved.
* `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data when you do not need to create the policy:

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

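// main builds an IAM policy document that grants roles/iap.httpsResourceAccessor
// to a single user and attaches it to Identity-Aware Proxy web with
// iap.NewWebIamPolicy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebIamPolicy is authoritative: it replaces any policy already attached,
		// so every grant that must survive has to be present in PolicyData.
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			// google_project_service.Project_service is not declared in this
			// listing; presumably it stands for a project service resource
			// defined elsewhere in the program.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String is a conversion, not a pointer: the original
			// `*pulumi.String(...)` dereference does not compile.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}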

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

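// main declares the authoritative IAM policy for a project's Identity-Aware
// Proxy web resource, with an IAM Condition on the binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit literal type; Go only
					// allows eliding it for slice, array and map elements.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						// The grant applies only to requests made before this
						// timestamp. The sample date is in the past, so use a
						// future expiry in real code.
						Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebIamPolicy is authoritative: it replaces any policy already
		// attached, so the document above must list every binding that
		// should remain in place.
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a conversion, not a pointer, so it is
			// passed as-is rather than dereferenced.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}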

```

## google\_iap\_web\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the project's IAP web
// resource through an iap.WebIamBinding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// WebIamBinding is authoritative for the role it names; other roles
		// in the IAM policy are preserved.
		bindingArgs := &iap.WebIamBindingArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewWebIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor through an iap.WebIamBinding
// that carries an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The grant applies only to requests made before the timestamp in the
		// expression. The sample date is in the past, so use a future expiry
		// in real code.
		expiry := &iap.WebIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// WebIamBinding is authoritative for the role it names; other roles
		// in the IAM policy are preserved.
		bindingArgs := &iap.WebIamBindingArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.httpsResourceAccessor on the project's
// IAP web resource through an iap.WebIamMember.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// WebIamMember is non-authoritative: other members already holding
		// the role are preserved.
		memberArgs := &iap.WebIamMemberArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.httpsResourceAccessor through an
// iap.WebIamMember that carries an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The grant applies only to requests made before the timestamp in the
		// expression. The sample date is in the past, so use a future expiry
		// in real code.
		expiry := &iap.WebIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// WebIamMember is non-authoritative: other members already holding
		// the role are preserved.
		memberArgs := &iap.WebIamMemberArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewWebIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webIamMember:WebIamMember editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webIamMember:WebIamMember editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webIamMember:WebIamMember editor projects/{{project}}/iap_web

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamMember

func GetWebIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamMemberState, opts ...pulumi.ResourceOption) (*WebIamMember, error)

GetWebIamMember gets an existing WebIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamMember

func NewWebIamMember(ctx *pulumi.Context,
	name string, args *WebIamMemberArgs, opts ...pulumi.ResourceOption) (*WebIamMember, error)

NewWebIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebIamMember) ElementType

func (*WebIamMember) ElementType() reflect.Type

func (*WebIamMember) ToWebIamMemberOutput

func (i *WebIamMember) ToWebIamMemberOutput() WebIamMemberOutput

func (*WebIamMember) ToWebIamMemberOutputWithContext

func (i *WebIamMember) ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput

type WebIamMemberArgs

// WebIamMemberArgs is the set of arguments for constructing a WebIamMember resource.
type WebIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrInput
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are public grants. Combined with an
	// access role such as roles/iap.httpsResourceAccessor they would open the IAP-protected
	// web resource to anyone; prefer specific user, group or serviceAccount members.
	Member    pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebIamMember resource.

func (WebIamMemberArgs) ElementType

func (WebIamMemberArgs) ElementType() reflect.Type

type WebIamMemberArray

type WebIamMemberArray []WebIamMemberInput

func (WebIamMemberArray) ElementType

func (WebIamMemberArray) ElementType() reflect.Type

func (WebIamMemberArray) ToWebIamMemberArrayOutput

func (i WebIamMemberArray) ToWebIamMemberArrayOutput() WebIamMemberArrayOutput

func (WebIamMemberArray) ToWebIamMemberArrayOutputWithContext

func (i WebIamMemberArray) ToWebIamMemberArrayOutputWithContext(ctx context.Context) WebIamMemberArrayOutput

type WebIamMemberArrayInput

// WebIamMemberArrayInput is an input type that accepts WebIamMemberArray and
// WebIamMemberArrayOutput values.
type WebIamMemberArrayInput interface {
	pulumi.Input

	ToWebIamMemberArrayOutput() WebIamMemberArrayOutput
	ToWebIamMemberArrayOutputWithContext(context.Context) WebIamMemberArrayOutput
}

WebIamMemberArrayInput is an input type that accepts WebIamMemberArray and WebIamMemberArrayOutput values. You can construct a concrete instance of `WebIamMemberArrayInput` via:

WebIamMemberArray{ WebIamMemberArgs{...} }

type WebIamMemberArrayOutput

type WebIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebIamMemberArrayOutput) ElementType

func (WebIamMemberArrayOutput) ElementType() reflect.Type

func (WebIamMemberArrayOutput) Index

func (WebIamMemberArrayOutput) ToWebIamMemberArrayOutput

func (o WebIamMemberArrayOutput) ToWebIamMemberArrayOutput() WebIamMemberArrayOutput

func (WebIamMemberArrayOutput) ToWebIamMemberArrayOutputWithContext

func (o WebIamMemberArrayOutput) ToWebIamMemberArrayOutputWithContext(ctx context.Context) WebIamMemberArrayOutput

type WebIamMemberCondition

// WebIamMemberCondition holds the plain-value fields of an IAM Condition
// attached to a WebIamMember binding.
//
// The provider treats `role` plus the condition contents
// (`title`+`description`+`expression`) as the identifier for the binding.
type WebIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): an out-of-band edit therefore presumably leaves the edited grant outside
	// what this resource tracks; review the effective IAM policy after manual changes.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebIamMemberConditionArgs

// WebIamMemberConditionArgs is the input form of an IAM Condition attached to
// a WebIamMember binding.
//
// The provider treats `role` plus the condition contents
// (`title`+`description`+`expression`) as the identifier for the binding.
type WebIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): an out-of-band edit therefore presumably leaves the edited grant outside
	// what this resource tracks; review the effective IAM policy after manual changes.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebIamMemberConditionArgs) ElementType

func (WebIamMemberConditionArgs) ElementType() reflect.Type

func (WebIamMemberConditionArgs) ToWebIamMemberConditionOutput

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionOutput() WebIamMemberConditionOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionOutputWithContext

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionOutputWithContext(ctx context.Context) WebIamMemberConditionOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutput

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutputWithContext

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberConditionInput

// WebIamMemberConditionInput is an input type that accepts
// WebIamMemberConditionArgs and WebIamMemberConditionOutput values.
type WebIamMemberConditionInput interface {
	pulumi.Input

	ToWebIamMemberConditionOutput() WebIamMemberConditionOutput
	ToWebIamMemberConditionOutputWithContext(context.Context) WebIamMemberConditionOutput
}

WebIamMemberConditionInput is an input type that accepts WebIamMemberConditionArgs and WebIamMemberConditionOutput values. You can construct a concrete instance of `WebIamMemberConditionInput` via:

WebIamMemberConditionArgs{...}

type WebIamMemberConditionOutput

type WebIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamMemberConditionOutput) ElementType

func (WebIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamMemberConditionOutput) ToWebIamMemberConditionOutput

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionOutput() WebIamMemberConditionOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionOutputWithContext

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionOutputWithContext(ctx context.Context) WebIamMemberConditionOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutput

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutputWithContext

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberConditionPtrInput

// WebIamMemberConditionPtrInput is an input type that accepts
// WebIamMemberConditionArgs, WebIamMemberConditionPtr and
// WebIamMemberConditionPtrOutput values; nil is also accepted.
type WebIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput
	ToWebIamMemberConditionPtrOutputWithContext(context.Context) WebIamMemberConditionPtrOutput
}

WebIamMemberConditionPtrInput is an input type that accepts WebIamMemberConditionArgs, WebIamMemberConditionPtr and WebIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebIamMemberConditionPtrInput` via:

        WebIamMemberConditionArgs{...}

or:

        nil

type WebIamMemberConditionPtrOutput

type WebIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamMemberConditionPtrOutput) Elem

func (WebIamMemberConditionPtrOutput) ElementType

func (WebIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutput

func (o WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutputWithContext

func (o WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberInput

// WebIamMemberInput is the input interface for values that can be converted
// to a WebIamMemberOutput.
type WebIamMemberInput interface {
	pulumi.Input

	ToWebIamMemberOutput() WebIamMemberOutput
	ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput
}

type WebIamMemberMap

type WebIamMemberMap map[string]WebIamMemberInput

func (WebIamMemberMap) ElementType

func (WebIamMemberMap) ElementType() reflect.Type

func (WebIamMemberMap) ToWebIamMemberMapOutput

func (i WebIamMemberMap) ToWebIamMemberMapOutput() WebIamMemberMapOutput

func (WebIamMemberMap) ToWebIamMemberMapOutputWithContext

func (i WebIamMemberMap) ToWebIamMemberMapOutputWithContext(ctx context.Context) WebIamMemberMapOutput

type WebIamMemberMapInput

// WebIamMemberMapInput is an input type that accepts WebIamMemberMap and
// WebIamMemberMapOutput values.
type WebIamMemberMapInput interface {
	pulumi.Input

	ToWebIamMemberMapOutput() WebIamMemberMapOutput
	ToWebIamMemberMapOutputWithContext(context.Context) WebIamMemberMapOutput
}

WebIamMemberMapInput is an input type that accepts WebIamMemberMap and WebIamMemberMapOutput values. You can construct a concrete instance of `WebIamMemberMapInput` via:

WebIamMemberMap{ "key": WebIamMemberArgs{...} }

type WebIamMemberMapOutput

type WebIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebIamMemberMapOutput) ElementType

func (WebIamMemberMapOutput) ElementType() reflect.Type

func (WebIamMemberMapOutput) MapIndex

func (WebIamMemberMapOutput) ToWebIamMemberMapOutput

func (o WebIamMemberMapOutput) ToWebIamMemberMapOutput() WebIamMemberMapOutput

func (WebIamMemberMapOutput) ToWebIamMemberMapOutputWithContext

func (o WebIamMemberMapOutput) ToWebIamMemberMapOutputWithContext(ctx context.Context) WebIamMemberMapOutput

type WebIamMemberOutput

type WebIamMemberOutput struct{ *pulumi.OutputState }

func (WebIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebIamMemberOutput) ElementType

func (WebIamMemberOutput) ElementType() reflect.Type

func (WebIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebIamMemberOutput) Member added in v6.23.0

func (WebIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebIamMemberOutput) ToWebIamMemberOutput

func (o WebIamMemberOutput) ToWebIamMemberOutput() WebIamMemberOutput

func (WebIamMemberOutput) ToWebIamMemberOutputWithContext

func (o WebIamMemberOutput) ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput

type WebIamMemberState

// WebIamMemberState holds the optional state properties of a WebIamMember
// resource; GetWebIamMember accepts it to qualify a lookup.
type WebIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	// `member/members` - (Required) Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are public grants; when auditing
	// existing state, treat either value on an access role as a finding to confirm.
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebIamMemberState) ElementType

func (WebIamMemberState) ElementType() reflect.Type

type WebIamPolicy

// WebIamPolicy is the authoritative IAM policy resource for Identity-Aware
// Proxy Web: it sets the IAM policy for the web and replaces any existing
// policy already attached.
type WebIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	//
	// NOTE(review): because this resource replaces the attached policy, bindings missing
	// from this document are presumably dropped on apply; compare against the current
	// policy before applying.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the identity list below reads as documentation for the members inside
	// the policy bindings rather than for Project; this struct has no member field.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached.
* `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved.
* `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create it:

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

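// main declares the authoritative IAM policy for a project's Identity-Aware
// Proxy web resource.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the policy document: a single binding that grants the IAP
		// accessor role to one named user.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebIamPolicy is authoritative: it replaces any policy already
		// attached, so the document above must list every binding that
		// should remain in place.
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a conversion, not a pointer, so it is
			// passed as-is rather than dereferenced.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}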

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

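// main declares the authoritative IAM policy for a project's Identity-Aware
// Proxy web resource, with an IAM Condition on the binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit literal type; Go only
					// allows eliding it for slice, array and map elements.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						// The grant applies only to requests made before this
						// timestamp. The sample date is in the past, so use a
						// future expiry in real code.
						Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebIamPolicy is authoritative: it replaces any policy already
		// attached, so the document above must list every binding that
		// should remain in place.
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a conversion, not a pointer, so it is
			// passed as-is rather than dereferenced.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}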

```

## google\_iap\_web\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the project's IAP web
// resource through an iap.WebIamBinding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// WebIamBinding is authoritative for the role it names; other roles
		// in the IAM policy are preserved.
		bindingArgs := &iap.WebIamBindingArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewWebIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor through an iap.WebIamBinding
// that carries an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The grant applies only to requests made before the timestamp in the
		// expression. The sample date is in the past, so use a future expiry
		// in real code.
		expiry := &iap.WebIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// WebIamBinding is authoritative for the role it names; other roles
		// in the IAM policy are preserved.
		bindingArgs := &iap.WebIamBindingArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.httpsResourceAccessor on the project's
// IAP web resource through an iap.WebIamMember.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// WebIamMember is non-authoritative: other members already holding
		// the role are preserved.
		memberArgs := &iap.WebIamMemberArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/iap.httpsResourceAccessor through an
// iap.WebIamMember that carries an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The grant applies only to requests made before the timestamp in the
		// expression. The sample date is in the past, so use a future expiry
		// in real code.
		expiry := &iap.WebIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// WebIamMember is non-authoritative: other members already holding
		// the role are preserved.
		memberArgs := &iap.WebIamMemberArgs{
			// google_project_service.Project_service is not declared in this
			// snippet; it stands for a resource defined elsewhere.
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewWebIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor projects/{{project}}/iap_web

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamPolicy

func GetWebIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamPolicyState, opts ...pulumi.ResourceOption) (*WebIamPolicy, error)

GetWebIamPolicy gets an existing WebIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamPolicy

func NewWebIamPolicy(ctx *pulumi.Context,
	name string, args *WebIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebIamPolicy, error)

NewWebIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebIamPolicy) ElementType

func (*WebIamPolicy) ElementType() reflect.Type

func (*WebIamPolicy) ToWebIamPolicyOutput

func (i *WebIamPolicy) ToWebIamPolicyOutput() WebIamPolicyOutput

func (*WebIamPolicy) ToWebIamPolicyOutputWithContext

func (i *WebIamPolicy) ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput

type WebIamPolicyArgs

// WebIamPolicyArgs is the set of arguments for constructing a WebIamPolicy resource.
type WebIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	// NOTE(review): the *IamPolicy resources documented on this page are described as
	// authoritative (they replace any policy already attached); presumably the same holds
	// here, so the policy data should list every principal that must keep access — confirm.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below comes from the shared IAM documentation and describes
	// member identities, not the project ID. This struct has no member/members field; the
	// identities presumably travel inside the bindings encoded in PolicyData — confirm.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to your own organization; review
	// any binding that names them before applying it to an IAP-protected resource.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebIamPolicy resource.

func (WebIamPolicyArgs) ElementType

func (WebIamPolicyArgs) ElementType() reflect.Type

type WebIamPolicyArray

// WebIamPolicyArray is a slice of WebIamPolicyInput values; it is one of the
// concrete types accepted wherever a WebIamPolicyArrayInput is expected.
type WebIamPolicyArray []WebIamPolicyInput

func (WebIamPolicyArray) ElementType

func (WebIamPolicyArray) ElementType() reflect.Type

func (WebIamPolicyArray) ToWebIamPolicyArrayOutput

func (i WebIamPolicyArray) ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput

func (WebIamPolicyArray) ToWebIamPolicyArrayOutputWithContext

func (i WebIamPolicyArray) ToWebIamPolicyArrayOutputWithContext(ctx context.Context) WebIamPolicyArrayOutput

type WebIamPolicyArrayInput

// WebIamPolicyArrayInput is an input type that accepts WebIamPolicyArray and
// WebIamPolicyArrayOutput values.
type WebIamPolicyArrayInput interface {
	pulumi.Input

	// ToWebIamPolicyArrayOutput returns the value as a WebIamPolicyArrayOutput.
	ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput
	// ToWebIamPolicyArrayOutputWithContext does the same with a caller-supplied context.
	ToWebIamPolicyArrayOutputWithContext(context.Context) WebIamPolicyArrayOutput
}

WebIamPolicyArrayInput is an input type that accepts WebIamPolicyArray and WebIamPolicyArrayOutput values. You can construct a concrete instance of `WebIamPolicyArrayInput` via:

WebIamPolicyArray{ WebIamPolicyArgs{...} }

type WebIamPolicyArrayOutput

// WebIamPolicyArrayOutput embeds *pulumi.OutputState; it is the output form
// accepted wherever a WebIamPolicyArrayInput is expected.
type WebIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebIamPolicyArrayOutput) ElementType

func (WebIamPolicyArrayOutput) ElementType() reflect.Type

func (WebIamPolicyArrayOutput) Index

func (WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutput

func (o WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput

func (WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutputWithContext

func (o WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutputWithContext(ctx context.Context) WebIamPolicyArrayOutput

type WebIamPolicyInput

// WebIamPolicyInput is implemented by values that can be converted to a
// WebIamPolicyOutput; on this page both *WebIamPolicy and WebIamPolicyOutput
// declare the two conversion methods.
type WebIamPolicyInput interface {
	pulumi.Input

	// ToWebIamPolicyOutput returns the value as a WebIamPolicyOutput.
	ToWebIamPolicyOutput() WebIamPolicyOutput
	// ToWebIamPolicyOutputWithContext does the same with a caller-supplied context.
	ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput
}

type WebIamPolicyMap

// WebIamPolicyMap maps string keys to WebIamPolicyInput values; it is one of
// the concrete types accepted wherever a WebIamPolicyMapInput is expected.
type WebIamPolicyMap map[string]WebIamPolicyInput

func (WebIamPolicyMap) ElementType

func (WebIamPolicyMap) ElementType() reflect.Type

func (WebIamPolicyMap) ToWebIamPolicyMapOutput

func (i WebIamPolicyMap) ToWebIamPolicyMapOutput() WebIamPolicyMapOutput

func (WebIamPolicyMap) ToWebIamPolicyMapOutputWithContext

func (i WebIamPolicyMap) ToWebIamPolicyMapOutputWithContext(ctx context.Context) WebIamPolicyMapOutput

type WebIamPolicyMapInput

// WebIamPolicyMapInput is an input type that accepts WebIamPolicyMap and
// WebIamPolicyMapOutput values.
type WebIamPolicyMapInput interface {
	pulumi.Input

	// ToWebIamPolicyMapOutput returns the value as a WebIamPolicyMapOutput.
	ToWebIamPolicyMapOutput() WebIamPolicyMapOutput
	// ToWebIamPolicyMapOutputWithContext does the same with a caller-supplied context.
	ToWebIamPolicyMapOutputWithContext(context.Context) WebIamPolicyMapOutput
}

WebIamPolicyMapInput is an input type that accepts WebIamPolicyMap and WebIamPolicyMapOutput values. You can construct a concrete instance of `WebIamPolicyMapInput` via:

WebIamPolicyMap{ "key": WebIamPolicyArgs{...} }

type WebIamPolicyMapOutput

// WebIamPolicyMapOutput embeds *pulumi.OutputState; it is the output form
// accepted wherever a WebIamPolicyMapInput is expected.
type WebIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebIamPolicyMapOutput) ElementType

func (WebIamPolicyMapOutput) ElementType() reflect.Type

func (WebIamPolicyMapOutput) MapIndex

func (WebIamPolicyMapOutput) ToWebIamPolicyMapOutput

func (o WebIamPolicyMapOutput) ToWebIamPolicyMapOutput() WebIamPolicyMapOutput

func (WebIamPolicyMapOutput) ToWebIamPolicyMapOutputWithContext

func (o WebIamPolicyMapOutput) ToWebIamPolicyMapOutputWithContext(ctx context.Context) WebIamPolicyMapOutput

type WebIamPolicyOutput

// WebIamPolicyOutput embeds *pulumi.OutputState; its Etag, PolicyData and
// Project methods expose the corresponding WebIamPolicy properties.
type WebIamPolicyOutput struct{ *pulumi.OutputState }

func (WebIamPolicyOutput) ElementType

func (WebIamPolicyOutput) ElementType() reflect.Type

func (WebIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebIamPolicyOutput) PolicyData added in v6.23.0

func (o WebIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamPolicyOutput) ToWebIamPolicyOutput

func (o WebIamPolicyOutput) ToWebIamPolicyOutput() WebIamPolicyOutput

func (WebIamPolicyOutput) ToWebIamPolicyOutputWithContext

func (o WebIamPolicyOutput) ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput

type WebIamPolicyState

// WebIamPolicyState holds the optional state properties that GetWebIamPolicy
// accepts to qualify the lookup of an existing WebIamPolicy resource.
type WebIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below comes from the shared IAM documentation and describes
	// member identities, not the project ID. This struct has no member/members field; the
	// identities presumably travel inside the bindings encoded in PolicyData — confirm.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to your own organization; review
	// any binding that names them before applying it to an IAP-protected resource.
	Project pulumi.StringPtrInput
}

func (WebIamPolicyState) ElementType

func (WebIamPolicyState) ElementType() reflect.Type

type WebTypeAppEngingIamBinding

// WebTypeAppEngingIamBinding manages one role binding in the IAM policy of an
// Identity-Aware Proxy WebTypeAppEngine resource. It is authoritative for the
// given role: it grants the role to a list of members and preserves the other
// roles within the policy.
type WebTypeAppEngingIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to your own organization; review
	// any binding that names them before applying it to an IAP-protected resource.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached, so any binding that is not part of the supplied policy data is removed.
* `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved.
* `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_type\_app\_engine\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

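// main declares the complete IAM policy of an IAP-protected App Engine
// application.
//
// iap.WebTypeAppEngingIamPolicy is authoritative: it sets the whole policy and
// replaces any policy already attached, so every principal that must keep
// access has to appear in the bindings passed to LookupIAMPolicy. It cannot be
// combined with the IamBinding or IamMember resources for the same target.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document; only the bindings listed here will exist
		// once the policy resource is applied.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			// google_app_engine_application.App is not declared in this example;
			// it stands for the App Engine application resource defined
			// elsewhere in the program.
			//
			// PolicyData takes the converted string directly: pulumi.String(...)
			// is a conversion, not a pointer, so it must not be dereferenced.
			Project:    pulumi.Any(google_app_engine_application.App.Project),
			AppId:      pulumi.Any(google_app_engine_application.App.App_id),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}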

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

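// main declares the complete IAM policy of an IAP-protected App Engine
// application, with a time-limited binding expressed as an IAM Condition.
//
// iap.WebTypeAppEngingIamPolicy is authoritative: it replaces any policy
// already attached, so every principal that must keep access has to appear in
// the bindings passed to LookupIAMPolicy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type.
					//
					// The sample expiry (2020-01-01T00:00:00Z) is earlier than
					// this package version's publication date, so as written
					// the condition never matches; use a future timestamp when
					// granting time-limited access.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			// google_app_engine_application.App is not declared in this example;
			// it stands for the App Engine application resource defined
			// elsewhere in the program.
			//
			// PolicyData takes the converted string directly: pulumi.String(...)
			// is a conversion, not a pointer, so it must not be dereferenced.
			Project:    pulumi.Any(google_app_engine_application.App.Project),
			AppId:      pulumi.Any(google_app_engine_application.App.App_id),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}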

```

## google\_iap\_web\_type\_app\_engine\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// application through a role-level binding.
//
// The binding is authoritative for that one role: it grants the role to the
// listed members, while other roles within the policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_app_engine_application.App refers to a resource declared
		// outside this example.
		bindingArgs := &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// application through a role-level binding that carries an IAM Condition.
//
// The binding is authoritative for that one role; other roles within the
// policy are preserved. The provider treats the role plus the condition's
// title, description and expression as the binding's identity.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry (2020-01-01T00:00:00Z) is earlier than this package
		// version's publication date; pick a future timestamp for real use.
		expiry := &iap.WebTypeAppEngingIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_app_engine_application.App refers to a resource declared
		// outside this example.
		bindingArgs := &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_type\_app\_engine\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// application to a single member.
//
// The member resource is non-authoritative: it adds this member to the role
// and preserves the other members already holding it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_app_engine_application.App refers to a resource declared
		// outside this example.
		memberArgs := &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on an IAP-protected App Engine
// application to a single member, limited by an IAM Condition.
//
// The member resource is non-authoritative: it adds this member to the role
// and preserves the other members already holding it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry (2020-01-01T00:00:00Z) is earlier than this package
		// version's publication date; pick a future timestamp for real use.
		expiry := &iap.WebTypeAppEngingIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_app_engine_application.App refers to a resource declared
		// outside this example.
		memberArgs := &iap.WebTypeAppEngingIamMemberArgs{
			Project:   pulumi.Any(google_app_engine_application.App.Project),
			AppId:     pulumi.Any(google_app_engine_application.App.App_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		if _, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}
* {{project}}/{{appId}}
* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamBinding

func GetWebTypeAppEngingIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamBindingState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamBinding, error)

GetWebTypeAppEngingIamBinding gets an existing WebTypeAppEngingIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamBinding

func NewWebTypeAppEngingIamBinding(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamBindingArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamBinding, error)

NewWebTypeAppEngingIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamBinding) ElementType

func (*WebTypeAppEngingIamBinding) ElementType() reflect.Type

func (*WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutput

func (i *WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput

func (*WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutputWithContext

func (i *WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingArgs

// WebTypeAppEngingIamBindingArgs is the set of arguments for constructing a
// WebTypeAppEngingIamBinding resource. The binding is authoritative for the
// given role: it grants the role to the listed members and preserves the other
// roles within the policy.
type WebTypeAppEngingIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to your own organization; review
	// any binding that names them before applying it to an IAP-protected resource.
	Members   pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeAppEngingIamBinding resource.

func (WebTypeAppEngingIamBindingArgs) ElementType

type WebTypeAppEngingIamBindingArray

// WebTypeAppEngingIamBindingArray is a slice of WebTypeAppEngingIamBindingInput
// values; it is one of the concrete types accepted wherever a
// WebTypeAppEngingIamBindingArrayInput is expected.
type WebTypeAppEngingIamBindingArray []WebTypeAppEngingIamBindingInput

func (WebTypeAppEngingIamBindingArray) ElementType

func (WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutput

func (i WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput

func (WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutputWithContext

func (i WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingArrayInput

// WebTypeAppEngingIamBindingArrayInput is an input type that accepts
// WebTypeAppEngingIamBindingArray and WebTypeAppEngingIamBindingArrayOutput values.
type WebTypeAppEngingIamBindingArrayInput interface {
	pulumi.Input

	// ToWebTypeAppEngingIamBindingArrayOutput returns the value as a WebTypeAppEngingIamBindingArrayOutput.
	ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput
	// ToWebTypeAppEngingIamBindingArrayOutputWithContext does the same with a caller-supplied context.
	ToWebTypeAppEngingIamBindingArrayOutputWithContext(context.Context) WebTypeAppEngingIamBindingArrayOutput
}

WebTypeAppEngingIamBindingArrayInput is an input type that accepts WebTypeAppEngingIamBindingArray and WebTypeAppEngingIamBindingArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingArrayInput` via:

WebTypeAppEngingIamBindingArray{ WebTypeAppEngingIamBindingArgs{...} }

type WebTypeAppEngingIamBindingArrayOutput

// WebTypeAppEngingIamBindingArrayOutput embeds *pulumi.OutputState; it is the
// output form accepted wherever a WebTypeAppEngingIamBindingArrayInput is expected.
type WebTypeAppEngingIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingArrayOutput) ElementType

func (WebTypeAppEngingIamBindingArrayOutput) Index

func (WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutput

func (o WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput

func (WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutputWithContext

func (o WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingCondition

// WebTypeAppEngingIamBindingCondition is the plain-value form of the IAM
// Condition attached to a WebTypeAppEngingIamBinding.
type WebTypeAppEngingIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a `request.time < timestamp(...)` comparison to
	// express a binding that expires at a given instant.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeAppEngingIamBindingConditionArgs

// WebTypeAppEngingIamBindingConditionArgs is the input form of the IAM
// Condition attached to a WebTypeAppEngingIamBinding; it is accepted wherever a
// WebTypeAppEngingIamBindingConditionInput or ...ConditionPtrInput is expected.
type WebTypeAppEngingIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a `request.time < timestamp(...)` comparison to
	// express a binding that expires at a given instant.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeAppEngingIamBindingConditionArgs) ElementType

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutput

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutputWithContext

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutput

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionInput

// WebTypeAppEngingIamBindingConditionInput is an input type that accepts
// WebTypeAppEngingIamBindingConditionArgs and
// WebTypeAppEngingIamBindingConditionOutput values.
type WebTypeAppEngingIamBindingConditionInput interface {
	pulumi.Input

	// ToWebTypeAppEngingIamBindingConditionOutput returns the value as a WebTypeAppEngingIamBindingConditionOutput.
	ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput
	// ToWebTypeAppEngingIamBindingConditionOutputWithContext does the same with a caller-supplied context.
	ToWebTypeAppEngingIamBindingConditionOutputWithContext(context.Context) WebTypeAppEngingIamBindingConditionOutput
}

WebTypeAppEngingIamBindingConditionInput is an input type that accepts WebTypeAppEngingIamBindingConditionArgs and WebTypeAppEngingIamBindingConditionOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingConditionInput` via:

WebTypeAppEngingIamBindingConditionArgs{...}

type WebTypeAppEngingIamBindingConditionOutput

// WebTypeAppEngingIamBindingConditionOutput embeds *pulumi.OutputState; its
// Description, Expression and Title methods expose the condition's fields.
type WebTypeAppEngingIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamBindingConditionOutput) ElementType

func (WebTypeAppEngingIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutput

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutputWithContext

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionPtrInput

// WebTypeAppEngingIamBindingConditionPtrInput is an input type that accepts
// WebTypeAppEngingIamBindingConditionArgs, WebTypeAppEngingIamBindingConditionPtr
// and WebTypeAppEngingIamBindingConditionPtrOutput values; nil stands for an
// absent condition.
type WebTypeAppEngingIamBindingConditionPtrInput interface {
	pulumi.Input

	// ToWebTypeAppEngingIamBindingConditionPtrOutput returns the value as a WebTypeAppEngingIamBindingConditionPtrOutput.
	ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput
	// ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext does the same with a caller-supplied context.
	ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(context.Context) WebTypeAppEngingIamBindingConditionPtrOutput
}

WebTypeAppEngingIamBindingConditionPtrInput is an input type that accepts WebTypeAppEngingIamBindingConditionArgs, WebTypeAppEngingIamBindingConditionPtr and WebTypeAppEngingIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingConditionPtrInput` via:

        WebTypeAppEngingIamBindingConditionArgs{...}

or:

        nil

type WebTypeAppEngingIamBindingConditionPtrOutput

// WebTypeAppEngingIamBindingConditionPtrOutput is an output type that embeds
// *pulumi.OutputState; its Description, Expression and Title accessors are
// listed below.
type WebTypeAppEngingIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamBindingConditionPtrOutput) Elem

func (WebTypeAppEngingIamBindingConditionPtrOutput) ElementType

func (WebTypeAppEngingIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput

func (o WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext

func (o WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingInput

// WebTypeAppEngingIamBindingInput is implemented by values that can be converted
// to a WebTypeAppEngingIamBindingOutput, either directly or with an explicit
// context.Context. It also embeds pulumi.Input.
type WebTypeAppEngingIamBindingInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput
	ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput
}

type WebTypeAppEngingIamBindingMap

// WebTypeAppEngingIamBindingMap maps string keys to WebTypeAppEngingIamBindingInput values.
type WebTypeAppEngingIamBindingMap map[string]WebTypeAppEngingIamBindingInput

func (WebTypeAppEngingIamBindingMap) ElementType

func (WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutput

func (i WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput

func (WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutputWithContext

func (i WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingMapInput

// WebTypeAppEngingIamBindingMapInput is implemented by values that can be
// converted to a WebTypeAppEngingIamBindingMapOutput, either directly or with an
// explicit context.Context. It also embeds pulumi.Input.
type WebTypeAppEngingIamBindingMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput
	ToWebTypeAppEngingIamBindingMapOutputWithContext(context.Context) WebTypeAppEngingIamBindingMapOutput
}

WebTypeAppEngingIamBindingMapInput is an input type that accepts WebTypeAppEngingIamBindingMap and WebTypeAppEngingIamBindingMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingMapInput` via:

WebTypeAppEngingIamBindingMap{ "key": WebTypeAppEngingIamBindingArgs{...} }

type WebTypeAppEngingIamBindingMapOutput

// WebTypeAppEngingIamBindingMapOutput is an output type that embeds
// *pulumi.OutputState; a MapIndex method is listed for it below.
type WebTypeAppEngingIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingMapOutput) ElementType

func (WebTypeAppEngingIamBindingMapOutput) MapIndex

func (WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutput

func (o WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput

func (WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutputWithContext

func (o WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingOutput

// WebTypeAppEngingIamBindingOutput is an output type that embeds
// *pulumi.OutputState; its AppId, Condition, Etag, Members, Project and Role
// accessors are listed below.
type WebTypeAppEngingIamBindingOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeAppEngingIamBindingOutput) ElementType

func (WebTypeAppEngingIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamBindingOutput) Members added in v6.23.0

func (WebTypeAppEngingIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutput

func (o WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput

func (WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutputWithContext

func (o WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingState

// WebTypeAppEngingIamBindingState carries the state properties of a
// WebTypeAppEngingIamBinding. Every field is a Ptr or Array input type.
type WebTypeAppEngingIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	Members pulumi.StringArrayInput // Identities granted Role; accepted forms are listed under Project below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the `member/members` list that follows describes the values accepted by
	// Members, not Project; it looks like it was merged into this comment during doc generation.
	// allUsers and allAuthenticatedUsers match identities outside your organization, so a
	// binding that lists either one grants Role publicly.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeAppEngingIamBindingState) ElementType

type WebTypeAppEngingIamMember

// WebTypeAppEngingIamMember is the resource type for a single-member IAM grant on
// the Identity-Aware Proxy App Engine web resource. It embeds
// pulumi.CustomResourceState and exposes the grant's properties as outputs.
type WebTypeAppEngingIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	Member pulumi.StringOutput `pulumi:"member"` // Identity granted Role; accepted forms are listed under Project below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the `member/members` list that follows describes the values accepted by
	// Member, not Project; it looks like it was merged into this comment during doc generation.
	// allUsers and allAuthenticatedUsers match identities outside your organization, so a
	// grant to either one applies Role publicly.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached.
* `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved.
* `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data when you do not need to create it:

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_type\_app\_engine\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

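// main sets the complete IAM policy on the Identity-Aware Proxy App Engine web
// resource.
//
// WebTypeAppEngingIamPolicy is authoritative: the policy built here replaces
// any policy already attached, so every binding that must remain in effect has
// to appear in Bindings.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the desired bindings into policy data.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_application.App is not declared in
		// this snippet; it stands for an App Engine application resource
		// defined elsewhere in the program.
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			// pulumi.String(...) is a value conversion, not a pointer, so it
			// must not be dereferenced with `*`.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}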

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

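// main sets the complete IAM policy on the Identity-Aware Proxy App Engine web
// resource, with an IAM Condition attached to the binding.
//
// WebTypeAppEngingIamPolicy is authoritative: the policy built here replaces
// any policy already attached, so every binding that must remain in effect has
// to appear in Bindings.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the desired bindings into policy data.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct-field value needs its literal type spelled out;
					// a bare `{` does not compile here.
					// NOTE: the timestamp below is already in the past, and a
					// `request.time < T` condition stops matching once T has
					// passed; choose a future value when adapting this.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): google_app_engine_application.App is not declared in
		// this snippet; it stands for an App Engine application resource
		// defined elsewhere in the program.
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			// pulumi.String(...) is a value conversion, not a pointer, so it
			// must not be dereferenced with `*`.
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}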

```

## google\_iap\_web\_type\_app\_engine\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the Identity-Aware Proxy
// App Engine web resource to the listed members.
//
// WebTypeAppEngingIamBinding is authoritative for its role, so Members is the
// full member list for that role; other roles in the policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_application.App is not declared in
		// this snippet; it stands for an App Engine application resource
		// defined elsewhere in the program.
		bindingArgs := &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the Identity-Aware Proxy
// App Engine web resource to the listed members, subject to an IAM Condition.
//
// WebTypeAppEngingIamBinding is authoritative for its role, so Members is the
// full member list for that role; other roles in the policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE: the timestamp in Expression is already in the past, and a
		// `request.time < T` condition stops matching once T has passed;
		// choose a future value when adapting this.
		expiry := &iap.WebTypeAppEngingIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// NOTE(review): google_app_engine_application.App is not declared in
		// this snippet; it stands for an App Engine application resource
		// defined elsewhere in the program.
		bindingArgs := &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		if _, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## google\_iap\_web\_type\_app\_engine\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the Identity-Aware Proxy
// App Engine web resource to a single member.
//
// WebTypeAppEngingIamMember is non-authoritative: other members already
// holding the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): google_app_engine_application.App is not declared in
		// this snippet; it stands for an App Engine application resource
		// defined elsewhere in the program.
		memberArgs := &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		if _, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the Identity-Aware Proxy
// App Engine web resource to a single member, subject to an IAM Condition.
//
// WebTypeAppEngingIamMember is non-authoritative: other members already
// holding the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE: the timestamp in Expression is already in the past, and a
		// `request.time < T` condition stops matching once T has passed;
		// choose a future value when adapting this.
		expiry := &iap.WebTypeAppEngingIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// NOTE(review): google_app_engine_application.App is not declared in
		// this snippet; it stands for an App Engine application resource
		// defined elsewhere in the program.
		memberArgs := &iap.WebTypeAppEngingIamMemberArgs{
			Project:   pulumi.Any(google_app_engine_application.App.Project),
			AppId:     pulumi.Any(google_app_engine_application.App.App_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		if _, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}
* {{project}}/{{appId}}
* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

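IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g. (the command below is shown with the `WebTypeAppEngingIamMember` type token; when importing a binding, use the type token of the `WebTypeAppEngingIamBinding` resource instead)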

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor"

```

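IAM policy imports use the identifier of the resource in question, e.g. (the command below is shown with the `WebTypeAppEngingIamMember` type token; when importing a policy, use the type token of the `WebTypeAppEngingIamPolicy` resource instead)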

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}

```

> **Custom Roles:** If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamMember

func GetWebTypeAppEngingIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamMemberState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamMember, error)

GetWebTypeAppEngingIamMember gets an existing WebTypeAppEngingIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamMember

func NewWebTypeAppEngingIamMember(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamMemberArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamMember, error)

NewWebTypeAppEngingIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamMember) ElementType

func (*WebTypeAppEngingIamMember) ElementType() reflect.Type

func (*WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutput

func (i *WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput

func (*WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutputWithContext

func (i *WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberArgs

// WebTypeAppEngingIamMemberArgs is the set of arguments for constructing a
// WebTypeAppEngingIamMember resource. AppId, Member and Role are non-pointer
// inputs; Condition and Project are Ptr inputs.
type WebTypeAppEngingIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrInput
	Member    pulumi.StringInput // Identity granted Role; accepted forms are listed under Project below.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the `member/members` list that follows describes the values accepted by
	// Member, not Project; it looks like it was merged into this comment during doc generation.
	// allUsers and allAuthenticatedUsers match identities outside your organization, so a
	// grant to either one applies Role publicly.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeAppEngingIamMember resource.

func (WebTypeAppEngingIamMemberArgs) ElementType

type WebTypeAppEngingIamMemberArray

// WebTypeAppEngingIamMemberArray is a slice of WebTypeAppEngingIamMemberInput values.
type WebTypeAppEngingIamMemberArray []WebTypeAppEngingIamMemberInput

func (WebTypeAppEngingIamMemberArray) ElementType

func (WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutput

func (i WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput

func (WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutputWithContext

func (i WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberArrayInput

// WebTypeAppEngingIamMemberArrayInput is implemented by values that can be
// converted to a WebTypeAppEngingIamMemberArrayOutput, either directly or with
// an explicit context.Context. It also embeds pulumi.Input.
type WebTypeAppEngingIamMemberArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput
	ToWebTypeAppEngingIamMemberArrayOutputWithContext(context.Context) WebTypeAppEngingIamMemberArrayOutput
}

WebTypeAppEngingIamMemberArrayInput is an input type that accepts WebTypeAppEngingIamMemberArray and WebTypeAppEngingIamMemberArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberArrayInput` via:

WebTypeAppEngingIamMemberArray{ WebTypeAppEngingIamMemberArgs{...} }

type WebTypeAppEngingIamMemberArrayOutput

// WebTypeAppEngingIamMemberArrayOutput is an output type that embeds
// *pulumi.OutputState; an Index method is listed for it below.
type WebTypeAppEngingIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberArrayOutput) ElementType

func (WebTypeAppEngingIamMemberArrayOutput) Index

func (WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutput

func (o WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput

func (WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutputWithContext

func (o WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberCondition

// WebTypeAppEngingIamMemberCondition is the plain-value form of an IAM Condition
// on a member grant: a required Title and Expression plus an optional
// Description (a *string).
type WebTypeAppEngingIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a time bound of the form
	// `request.time < timestamp("...")`.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeAppEngingIamMemberConditionArgs

// WebTypeAppEngingIamMemberConditionArgs is the input form of an IAM Condition
// on a member grant: Title and Expression are non-pointer inputs and
// Description is a Ptr input.
type WebTypeAppEngingIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// The examples on this page use a time bound of the form
	// `request.time < timestamp("...")`.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeAppEngingIamMemberConditionArgs) ElementType

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutput

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutputWithContext

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutput

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionInput

// WebTypeAppEngingIamMemberConditionInput is implemented by values that can be
// converted to a WebTypeAppEngingIamMemberConditionOutput, either directly or
// with an explicit context.Context. It also embeds pulumi.Input.
type WebTypeAppEngingIamMemberConditionInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput
	ToWebTypeAppEngingIamMemberConditionOutputWithContext(context.Context) WebTypeAppEngingIamMemberConditionOutput
}

WebTypeAppEngingIamMemberConditionInput is an input type that accepts WebTypeAppEngingIamMemberConditionArgs and WebTypeAppEngingIamMemberConditionOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberConditionInput` via:

WebTypeAppEngingIamMemberConditionArgs{...}

type WebTypeAppEngingIamMemberConditionOutput

// WebTypeAppEngingIamMemberConditionOutput is an output type that embeds
// *pulumi.OutputState; its Description, Expression and Title accessors are
// listed below.
type WebTypeAppEngingIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamMemberConditionOutput) ElementType

func (WebTypeAppEngingIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutput

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutputWithContext

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionPtrInput

// WebTypeAppEngingIamMemberConditionPtrInput is implemented by values that can be
// converted to a WebTypeAppEngingIamMemberConditionPtrOutput, either directly or
// with an explicit context.Context. It also embeds pulumi.Input.
type WebTypeAppEngingIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput
	ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(context.Context) WebTypeAppEngingIamMemberConditionPtrOutput
}

WebTypeAppEngingIamMemberConditionPtrInput is an input type that accepts WebTypeAppEngingIamMemberConditionArgs, WebTypeAppEngingIamMemberConditionPtr and WebTypeAppEngingIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberConditionPtrInput` via:

        WebTypeAppEngingIamMemberConditionArgs{...}

or:

        nil

type WebTypeAppEngingIamMemberConditionPtrOutput

// WebTypeAppEngingIamMemberConditionPtrOutput is an output type that embeds
// *pulumi.OutputState; its Description, Elem, Expression and Title methods are
// listed below.
type WebTypeAppEngingIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamMemberConditionPtrOutput) Elem

func (WebTypeAppEngingIamMemberConditionPtrOutput) ElementType

func (WebTypeAppEngingIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput

func (o WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext

func (o WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberInput

// WebTypeAppEngingIamMemberInput is a pulumi.Input that also declares the two
// conversions to WebTypeAppEngingIamMemberOutput.
type WebTypeAppEngingIamMemberInput interface {
	pulumi.Input

	// Conversion that takes no explicit context.
	ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput
	// Same conversion, taking a caller-supplied context.Context.
	ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput
}

type WebTypeAppEngingIamMemberMap

// WebTypeAppEngingIamMemberMap is a string-keyed map of
// WebTypeAppEngingIamMemberInput values.
type WebTypeAppEngingIamMemberMap map[string]WebTypeAppEngingIamMemberInput

func (WebTypeAppEngingIamMemberMap) ElementType

func (WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutput

func (i WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput

func (WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutputWithContext

func (i WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberMapInput

// WebTypeAppEngingIamMemberMapInput is a pulumi.Input that also declares the
// two conversions to WebTypeAppEngingIamMemberMapOutput. The package
// documentation states that WebTypeAppEngingIamMemberMap and
// WebTypeAppEngingIamMemberMapOutput values are accepted.
type WebTypeAppEngingIamMemberMapInput interface {
	pulumi.Input

	// Conversion that takes no explicit context.
	ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput
	// Same conversion, taking a caller-supplied context.Context.
	ToWebTypeAppEngingIamMemberMapOutputWithContext(context.Context) WebTypeAppEngingIamMemberMapOutput
}

WebTypeAppEngingIamMemberMapInput is an input type that accepts WebTypeAppEngingIamMemberMap and WebTypeAppEngingIamMemberMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberMapInput` via:

WebTypeAppEngingIamMemberMap{ "key": WebTypeAppEngingIamMemberArgs{...} }

type WebTypeAppEngingIamMemberMapOutput

// WebTypeAppEngingIamMemberMapOutput embeds *pulumi.OutputState. The package
// lists ElementType and MapIndex methods on it.
type WebTypeAppEngingIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberMapOutput) ElementType

func (WebTypeAppEngingIamMemberMapOutput) MapIndex

func (WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutput

func (o WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput

func (WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutputWithContext

func (o WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberOutput

// WebTypeAppEngingIamMemberOutput embeds *pulumi.OutputState. The package lists
// AppId, Condition, Etag, Member, Project and Role accessors on it.
type WebTypeAppEngingIamMemberOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeAppEngingIamMemberOutput) ElementType

func (WebTypeAppEngingIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamMemberOutput) Member added in v6.23.0

func (WebTypeAppEngingIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

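  • `member/members` - (Required) Identities that will be granted the privilege in `role`. This list describes member identities, not the project ID documented above. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet, with or without a Google account. Granting a role to it makes the privilege available to unauthenticated callers, so reserve it for resources that are meant to be public.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. This includes accounts outside your organization.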
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutput

func (o WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput

func (WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutputWithContext

func (o WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberState

// WebTypeAppEngingIamMemberState lists the state properties of a
// WebTypeAppEngingIamMember resource. Every field is typed as a pointer input.
//
// Member, the identity granted Role, carries no comment of its own: the
// accepted identity formats are the list that follows the Project description.
type WebTypeAppEngingIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// The list below describes the values accepted by `member/members`, not the project ID.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` extend the role to identities outside
	// your organization; prefer `user`, `group` or `serviceAccount` members unless the resource
	// is meant to be public.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeAppEngingIamMemberState) ElementType

type WebTypeAppEngingIamPolicy

// WebTypeAppEngingIamPolicy is the resource type for the IAM policy of an
// Identity-Aware Proxy WebTypeAppEngine. The resource description calls it
// authoritative: it sets the IAM policy and replaces any existing policy
// already attached.
type WebTypeAppEngingIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// The list below describes `member/members` identity formats, not the project ID.
	// NOTE(review): this type has no member field; presumably these identities appear
	// inside the policy data. Confirm against the provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached.
* `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved.
* `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

Because the authoritative forms overwrite what is already attached, grants that exist only outside the program (anywhere in the policy for `IamPolicy`, or on the same role for `IamBinding`) are removed when the resource is applied.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_type\_app\_engine\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

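// main builds IAM policy data with organizations.LookupIAMPolicy and attaches
// it to the IAP resource of an App Engine application.
//
// iap.WebTypeAppEngingIamPolicy is authoritative: it replaces any policy
// already attached, so every binding that should survive must be present in
// the looked-up policy data.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_app_engine_application.App is not declared in this example; it
		// stands for an App Engine application resource defined elsewhere.
		//
		// PolicyData takes a pulumi.StringInput. pulumi.String(...) is already such
		// a value, so it is passed directly instead of being dereferenced with `*`.
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_application.App.Project),
			AppId:      pulumi.Any(google_app_engine_application.App.App_id),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}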

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

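// main builds IAM policy data whose single binding carries an IAM Condition
// and attaches it to the IAP resource of an App Engine application.
//
// iap.WebTypeAppEngingIamPolicy is authoritative: it replaces any policy
// already attached, so every binding that should survive must be present in
// the looked-up policy data.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A composite literal used as a struct field value must name its
					// type. NOTE(review): assumes the field is a pointer to
					// organizations.GetIAMPolicyBindingCondition; confirm against the
					// organizations package.
					//
					// The sample expression stops matching at 2020-01-01T00:00:00Z, so
					// the binding grants nothing after that instant; use a future
					// timestamp when adapting it.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// google_app_engine_application.App is not declared in this example; it
		// stands for an App Engine application resource defined elsewhere.
		//
		// PolicyData takes a pulumi.StringInput. pulumi.String(...) is already such
		// a value, so it is passed directly instead of being dereferenced with `*`.
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(google_app_engine_application.App.Project),
			AppId:      pulumi.Any(google_app_engine_application.App.App_id),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}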

```

## google\_iap\_web\_type\_app\_engine\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the IAP resource of an App
// Engine application to one user through an IamBinding, which is authoritative
// for that role: members of the role not listed here are dropped.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_app_engine_application.App is not declared in this example; it
		// stands for an App Engine application resource defined elsewhere.
		bindingArgs := &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the IAP resource of an App
// Engine application to one user through an IamBinding that carries an IAM
// Condition. The binding is authoritative for that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expression stops matching at 2020-01-01T00:00:00Z; use a
		// future timestamp when adapting it.
		expiry := &iap.WebTypeAppEngingIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_app_engine_application.App is not declared in this example; it
		// stands for an App Engine application resource defined elsewhere.
		bindingArgs := &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_type\_app\_engine\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the IAP resource of an App
// Engine application to one user through an IamMember, which is
// non-authoritative: other members of the role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// google_app_engine_application.App is not declared in this example; it
		// stands for an App Engine application resource defined elsewhere.
		memberArgs := &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(google_app_engine_application.App.Project),
			AppId:   pulumi.Any(google_app_engine_application.App.App_id),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the IAP resource of an App
// Engine application to one user through an IamMember that carries an IAM
// Condition. The member resource is non-authoritative: other members of the
// role are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expression stops matching at 2020-01-01T00:00:00Z; use a
		// future timestamp when adapting it.
		expiry := &iap.WebTypeAppEngingIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_app_engine_application.App is not declared in this example; it
		// stands for an App Engine application resource defined elsewhere.
		memberArgs := &iap.WebTypeAppEngingIamMemberArgs{
			Project:   pulumi.Any(google_app_engine_application.App.Project),
			AppId:     pulumi.Any(google_app_engine_application.App.App_id),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}
* {{project}}/{{appId}}
* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}

```

**Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamPolicy

func GetWebTypeAppEngingIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamPolicyState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamPolicy, error)

GetWebTypeAppEngingIamPolicy gets an existing WebTypeAppEngingIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamPolicy

func NewWebTypeAppEngingIamPolicy(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamPolicy, error)

NewWebTypeAppEngingIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamPolicy) ElementType

func (*WebTypeAppEngingIamPolicy) ElementType() reflect.Type

func (*WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutput

func (i *WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput

func (*WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutputWithContext

func (i *WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyArgs

// WebTypeAppEngingIamPolicyArgs is the set of arguments for constructing a
// WebTypeAppEngingIamPolicy resource. The resource description calls that
// resource authoritative: the supplied policy data replaces any existing
// policy already attached.
type WebTypeAppEngingIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// The list below describes `member/members` identity formats, not the project ID.
	// NOTE(review): this type has no member field; presumably these identities appear
	// inside the policy data. Confirm against the provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebTypeAppEngingIamPolicy resource.

func (WebTypeAppEngingIamPolicyArgs) ElementType

type WebTypeAppEngingIamPolicyArray

// WebTypeAppEngingIamPolicyArray is a slice of WebTypeAppEngingIamPolicyInput
// values.
type WebTypeAppEngingIamPolicyArray []WebTypeAppEngingIamPolicyInput

func (WebTypeAppEngingIamPolicyArray) ElementType

func (WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutput

func (i WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput

func (WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutputWithContext

func (i WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyArrayInput

// WebTypeAppEngingIamPolicyArrayInput is a pulumi.Input that also declares the
// two conversions to WebTypeAppEngingIamPolicyArrayOutput. The package
// documentation states that WebTypeAppEngingIamPolicyArray and
// WebTypeAppEngingIamPolicyArrayOutput values are accepted.
type WebTypeAppEngingIamPolicyArrayInput interface {
	pulumi.Input

	// Conversion that takes no explicit context.
	ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput
	// Same conversion, taking a caller-supplied context.Context.
	ToWebTypeAppEngingIamPolicyArrayOutputWithContext(context.Context) WebTypeAppEngingIamPolicyArrayOutput
}

WebTypeAppEngingIamPolicyArrayInput is an input type that accepts WebTypeAppEngingIamPolicyArray and WebTypeAppEngingIamPolicyArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamPolicyArrayInput` via:

WebTypeAppEngingIamPolicyArray{ WebTypeAppEngingIamPolicyArgs{...} }

type WebTypeAppEngingIamPolicyArrayOutput

// WebTypeAppEngingIamPolicyArrayOutput embeds *pulumi.OutputState. The package
// lists ElementType and Index methods on it.
type WebTypeAppEngingIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyArrayOutput) ElementType

func (WebTypeAppEngingIamPolicyArrayOutput) Index

func (WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutput

func (o WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput

func (WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutputWithContext

func (o WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyInput

// WebTypeAppEngingIamPolicyInput is a pulumi.Input that also declares the two
// conversions to WebTypeAppEngingIamPolicyOutput.
type WebTypeAppEngingIamPolicyInput interface {
	pulumi.Input

	// Conversion that takes no explicit context.
	ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput
	// Same conversion, taking a caller-supplied context.Context.
	ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput
}

type WebTypeAppEngingIamPolicyMap

// WebTypeAppEngingIamPolicyMap is a string-keyed map of
// WebTypeAppEngingIamPolicyInput values.
type WebTypeAppEngingIamPolicyMap map[string]WebTypeAppEngingIamPolicyInput

func (WebTypeAppEngingIamPolicyMap) ElementType

func (WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutput

func (i WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput

func (WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutputWithContext

func (i WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyMapInput

// WebTypeAppEngingIamPolicyMapInput is a pulumi.Input that also declares the
// two conversions to WebTypeAppEngingIamPolicyMapOutput. The package
// documentation states that WebTypeAppEngingIamPolicyMap and
// WebTypeAppEngingIamPolicyMapOutput values are accepted.
type WebTypeAppEngingIamPolicyMapInput interface {
	pulumi.Input

	// Conversion that takes no explicit context.
	ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput
	// Same conversion, taking a caller-supplied context.Context.
	ToWebTypeAppEngingIamPolicyMapOutputWithContext(context.Context) WebTypeAppEngingIamPolicyMapOutput
}

WebTypeAppEngingIamPolicyMapInput is an input type that accepts WebTypeAppEngingIamPolicyMap and WebTypeAppEngingIamPolicyMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamPolicyMapInput` via:

WebTypeAppEngingIamPolicyMap{ "key": WebTypeAppEngingIamPolicyArgs{...} }

type WebTypeAppEngingIamPolicyMapOutput

// WebTypeAppEngingIamPolicyMapOutput embeds *pulumi.OutputState. The package
// lists ElementType and MapIndex methods on it.
type WebTypeAppEngingIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyMapOutput) ElementType

func (WebTypeAppEngingIamPolicyMapOutput) MapIndex

func (WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutput

func (o WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput

func (WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutputWithContext

func (o WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyOutput

// WebTypeAppEngingIamPolicyOutput embeds *pulumi.OutputState. The package lists
// AppId, Etag, PolicyData and Project accessors on it.
type WebTypeAppEngingIamPolicyOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyOutput) AppId added in v6.23.0

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamPolicyOutput) ElementType

func (WebTypeAppEngingIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamPolicyOutput) PolicyData added in v6.23.0

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebTypeAppEngingIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

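  • `member/members` - (Required) Identities that will be granted the privilege in `role`. This list describes member identities, not the project ID documented above. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet, with or without a Google account. Granting a role to it makes the privilege available to unauthenticated callers, so reserve it for resources that are meant to be public.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. This includes accounts outside your organization.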
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutput

func (o WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput

func (WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutputWithContext

func (o WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyState

// WebTypeAppEngingIamPolicyState lists the state properties of a
// WebTypeAppEngingIamPolicy resource. GetWebTypeAppEngingIamPolicy accepts it
// as the optional state used to qualify a lookup. Every field is typed as a
// pointer input.
type WebTypeAppEngingIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to.
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// The list below describes `member/members` identity formats, not the project ID.
	// NOTE(review): this type has no member field; presumably these identities appear
	// inside the policy data. Confirm against the provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Project pulumi.StringPtrInput
}

func (WebTypeAppEngingIamPolicyState) ElementType

type WebTypeComputeIamBinding

// WebTypeComputeIamBinding is the resource that is authoritative for a single
// role in the IAM policy of the Identity-Aware Proxy webtypecompute: it grants
// Role to the list in Members and preserves the other roles in the policy.
type WebTypeComputeIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringOutput      `pulumi:"etag"`
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the entries below describe the values accepted in Members
	// (`member/members`), not values of Project; the generated documentation
	// lists them under this field.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not restricted to
	// your organization. Granting an IAP role to either one opens the protected
	// resource to the identities described above, so prefer `user:`, `group:` or
	// `serviceAccount:` members and review any binding that contains them.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached.
* `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved.
* `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_type\_compute\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

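// main builds an IAM policy document with one binding and applies it to the
// Identity-Aware Proxy webtypecompute of a project.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The policy document holds a single binding that lets one named user
		// through IAP.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebTypeComputeIamPolicy is authoritative: applying it replaces any IAM
		// policy already attached, so every grant that must survive has to be
		// listed in the policy document above.
		//
		// google_project_service.Project_service.Project is carried over from the
		// upstream example and is not defined here; substitute your own project
		// reference, e.g. pulumi.String("my-project") (constructed sample value).
		//
		// PolicyData takes the string through the pulumi.String conversion; the
		// previous `*pulumi.String(...)` dereferenced a non-pointer value and
		// does not compile.
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(google_project_service.Project_service.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}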

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

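// main builds an IAM policy document with one conditional binding and applies
// it to the Identity-Aware Proxy webtypecompute of a project.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition limits the grant to requests made before the timestamp
		// in Expression. The sample date is in the past, so as written the
		// binding never matches; choose an expiry that fits your deployment.
		//
		// Condition is a struct-typed field, so the literal needs its type
		// spelled out; the previous bare `Condition: {` does not compile.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// WebTypeComputeIamPolicy is authoritative: applying it replaces any IAM
		// policy already attached, so every grant that must survive has to be
		// listed in the policy document above.
		//
		// google_project_service.Project_service.Project is carried over from the
		// upstream example and is not defined here; substitute your own project
		// reference, e.g. pulumi.String("my-project") (constructed sample value).
		//
		// PolicyData takes the string through the pulumi.String conversion; the
		// previous `*pulumi.String(...)` dereferenced a non-pointer value and
		// does not compile.
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(google_project_service.Project_service.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}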

```

## google\_iap\_web\_type\_compute\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the Identity-Aware Proxy
// webtypecompute to a list of members through a role-level binding.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The binding is authoritative for this one role: Members is the list
		// the role is granted to, and other roles in the policy are preserved.
		// google_project_service.Project_service.Project comes from the upstream
		// example and is not defined here; substitute your own project reference.
		bindingArgs := &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor to a list of members through a
// role-level binding that carries an IAM Condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition limits the grant to requests made before the timestamp
		// in Expression. The sample date is in the past, so as written the
		// binding never matches; choose an expiry that fits your deployment.
		expiry := &iap.WebTypeComputeIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_project_service.Project_service.Project comes from the upstream
		// example and is not defined here; substitute your own project reference.
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		})
		return err
	})
}

```

## google\_iap\_web\_type\_compute\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor on the Identity-Aware Proxy
// webtypecompute to one additional member.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The member resource is non-authoritative: it adds one member to the
		// role and preserves the other members already holding it.
		// google_project_service.Project_service.Project comes from the upstream
		// example and is not defined here; substitute your own project reference.
		memberArgs := &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		if _, err := iap.NewWebTypeComputeIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/iap.httpsResourceAccessor to one additional member, with
// an IAM Condition attached to the grant.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition limits the grant to requests made before the timestamp
		// in Expression. The sample date is in the past, so as written the
		// grant never matches; choose an expiry that fits your deployment.
		expiry := &iap.WebTypeComputeIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		// google_project_service.Project_service.Project comes from the upstream
		// example and is not defined here; substitute your own project reference.
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		})
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor projects/{{project}}/iap_web/compute

```

-> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamBinding

func GetWebTypeComputeIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamBindingState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamBinding, error)

GetWebTypeComputeIamBinding gets an existing WebTypeComputeIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamBinding

func NewWebTypeComputeIamBinding(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamBindingArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamBinding, error)

NewWebTypeComputeIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamBinding) ElementType

func (*WebTypeComputeIamBinding) ElementType() reflect.Type

func (*WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutput

func (i *WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput

func (*WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutputWithContext

func (i *WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingArgs

// WebTypeComputeIamBindingArgs is the set of arguments for constructing a
// WebTypeComputeIamBinding resource.
type WebTypeComputeIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrInput
	Members   pulumi.StringArrayInput
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the entries below describe the values accepted in Members
	// (`member/members`), not values of Project; the generated documentation
	// lists them under this field.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not restricted to
	// your organization. Granting an IAP role to either one opens the protected
	// resource to the identities described above, so prefer `user:`, `group:` or
	// `serviceAccount:` members and review any binding that contains them.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeComputeIamBinding resource.

func (WebTypeComputeIamBindingArgs) ElementType

type WebTypeComputeIamBindingArray

type WebTypeComputeIamBindingArray []WebTypeComputeIamBindingInput

func (WebTypeComputeIamBindingArray) ElementType

func (WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutput

func (i WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput

func (WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutputWithContext

func (i WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutputWithContext(ctx context.Context) WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingArrayInput

type WebTypeComputeIamBindingArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput
	ToWebTypeComputeIamBindingArrayOutputWithContext(context.Context) WebTypeComputeIamBindingArrayOutput
}

WebTypeComputeIamBindingArrayInput is an input type that accepts WebTypeComputeIamBindingArray and WebTypeComputeIamBindingArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingArrayInput` via:

WebTypeComputeIamBindingArray{ WebTypeComputeIamBindingArgs{...} }

type WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingArrayOutput) ElementType

func (WebTypeComputeIamBindingArrayOutput) Index

func (WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutput

func (o WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput

func (WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutputWithContext

func (o WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutputWithContext(ctx context.Context) WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingCondition

// WebTypeComputeIamBindingCondition describes the IAM Condition attached to a
// binding: a title, an optional description and an expression in Common
// Expression Language syntax.
type WebTypeComputeIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning covers all three fields of this struct, not only
	// Description. Treat edits to a condition made outside Pulumi as drift to be
	// investigated, since the provider will no longer match the binding it created.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeComputeIamBindingConditionArgs

// WebTypeComputeIamBindingConditionArgs is the input form of the IAM Condition
// attached to a binding: a title, an optional description and an expression in
// Common Expression Language syntax.
type WebTypeComputeIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning covers all three fields of this struct, not only
	// Description. Treat edits to a condition made outside Pulumi as drift to be
	// investigated, since the provider will no longer match the binding it created.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeComputeIamBindingConditionArgs) ElementType

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutput

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutputWithContext

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutput

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutputWithContext

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionInput

type WebTypeComputeIamBindingConditionInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput
	ToWebTypeComputeIamBindingConditionOutputWithContext(context.Context) WebTypeComputeIamBindingConditionOutput
}

WebTypeComputeIamBindingConditionInput is an input type that accepts WebTypeComputeIamBindingConditionArgs and WebTypeComputeIamBindingConditionOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingConditionInput` via:

WebTypeComputeIamBindingConditionArgs{...}

type WebTypeComputeIamBindingConditionOutput

type WebTypeComputeIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamBindingConditionOutput) ElementType

func (WebTypeComputeIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutput

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutputWithContext

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutput

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionPtrInput

type WebTypeComputeIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput
	ToWebTypeComputeIamBindingConditionPtrOutputWithContext(context.Context) WebTypeComputeIamBindingConditionPtrOutput
}

WebTypeComputeIamBindingConditionPtrInput is an input type that accepts WebTypeComputeIamBindingConditionArgs, WebTypeComputeIamBindingConditionPtr and WebTypeComputeIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingConditionPtrInput` via:

        WebTypeComputeIamBindingConditionArgs{...}

or:

        nil

type WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamBindingConditionPtrOutput) Elem

func (WebTypeComputeIamBindingConditionPtrOutput) ElementType

func (WebTypeComputeIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutput

func (o WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext

func (o WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingInput

type WebTypeComputeIamBindingInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput
	ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput
}

type WebTypeComputeIamBindingMap

type WebTypeComputeIamBindingMap map[string]WebTypeComputeIamBindingInput

func (WebTypeComputeIamBindingMap) ElementType

func (WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutput

func (i WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput

func (WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutputWithContext

func (i WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutputWithContext(ctx context.Context) WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingMapInput

type WebTypeComputeIamBindingMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput
	ToWebTypeComputeIamBindingMapOutputWithContext(context.Context) WebTypeComputeIamBindingMapOutput
}

WebTypeComputeIamBindingMapInput is an input type that accepts WebTypeComputeIamBindingMap and WebTypeComputeIamBindingMapOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingMapInput` via:

WebTypeComputeIamBindingMap{ "key": WebTypeComputeIamBindingArgs{...} }

type WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingMapOutput) ElementType

func (WebTypeComputeIamBindingMapOutput) MapIndex

func (WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutput

func (o WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput

func (WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutputWithContext

func (o WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutputWithContext(ctx context.Context) WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeComputeIamBindingOutput) ElementType

func (WebTypeComputeIamBindingOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamBindingOutput) Members added in v6.23.0

func (WebTypeComputeIamBindingOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamBindingOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutput

func (o WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput

func (WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutputWithContext

func (o WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingState

// WebTypeComputeIamBindingState holds the optional state properties that
// GetWebTypeComputeIamBinding accepts to qualify the lookup of an existing
// WebTypeComputeIamBinding resource.
type WebTypeComputeIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag    pulumi.StringPtrInput
	Members pulumi.StringArrayInput
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the entries below describe the values accepted in Members
	// (`member/members`), not values of Project; the generated documentation
	// lists them under this field.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not restricted to
	// your organization. Granting an IAP role to either one opens the protected
	// resource to the identities described above, so prefer `user:`, `group:` or
	// `serviceAccount:` members and review any binding that contains them.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeComputeIamBindingState) ElementType

type WebTypeComputeIamMember

// WebTypeComputeIamMember is the non-authoritative resource for the IAM policy
// of the Identity-Aware Proxy webtypecompute: it grants Role to a single
// Member and preserves the other members for that role.
type WebTypeComputeIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringOutput `pulumi:"etag"`
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project to which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the entries below describe the values accepted in Member
	// (`member/members`), not values of Project; the generated documentation
	// lists them under this field.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// Security note: `allUsers` and `allAuthenticatedUsers` are not restricted to
	// your organization. Granting an IAP role to either one opens the protected
	// resource to the identities described above, so prefer `user:`, `group:` or
	// `serviceAccount:` members and review any grant that names them.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached.
* `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved.
* `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create the policy:

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_type\_compute\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

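// main declares an authoritative IAP WebTypeCompute IAM policy that grants
// roles/iap.httpsResourceAccessor to a single user.
//
// iap.WebTypeComputeIamPolicy replaces any policy already attached to the
// webtypecompute, so every binding that has to remain in force must be
// listed in the LookupIAMPolicy call.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document. Bindings that are not listed here are
		// not part of the policy that gets applied.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			// NOTE(review): google_project_service is not declared anywhere in
			// this listing; it looks like a reference left over from the
			// upstream example. Replace it with your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a type conversion; its result is passed
			// as-is (the original listing dereferenced it, which does not
			// compile).
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}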

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

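// main declares an authoritative IAP WebTypeCompute IAM policy whose single
// binding is restricted by an IAM Condition.
//
// iap.WebTypeComputeIamPolicy replaces any policy already attached to the
// webtypecompute, so every binding that has to remain in force must be
// listed in the LookupIAMPolicy call.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type;
					// the bare `{...}` in the original listing does not compile.
					//
					// The sample expiry (2020-01-01) is already in the past, so
					// this condition no longer matches any request. Use a
					// future timestamp when adapting the example.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			// NOTE(review): google_project_service is not declared anywhere in
			// this listing; it looks like a reference left over from the
			// upstream example. Replace it with your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a type conversion; its result is passed
			// as-is (the original listing dereferenced it, which does not
			// compile).
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}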

```

## google\_iap\_web\_type\_compute\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebTypeComputeIamBinding that grants
// roles/iap.httpsResourceAccessor to one user.
//
// A binding is authoritative for its role: the Members list is the complete
// set of identities holding that role on the webtypecompute, while other
// roles in the policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &iap.WebTypeComputeIamBindingArgs{
			// NOTE(review): google_project_service is not declared in this
			// listing; substitute your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebTypeComputeIamBinding that grants
// roles/iap.httpsResourceAccessor to one user, limited by an IAM Condition.
//
// A binding is authoritative for its role: the Members list is the complete
// set of identities holding that role on the webtypecompute.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry (2020-01-01) is already in the past, so this
		// condition no longer matches any request. Use a future timestamp
		// when adapting the example.
		expiry := &iap.WebTypeComputeIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		bindingArgs := &iap.WebTypeComputeIamBindingArgs{
			// NOTE(review): google_project_service is not declared in this
			// listing; substitute your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}
		if _, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## google\_iap\_web\_type\_compute\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebTypeComputeIamMember that grants
// roles/iap.httpsResourceAccessor to one user.
//
// The member resource is non-authoritative: other members already holding
// the role on the webtypecompute are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &iap.WebTypeComputeIamMemberArgs{
			// NOTE(review): google_project_service is not declared in this
			// listing; substitute your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}
		if _, err := iap.NewWebTypeComputeIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebTypeComputeIamMember that grants
// roles/iap.httpsResourceAccessor to one user, limited by an IAM Condition.
//
// The member resource is non-authoritative: other members already holding
// the role on the webtypecompute are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The sample expiry (2020-01-01) is already in the past, so this
		// condition no longer matches any request. Use a future timestamp
		// when adapting the example.
		expiry := &iap.WebTypeComputeIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}
		memberArgs := &iap.WebTypeComputeIamMemberArgs{
			// NOTE(review): google_project_service is not declared in this
			// listing; substitute your own project ID input.
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}
		if _, err := iap.NewWebTypeComputeIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor projects/{{project}}/iap_web/compute

```

-> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamMember

func GetWebTypeComputeIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamMemberState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamMember, error)

GetWebTypeComputeIamMember gets an existing WebTypeComputeIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamMember

func NewWebTypeComputeIamMember(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamMemberArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamMember, error)

NewWebTypeComputeIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamMember) ElementType

func (*WebTypeComputeIamMember) ElementType() reflect.Type

func (*WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutput

func (i *WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput

func (*WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutputWithContext

func (i *WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberArgs

type WebTypeComputeIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrInput
	Member    pulumi.StringInput // Identity granted the privilege in Role; the accepted forms are listed in the comment on Project.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): the list above describes the Member field, not Project.
	// Because allUsers and allAuthenticatedUsers cover anyone on the internet
	// and anyone with a Google account respectively, a member set to either
	// of them grants Role far beyond your own organisation; review such
	// grants before applying them.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeComputeIamMember resource.

func (WebTypeComputeIamMemberArgs) ElementType

type WebTypeComputeIamMemberArray

type WebTypeComputeIamMemberArray []WebTypeComputeIamMemberInput

func (WebTypeComputeIamMemberArray) ElementType

func (WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutput

func (i WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput

func (WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutputWithContext

func (i WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutputWithContext(ctx context.Context) WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberArrayInput

type WebTypeComputeIamMemberArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput
	ToWebTypeComputeIamMemberArrayOutputWithContext(context.Context) WebTypeComputeIamMemberArrayOutput
}

WebTypeComputeIamMemberArrayInput is an input type that accepts WebTypeComputeIamMemberArray and WebTypeComputeIamMemberArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberArrayInput` via:

WebTypeComputeIamMemberArray{ WebTypeComputeIamMemberArgs{...} }

type WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberArrayOutput) ElementType

func (WebTypeComputeIamMemberArrayOutput) Index

func (WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutput

func (o WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput

func (WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutputWithContext

func (o WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutputWithContext(ctx context.Context) WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberCondition

type WebTypeComputeIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning above concerns the whole condition (title,
	// description and expression), not only this field.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax,
	// for example `request.time < timestamp("2020-01-01T00:00:00Z")`.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeComputeIamMemberConditionArgs

type WebTypeComputeIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	//
	// NOTE(review): the warning above concerns the whole condition (title,
	// description and expression), not only this field.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax,
	// for example `request.time < timestamp("2020-01-01T00:00:00Z")`.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeComputeIamMemberConditionArgs) ElementType

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutput

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutputWithContext

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutput

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutputWithContext

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionInput

type WebTypeComputeIamMemberConditionInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput
	ToWebTypeComputeIamMemberConditionOutputWithContext(context.Context) WebTypeComputeIamMemberConditionOutput
}

WebTypeComputeIamMemberConditionInput is an input type that accepts WebTypeComputeIamMemberConditionArgs and WebTypeComputeIamMemberConditionOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberConditionInput` via:

WebTypeComputeIamMemberConditionArgs{...}

type WebTypeComputeIamMemberConditionOutput

type WebTypeComputeIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamMemberConditionOutput) ElementType

func (WebTypeComputeIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutput

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutputWithContext

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutput

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionPtrInput

type WebTypeComputeIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput
	ToWebTypeComputeIamMemberConditionPtrOutputWithContext(context.Context) WebTypeComputeIamMemberConditionPtrOutput
}

WebTypeComputeIamMemberConditionPtrInput is an input type that accepts WebTypeComputeIamMemberConditionArgs, WebTypeComputeIamMemberConditionPtr and WebTypeComputeIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberConditionPtrInput` via:

        WebTypeComputeIamMemberConditionArgs{...}

or:

        nil

type WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamMemberConditionPtrOutput) Elem

func (WebTypeComputeIamMemberConditionPtrOutput) ElementType

func (WebTypeComputeIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutput

func (o WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext

func (o WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberInput

type WebTypeComputeIamMemberInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput
	ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput
}

type WebTypeComputeIamMemberMap

type WebTypeComputeIamMemberMap map[string]WebTypeComputeIamMemberInput

func (WebTypeComputeIamMemberMap) ElementType

func (WebTypeComputeIamMemberMap) ElementType() reflect.Type

func (WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutput

func (i WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput

func (WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutputWithContext

func (i WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutputWithContext(ctx context.Context) WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberMapInput

type WebTypeComputeIamMemberMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput
	ToWebTypeComputeIamMemberMapOutputWithContext(context.Context) WebTypeComputeIamMemberMapOutput
}

WebTypeComputeIamMemberMapInput is an input type that accepts WebTypeComputeIamMemberMap and WebTypeComputeIamMemberMapOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberMapInput` via:

WebTypeComputeIamMemberMap{ "key": WebTypeComputeIamMemberArgs{...} }

type WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberMapOutput) ElementType

func (WebTypeComputeIamMemberMapOutput) MapIndex

func (WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutput

func (o WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput

func (WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutputWithContext

func (o WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutputWithContext(ctx context.Context) WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberOutput) Condition added in v6.23.0

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeComputeIamMemberOutput) ElementType

func (WebTypeComputeIamMemberOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamMemberOutput) Member added in v6.23.0

func (WebTypeComputeIamMemberOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamMemberOutput) Role added in v6.23.0

The role that should be applied. Only one `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutput

func (o WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput

func (WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutputWithContext

func (o WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberState

type WebTypeComputeIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag   pulumi.StringPtrInput
	Member pulumi.StringPtrInput // Identity granted the privilege in Role; the accepted forms are listed in the comment on Project.
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): the list above describes the Member field, not Project.
	// Because allUsers and allAuthenticatedUsers cover anyone on the internet
	// and anyone with a Google account respectively, a member set to either
	// of them grants Role far beyond your own organisation; review such
	// grants before applying them.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeComputeIamMemberState) ElementType

type WebTypeComputeIamPolicy

type WebTypeComputeIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	//
	// This resource is authoritative: it sets the IAM policy for the
	// webtypecompute and replaces any existing policy already attached, so
	// the policy data must contain every binding that should remain.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): this struct has no member/members field; the identity
	// list above appears to be carried over from the binding and member
	// resources. For this resource, identities are presumably supplied
	// through the bindings encoded in PolicyData.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached.
* `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved.
* `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in the event that you do not need to create a policy:

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## google\_iap\_web\_type\_compute\_iam\_policy

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

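// main declares an authoritative IAP WebTypeCompute IAM policy that grants
// roles/iap.httpsResourceAccessor to a single user.
//
// iap.WebTypeComputeIamPolicy replaces any policy already attached to the
// webtypecompute, so every binding that has to remain in force must be
// listed in the LookupIAMPolicy call.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Build the policy document. Bindings that are not listed here are
		// not part of the policy that gets applied.
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			// NOTE(review): google_project_service is not declared anywhere in
			// this listing; it looks like a reference left over from the
			// upstream example. Replace it with your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a type conversion; its result is passed
			// as-is (the original listing dereferenced it, which does not
			// compile).
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}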

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

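// main declares an authoritative IAP WebTypeCompute IAM policy whose single
// binding is restricted by an IAM Condition.
//
// iap.WebTypeComputeIamPolicy replaces any policy already attached to the
// webtypecompute, so every binding that has to remain in force must be
// listed in the LookupIAMPolicy call.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					// A struct field needs an explicit composite-literal type;
					// the bare `{...}` in the original listing does not compile.
					//
					// The sample expiry (2020-01-01) is already in the past, so
					// this condition no longer matches any request. Use a
					// future timestamp when adapting the example.
					Condition: &organizations.GetIAMPolicyBindingCondition{
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			// NOTE(review): google_project_service is not declared anywhere in
			// this listing; it looks like a reference left over from the
			// upstream example. Replace it with your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			// pulumi.String(...) is a type conversion; its result is passed
			// as-is (the original listing dereferenced it, which does not
			// compile).
			PolicyData: pulumi.String(admin.PolicyData),
		})
		return err
	})
}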

```

## google\_iap\_web\_type\_compute\_iam\_binding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main registers an iap.WebTypeComputeIamBinding that grants
// roles/iap.httpsResourceAccessor to one user.
//
// A binding is authoritative for its role: the Members list is the complete
// set of identities holding that role on the webtypecompute, while other
// roles in the policy are preserved.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &iap.WebTypeComputeIamBindingArgs{
			// NOTE(review): google_project_service is not declared in this
			// listing; substitute your own project ID input.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main declares one IAM binding, restricted by an IAM Condition, on the
// project's IAP web/compute resource.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition's expression holds only for requests made before
		// 2020-01-01T00:00:00Z. With this literal timestamp the grant no longer
		// applies; use a timestamp in the future when adapting the example.
		expiry := &iap.WebTypeComputeIamBindingConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}

		bindingArgs := &iap.WebTypeComputeIamBindingArgs{
			// NOTE(review): google_project_service.Project_service is not declared in
			// this listing; presumably a resource defined elsewhere. Confirm.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: expiry,
		}

		// The resource handle is not needed afterwards; only the error is reported.
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## google\_iap\_web\_type\_compute\_iam\_member

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants one role to one identity on the project's IAP web/compute resource.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &iap.WebTypeComputeIamMemberArgs{
			// NOTE(review): google_project_service.Project_service is not declared in
			// this listing; presumably a resource defined elsewhere. Confirm.
			Project: pulumi.Any(google_project_service.Project_service.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		}

		// The resource handle is not needed afterwards; only the error is reported.
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

With IAM Conditions:

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants one role to one identity, restricted by an IAM Condition, on the
// project's IAP web/compute resource.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The condition's expression holds only for requests made before
		// 2020-01-01T00:00:00Z. With this literal timestamp the grant no longer
		// applies; use a timestamp in the future when adapting the example.
		expiry := &iap.WebTypeComputeIamMemberConditionArgs{
			Title:       pulumi.String("expires_after_2019_12_31"),
			Description: pulumi.String("Expiring at midnight of 2019-12-31"),
			Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
		}

		memberArgs := &iap.WebTypeComputeIamMemberArgs{
			// NOTE(review): google_project_service.Project_service is not declared in
			// this listing; presumably a resource defined elsewhere. Confirm.
			Project:   pulumi.Any(google_project_service.Project_service.Project),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: expiry,
		}

		// The resource handle is not needed afterwards; only the error is reported.
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute
* {{project}}

Any variables not passed in the import command will be taken from the provider configuration. Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member. IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com"

```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor"

```

IAM policy imports use the identifier of the resource in question, e.g.

```sh

$ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor projects/{{project}}/iap_web/compute

```

-> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamPolicy

func GetWebTypeComputeIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamPolicyState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamPolicy, error)

GetWebTypeComputeIamPolicy gets an existing WebTypeComputeIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamPolicy

func NewWebTypeComputeIamPolicy(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamPolicy, error)

NewWebTypeComputeIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamPolicy) ElementType

func (*WebTypeComputeIamPolicy) ElementType() reflect.Type

func (*WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutput

func (i *WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput

func (*WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutputWithContext

func (i *WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyArgs

// WebTypeComputeIamPolicyArgs is the set of arguments for constructing a
// WebTypeComputeIamPolicy resource.
type WebTypeComputeIamPolicyArgs struct {
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the `member/members` values of an IAM
	// binding, not this Project field. This struct has no member field, so for a
	// policy resource the identities are presumably carried inside PolicyData.
	// Confirm against the provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to identities of your own
	// organization; review any policy document that names them before applying it.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebTypeComputeIamPolicy resource.

func (WebTypeComputeIamPolicyArgs) ElementType

type WebTypeComputeIamPolicyArray

// WebTypeComputeIamPolicyArray is a slice of WebTypeComputeIamPolicyInput values.
type WebTypeComputeIamPolicyArray []WebTypeComputeIamPolicyInput

func (WebTypeComputeIamPolicyArray) ElementType

func (WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutput

func (i WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput

func (WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutputWithContext

func (i WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyArrayInput

// WebTypeComputeIamPolicyArrayInput is implemented by values that can be
// converted to a WebTypeComputeIamPolicyArrayOutput.
type WebTypeComputeIamPolicyArrayInput interface {
	pulumi.Input

	// ToWebTypeComputeIamPolicyArrayOutput returns the value as a WebTypeComputeIamPolicyArrayOutput.
	ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput
	// ToWebTypeComputeIamPolicyArrayOutputWithContext is the same conversion, taking a context.Context.
	ToWebTypeComputeIamPolicyArrayOutputWithContext(context.Context) WebTypeComputeIamPolicyArrayOutput
}

WebTypeComputeIamPolicyArrayInput is an input type that accepts WebTypeComputeIamPolicyArray and WebTypeComputeIamPolicyArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamPolicyArrayInput` via:

WebTypeComputeIamPolicyArray{ WebTypeComputeIamPolicyArgs{...} }

type WebTypeComputeIamPolicyArrayOutput

// WebTypeComputeIamPolicyArrayOutput is the output type returned by the
// ToWebTypeComputeIamPolicyArrayOutput conversions; it embeds *pulumi.OutputState.
type WebTypeComputeIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyArrayOutput) ElementType

func (WebTypeComputeIamPolicyArrayOutput) Index

func (WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutput

func (o WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput

func (WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutputWithContext

func (o WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyInput

// WebTypeComputeIamPolicyInput is implemented by values that can be converted
// to a WebTypeComputeIamPolicyOutput.
type WebTypeComputeIamPolicyInput interface {
	pulumi.Input

	// ToWebTypeComputeIamPolicyOutput returns the value as a WebTypeComputeIamPolicyOutput.
	ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput
	// ToWebTypeComputeIamPolicyOutputWithContext is the same conversion, taking a context.Context.
	ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput
}

type WebTypeComputeIamPolicyMap

// WebTypeComputeIamPolicyMap maps string keys to WebTypeComputeIamPolicyInput values.
type WebTypeComputeIamPolicyMap map[string]WebTypeComputeIamPolicyInput

func (WebTypeComputeIamPolicyMap) ElementType

func (WebTypeComputeIamPolicyMap) ElementType() reflect.Type

func (WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutput

func (i WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput

func (WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutputWithContext

func (i WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyMapInput

// WebTypeComputeIamPolicyMapInput is implemented by values that can be
// converted to a WebTypeComputeIamPolicyMapOutput.
type WebTypeComputeIamPolicyMapInput interface {
	pulumi.Input

	// ToWebTypeComputeIamPolicyMapOutput returns the value as a WebTypeComputeIamPolicyMapOutput.
	ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput
	// ToWebTypeComputeIamPolicyMapOutputWithContext is the same conversion, taking a context.Context.
	ToWebTypeComputeIamPolicyMapOutputWithContext(context.Context) WebTypeComputeIamPolicyMapOutput
}

WebTypeComputeIamPolicyMapInput is an input type that accepts WebTypeComputeIamPolicyMap and WebTypeComputeIamPolicyMapOutput values. You can construct a concrete instance of `WebTypeComputeIamPolicyMapInput` via:

WebTypeComputeIamPolicyMap{ "key": WebTypeComputeIamPolicyArgs{...} }

type WebTypeComputeIamPolicyMapOutput

// WebTypeComputeIamPolicyMapOutput is the output type returned by the
// ToWebTypeComputeIamPolicyMapOutput conversions; it embeds *pulumi.OutputState.
type WebTypeComputeIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyMapOutput) ElementType

func (WebTypeComputeIamPolicyMapOutput) MapIndex

func (WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutput

func (o WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput

func (WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutputWithContext

func (o WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyOutput

// WebTypeComputeIamPolicyOutput is the output type returned by the
// ToWebTypeComputeIamPolicyOutput conversions; it embeds *pulumi.OutputState.
type WebTypeComputeIamPolicyOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyOutput) ElementType

func (WebTypeComputeIamPolicyOutput) Etag added in v6.23.0

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamPolicyOutput) PolicyData added in v6.23.0

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebTypeComputeIamPolicyOutput) Project added in v6.23.0

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
  • **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  • **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
  • **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
  • **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutput

func (o WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput

func (WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutputWithContext

func (o WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyState

// WebTypeComputeIamPolicyState holds the optional state properties that
// GetWebTypeComputeIamPolicy accepts to qualify the lookup of an existing
// WebTypeComputeIamPolicy resource.
type WebTypeComputeIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	//
	// NOTE(review): the list below describes the `member/members` values of an IAM
	// binding, not this Project field. This struct has no member field, so for a
	// policy resource the identities are presumably carried inside PolicyData.
	// Confirm against the provider documentation.
	//
	// * `member/members` - (Required) Identities that will be granted the privilege in `role`.
	//   Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// allUsers and allAuthenticatedUsers are not limited to identities of your own
	// organization; review any policy document that names them before applying it.
	Project pulumi.StringPtrInput
}

func (WebTypeComputeIamPolicyState) ElementType
