iap

package
v8.0.0-alpha.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 6, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AppEngineServiceIamBinding

type AppEngineServiceIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineService Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

* {{project}}/{{appId}}/{{service}}

* {{appId}}/{{service}}

* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamBinding

func GetAppEngineServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamBindingState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamBinding, error)

GetAppEngineServiceIamBinding gets an existing AppEngineServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamBinding

func NewAppEngineServiceIamBinding(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamBinding, error)

NewAppEngineServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamBinding) ElementType

func (*AppEngineServiceIamBinding) ElementType() reflect.Type

func (*AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutput

func (i *AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput

func (*AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutputWithContext

func (i *AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingArgs

type AppEngineServiceIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamBinding resource.

func (AppEngineServiceIamBindingArgs) ElementType

type AppEngineServiceIamBindingArray

type AppEngineServiceIamBindingArray []AppEngineServiceIamBindingInput

func (AppEngineServiceIamBindingArray) ElementType

func (AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutput

func (i AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput

func (AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutputWithContext

func (i AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutputWithContext(ctx context.Context) AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingArrayInput

type AppEngineServiceIamBindingArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput
	ToAppEngineServiceIamBindingArrayOutputWithContext(context.Context) AppEngineServiceIamBindingArrayOutput
}

AppEngineServiceIamBindingArrayInput is an input type that accepts AppEngineServiceIamBindingArray and AppEngineServiceIamBindingArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingArrayInput` via:

AppEngineServiceIamBindingArray{ AppEngineServiceIamBindingArgs{...} }

type AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingArrayOutput) ElementType

func (AppEngineServiceIamBindingArrayOutput) Index

func (AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutput

func (o AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput

func (AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutputWithContext

func (o AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutputWithContext(ctx context.Context) AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingCondition

type AppEngineServiceIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineServiceIamBindingConditionArgs

type AppEngineServiceIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineServiceIamBindingConditionArgs) ElementType

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutput

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutputWithContext

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutput

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutputWithContext

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionInput

type AppEngineServiceIamBindingConditionInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput
	ToAppEngineServiceIamBindingConditionOutputWithContext(context.Context) AppEngineServiceIamBindingConditionOutput
}

AppEngineServiceIamBindingConditionInput is an input type that accepts AppEngineServiceIamBindingConditionArgs and AppEngineServiceIamBindingConditionOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingConditionInput` via:

AppEngineServiceIamBindingConditionArgs{...}

type AppEngineServiceIamBindingConditionOutput

type AppEngineServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamBindingConditionOutput) ElementType

func (AppEngineServiceIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutput

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutputWithContext

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutput

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionPtrInput

type AppEngineServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput
	ToAppEngineServiceIamBindingConditionPtrOutputWithContext(context.Context) AppEngineServiceIamBindingConditionPtrOutput
}

AppEngineServiceIamBindingConditionPtrInput is an input type that accepts AppEngineServiceIamBindingConditionArgs, AppEngineServiceIamBindingConditionPtr and AppEngineServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingConditionPtrInput` via:

        AppEngineServiceIamBindingConditionArgs{...}

or:

        nil

type AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamBindingConditionPtrOutput) Elem

func (AppEngineServiceIamBindingConditionPtrOutput) ElementType

func (AppEngineServiceIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutput

func (o AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext

func (o AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingInput

type AppEngineServiceIamBindingInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput
	ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput
}

type AppEngineServiceIamBindingMap

type AppEngineServiceIamBindingMap map[string]AppEngineServiceIamBindingInput

func (AppEngineServiceIamBindingMap) ElementType

func (AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutput

func (i AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput

func (AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutputWithContext

func (i AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutputWithContext(ctx context.Context) AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingMapInput

type AppEngineServiceIamBindingMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput
	ToAppEngineServiceIamBindingMapOutputWithContext(context.Context) AppEngineServiceIamBindingMapOutput
}

AppEngineServiceIamBindingMapInput is an input type that accepts AppEngineServiceIamBindingMap and AppEngineServiceIamBindingMapOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingMapInput` via:

AppEngineServiceIamBindingMap{ "key": AppEngineServiceIamBindingArgs{...} }

type AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingMapOutput) ElementType

func (AppEngineServiceIamBindingMapOutput) MapIndex

func (AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutput

func (o AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput

func (AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutputWithContext

func (o AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutputWithContext(ctx context.Context) AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineServiceIamBindingOutput) ElementType

func (AppEngineServiceIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineServiceIamBindingOutput) Role

The role that should be applied. Only one `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineServiceIamBindingOutput) Service

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutput

func (o AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput

func (AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutputWithContext

func (o AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingState

type AppEngineServiceIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamBindingState) ElementType

type AppEngineServiceIamMember

type AppEngineServiceIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineService Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

* {{project}}/{{appId}}/{{service}}

* {{appId}}/{{service}}

* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamMember

func GetAppEngineServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamMemberState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamMember, error)

GetAppEngineServiceIamMember gets an existing AppEngineServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamMember

func NewAppEngineServiceIamMember(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamMember, error)

NewAppEngineServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamMember) ElementType

func (*AppEngineServiceIamMember) ElementType() reflect.Type

func (*AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutput

func (i *AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput

func (*AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutputWithContext

func (i *AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberArgs

type AppEngineServiceIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamMember resource.

func (AppEngineServiceIamMemberArgs) ElementType

type AppEngineServiceIamMemberArray

type AppEngineServiceIamMemberArray []AppEngineServiceIamMemberInput

func (AppEngineServiceIamMemberArray) ElementType

func (AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutput

func (i AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput

func (AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutputWithContext

func (i AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutputWithContext(ctx context.Context) AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberArrayInput

type AppEngineServiceIamMemberArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput
	ToAppEngineServiceIamMemberArrayOutputWithContext(context.Context) AppEngineServiceIamMemberArrayOutput
}

AppEngineServiceIamMemberArrayInput is an input type that accepts AppEngineServiceIamMemberArray and AppEngineServiceIamMemberArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberArrayInput` via:

AppEngineServiceIamMemberArray{ AppEngineServiceIamMemberArgs{...} }

type AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberArrayOutput) ElementType

func (AppEngineServiceIamMemberArrayOutput) Index

func (AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutput

func (o AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput

func (AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutputWithContext

func (o AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutputWithContext(ctx context.Context) AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberCondition

type AppEngineServiceIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineServiceIamMemberConditionArgs

type AppEngineServiceIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineServiceIamMemberConditionArgs) ElementType

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutput

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutputWithContext

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutput

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutputWithContext

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionInput

type AppEngineServiceIamMemberConditionInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput
	ToAppEngineServiceIamMemberConditionOutputWithContext(context.Context) AppEngineServiceIamMemberConditionOutput
}

AppEngineServiceIamMemberConditionInput is an input type that accepts AppEngineServiceIamMemberConditionArgs and AppEngineServiceIamMemberConditionOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberConditionInput` via:

AppEngineServiceIamMemberConditionArgs{...}

type AppEngineServiceIamMemberConditionOutput

type AppEngineServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamMemberConditionOutput) ElementType

func (AppEngineServiceIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutput

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutputWithContext

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutput

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionPtrInput

type AppEngineServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput
	ToAppEngineServiceIamMemberConditionPtrOutputWithContext(context.Context) AppEngineServiceIamMemberConditionPtrOutput
}

AppEngineServiceIamMemberConditionPtrInput is an input type that accepts AppEngineServiceIamMemberConditionArgs, AppEngineServiceIamMemberConditionPtr and AppEngineServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberConditionPtrInput` via:

        AppEngineServiceIamMemberConditionArgs{...}

or:

        nil

type AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamMemberConditionPtrOutput) Elem

func (AppEngineServiceIamMemberConditionPtrOutput) ElementType

func (AppEngineServiceIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutput

func (o AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext

func (o AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberInput

type AppEngineServiceIamMemberInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput
	ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput
}

type AppEngineServiceIamMemberMap

type AppEngineServiceIamMemberMap map[string]AppEngineServiceIamMemberInput

func (AppEngineServiceIamMemberMap) ElementType

func (AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutput

func (i AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput

func (AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutputWithContext

func (i AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutputWithContext(ctx context.Context) AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberMapInput

type AppEngineServiceIamMemberMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput
	ToAppEngineServiceIamMemberMapOutputWithContext(context.Context) AppEngineServiceIamMemberMapOutput
}

AppEngineServiceIamMemberMapInput is an input type that accepts AppEngineServiceIamMemberMap and AppEngineServiceIamMemberMapOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberMapInput` via:

AppEngineServiceIamMemberMap{ "key": AppEngineServiceIamMemberArgs{...} }

type AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberMapOutput) ElementType

func (AppEngineServiceIamMemberMapOutput) MapIndex

func (AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutput

func (o AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput

func (AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutputWithContext

func (o AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutputWithContext(ctx context.Context) AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineServiceIamMemberOutput) ElementType

func (AppEngineServiceIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineServiceIamMemberOutput) Role

The role that should be applied. Only one `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineServiceIamMemberOutput) Service

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutput

func (o AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput

func (AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutputWithContext

func (o AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberState

type AppEngineServiceIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamMemberState) ElementType

type AppEngineServiceIamPolicy

type AppEngineServiceIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineService Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

* {{project}}/{{appId}}/{{service}}

* {{appId}}/{{service}}

* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamPolicy

func GetAppEngineServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamPolicyState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamPolicy, error)

GetAppEngineServiceIamPolicy gets an existing AppEngineServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamPolicy

func NewAppEngineServiceIamPolicy(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamPolicy, error)

NewAppEngineServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamPolicy) ElementType

func (*AppEngineServiceIamPolicy) ElementType() reflect.Type

func (*AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutput

func (i *AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput

func (*AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutputWithContext

func (i *AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyArgs

type AppEngineServiceIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamPolicy resource.

func (AppEngineServiceIamPolicyArgs) ElementType

type AppEngineServiceIamPolicyArray

type AppEngineServiceIamPolicyArray []AppEngineServiceIamPolicyInput

func (AppEngineServiceIamPolicyArray) ElementType

func (AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutput

func (i AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput

func (AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutputWithContext

func (i AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyArrayInput

type AppEngineServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput
	ToAppEngineServiceIamPolicyArrayOutputWithContext(context.Context) AppEngineServiceIamPolicyArrayOutput
}

AppEngineServiceIamPolicyArrayInput is an input type that accepts AppEngineServiceIamPolicyArray and AppEngineServiceIamPolicyArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamPolicyArrayInput` via:

AppEngineServiceIamPolicyArray{ AppEngineServiceIamPolicyArgs{...} }

type AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyArrayOutput) ElementType

func (AppEngineServiceIamPolicyArrayOutput) Index

func (AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutput

func (o AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput

func (AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutputWithContext

func (o AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyInput

type AppEngineServiceIamPolicyInput interface {
	pulumi.Input

	ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput
	ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput
}

type AppEngineServiceIamPolicyMap

type AppEngineServiceIamPolicyMap map[string]AppEngineServiceIamPolicyInput

func (AppEngineServiceIamPolicyMap) ElementType

func (AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutput

func (i AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput

func (AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutputWithContext

func (i AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyMapInput

type AppEngineServiceIamPolicyMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput
	ToAppEngineServiceIamPolicyMapOutputWithContext(context.Context) AppEngineServiceIamPolicyMapOutput
}

AppEngineServiceIamPolicyMapInput is an input type that accepts AppEngineServiceIamPolicyMap and AppEngineServiceIamPolicyMapOutput values. You can construct a concrete instance of `AppEngineServiceIamPolicyMapInput` via:

AppEngineServiceIamPolicyMap{ "key": AppEngineServiceIamPolicyArgs{...} }

type AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyMapOutput) ElementType

func (AppEngineServiceIamPolicyMapOutput) MapIndex

func (AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutput

func (o AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput

func (AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutputWithContext

func (o AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamPolicyOutput) ElementType

func (AppEngineServiceIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AppEngineServiceIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineServiceIamPolicyOutput) Service

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutput

func (o AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput

func (AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutputWithContext

func (o AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyState

type AppEngineServiceIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamPolicyState) ElementType

type AppEngineVersionIamBinding

type AppEngineVersionIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineVersion Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

* {{project}}/{{appId}}/{{service}}/{{versionId}}

* {{appId}}/{{service}}/{{versionId}}

* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamBinding

func GetAppEngineVersionIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamBindingState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamBinding, error)

GetAppEngineVersionIamBinding gets an existing AppEngineVersionIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamBinding

func NewAppEngineVersionIamBinding(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamBindingArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamBinding, error)

NewAppEngineVersionIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamBinding) ElementType

func (*AppEngineVersionIamBinding) ElementType() reflect.Type

func (*AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutput

func (i *AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput

func (*AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutputWithContext

func (i *AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput

type AppEngineVersionIamBindingArgs

type AppEngineVersionIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamBinding resource.

func (AppEngineVersionIamBindingArgs) ElementType

type AppEngineVersionIamBindingArray

type AppEngineVersionIamBindingArray []AppEngineVersionIamBindingInput

func (AppEngineVersionIamBindingArray) ElementType

func (AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutput

func (i AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput

func (AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutputWithContext

func (i AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutputWithContext(ctx context.Context) AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingArrayInput

type AppEngineVersionIamBindingArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput
	ToAppEngineVersionIamBindingArrayOutputWithContext(context.Context) AppEngineVersionIamBindingArrayOutput
}

AppEngineVersionIamBindingArrayInput is an input type that accepts AppEngineVersionIamBindingArray and AppEngineVersionIamBindingArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingArrayInput` via:

AppEngineVersionIamBindingArray{ AppEngineVersionIamBindingArgs{...} }

type AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingArrayOutput) ElementType

func (AppEngineVersionIamBindingArrayOutput) Index

func (AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutput

func (o AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput

func (AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutputWithContext

func (o AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutputWithContext(ctx context.Context) AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingCondition

type AppEngineVersionIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineVersionIamBindingConditionArgs

type AppEngineVersionIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineVersionIamBindingConditionArgs) ElementType

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutput

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutputWithContext

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutput

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutputWithContext

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionInput

type AppEngineVersionIamBindingConditionInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput
	ToAppEngineVersionIamBindingConditionOutputWithContext(context.Context) AppEngineVersionIamBindingConditionOutput
}

AppEngineVersionIamBindingConditionInput is an input type that accepts AppEngineVersionIamBindingConditionArgs and AppEngineVersionIamBindingConditionOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingConditionInput` via:

AppEngineVersionIamBindingConditionArgs{...}

type AppEngineVersionIamBindingConditionOutput

type AppEngineVersionIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamBindingConditionOutput) ElementType

func (AppEngineVersionIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutput

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutputWithContext

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutput

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionPtrInput

type AppEngineVersionIamBindingConditionPtrInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput
	ToAppEngineVersionIamBindingConditionPtrOutputWithContext(context.Context) AppEngineVersionIamBindingConditionPtrOutput
}

AppEngineVersionIamBindingConditionPtrInput is an input type that accepts AppEngineVersionIamBindingConditionArgs, AppEngineVersionIamBindingConditionPtr and AppEngineVersionIamBindingConditionPtrOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingConditionPtrInput` via:

        AppEngineVersionIamBindingConditionArgs{...}

or:

        nil

type AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamBindingConditionPtrOutput) Elem

func (AppEngineVersionIamBindingConditionPtrOutput) ElementType

func (AppEngineVersionIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutput

func (o AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext

func (o AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingInput

type AppEngineVersionIamBindingInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput
	ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput
}

type AppEngineVersionIamBindingMap

type AppEngineVersionIamBindingMap map[string]AppEngineVersionIamBindingInput

func (AppEngineVersionIamBindingMap) ElementType

func (AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutput

func (i AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput

func (AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutputWithContext

func (i AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutputWithContext(ctx context.Context) AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingMapInput

type AppEngineVersionIamBindingMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput
	ToAppEngineVersionIamBindingMapOutputWithContext(context.Context) AppEngineVersionIamBindingMapOutput
}

AppEngineVersionIamBindingMapInput is an input type that accepts AppEngineVersionIamBindingMap and AppEngineVersionIamBindingMapOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingMapInput` via:

AppEngineVersionIamBindingMap{ "key": AppEngineVersionIamBindingArgs{...} }

type AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingMapOutput) ElementType

func (AppEngineVersionIamBindingMapOutput) MapIndex

func (AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutput

func (o AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput

func (AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutputWithContext

func (o AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutputWithContext(ctx context.Context) AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingOutput

type AppEngineVersionIamBindingOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineVersionIamBindingOutput) ElementType

func (AppEngineVersionIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineVersionIamBindingOutput) Role

The role that should be applied. Only one `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineVersionIamBindingOutput) Service

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutput

func (o AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutputWithContext

func (o AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingOutput) VersionId

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamBindingState

type AppEngineVersionIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamBindingState) ElementType

type AppEngineVersionIamMember

type AppEngineVersionIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineVersion Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

* {{project}}/{{appId}}/{{service}}/{{versionId}}

* {{appId}}/{{service}}/{{versionId}}

* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamMember

func GetAppEngineVersionIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamMemberState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamMember, error)

GetAppEngineVersionIamMember gets an existing AppEngineVersionIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamMember

func NewAppEngineVersionIamMember(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamMemberArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamMember, error)

NewAppEngineVersionIamMember registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamMember) ElementType

func (*AppEngineVersionIamMember) ElementType() reflect.Type

func (*AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutput

func (i *AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput

func (*AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutputWithContext

func (i *AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput

type AppEngineVersionIamMemberArgs

type AppEngineVersionIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamMember resource.

func (AppEngineVersionIamMemberArgs) ElementType

type AppEngineVersionIamMemberArray

type AppEngineVersionIamMemberArray []AppEngineVersionIamMemberInput

func (AppEngineVersionIamMemberArray) ElementType

func (AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutput

func (i AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput

func (AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutputWithContext

func (i AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutputWithContext(ctx context.Context) AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberArrayInput

type AppEngineVersionIamMemberArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput
	ToAppEngineVersionIamMemberArrayOutputWithContext(context.Context) AppEngineVersionIamMemberArrayOutput
}

AppEngineVersionIamMemberArrayInput is an input type that accepts AppEngineVersionIamMemberArray and AppEngineVersionIamMemberArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberArrayInput` via:

AppEngineVersionIamMemberArray{ AppEngineVersionIamMemberArgs{...} }

type AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberArrayOutput) ElementType

func (AppEngineVersionIamMemberArrayOutput) Index

func (AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutput

func (o AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput

func (AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutputWithContext

func (o AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutputWithContext(ctx context.Context) AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberCondition

type AppEngineVersionIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineVersionIamMemberConditionArgs

type AppEngineVersionIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineVersionIamMemberConditionArgs) ElementType

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutput

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutputWithContext

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutput

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutputWithContext

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionInput

type AppEngineVersionIamMemberConditionInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput
	ToAppEngineVersionIamMemberConditionOutputWithContext(context.Context) AppEngineVersionIamMemberConditionOutput
}

AppEngineVersionIamMemberConditionInput is an input type that accepts AppEngineVersionIamMemberConditionArgs and AppEngineVersionIamMemberConditionOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberConditionInput` via:

AppEngineVersionIamMemberConditionArgs{...}

type AppEngineVersionIamMemberConditionOutput

type AppEngineVersionIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamMemberConditionOutput) ElementType

func (AppEngineVersionIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutput

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutputWithContext

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutput

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionPtrInput

type AppEngineVersionIamMemberConditionPtrInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput
	ToAppEngineVersionIamMemberConditionPtrOutputWithContext(context.Context) AppEngineVersionIamMemberConditionPtrOutput
}

AppEngineVersionIamMemberConditionPtrInput is an input type that accepts AppEngineVersionIamMemberConditionArgs, AppEngineVersionIamMemberConditionPtr and AppEngineVersionIamMemberConditionPtrOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberConditionPtrInput` via:

        AppEngineVersionIamMemberConditionArgs{...}

or:

        nil

type AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamMemberConditionPtrOutput) Elem

func (AppEngineVersionIamMemberConditionPtrOutput) ElementType

func (AppEngineVersionIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutput

func (o AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext

func (o AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberInput

type AppEngineVersionIamMemberInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput
	ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput
}

type AppEngineVersionIamMemberMap

type AppEngineVersionIamMemberMap map[string]AppEngineVersionIamMemberInput

func (AppEngineVersionIamMemberMap) ElementType

func (AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutput

func (i AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput

func (AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutputWithContext

func (i AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutputWithContext(ctx context.Context) AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberMapInput

type AppEngineVersionIamMemberMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput
	ToAppEngineVersionIamMemberMapOutputWithContext(context.Context) AppEngineVersionIamMemberMapOutput
}

AppEngineVersionIamMemberMapInput is an input type that accepts AppEngineVersionIamMemberMap and AppEngineVersionIamMemberMapOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberMapInput` via:

AppEngineVersionIamMemberMap{ "key": AppEngineVersionIamMemberArgs{...} }

type AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberMapOutput) ElementType

func (AppEngineVersionIamMemberMapOutput) MapIndex

func (AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutput

func (o AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput

func (AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutputWithContext

func (o AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutputWithContext(ctx context.Context) AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberOutput

type AppEngineVersionIamMemberOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineVersionIamMemberOutput) ElementType

func (AppEngineVersionIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineVersionIamMemberOutput) Role

The role that should be applied. Only one `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineVersionIamMemberOutput) Service

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutput

func (o AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutputWithContext

func (o AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberOutput) VersionId

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamMemberState

type AppEngineVersionIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamMemberState) ElementType

type AppEngineVersionIamPolicy

type AppEngineVersionIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineVersion Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

* {{project}}/{{appId}}/{{service}}/{{versionId}}

* {{appId}}/{{service}}/{{versionId}}

* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamPolicy

func GetAppEngineVersionIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamPolicyState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamPolicy, error)

GetAppEngineVersionIamPolicy gets an existing AppEngineVersionIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamPolicy

func NewAppEngineVersionIamPolicy(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamPolicyArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamPolicy, error)

NewAppEngineVersionIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamPolicy) ElementType

func (*AppEngineVersionIamPolicy) ElementType() reflect.Type

func (*AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutput

func (i *AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput

func (*AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutputWithContext

func (i *AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput

type AppEngineVersionIamPolicyArgs

type AppEngineVersionIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamPolicy resource.

func (AppEngineVersionIamPolicyArgs) ElementType

type AppEngineVersionIamPolicyArray

type AppEngineVersionIamPolicyArray []AppEngineVersionIamPolicyInput

func (AppEngineVersionIamPolicyArray) ElementType

func (AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutput

func (i AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput

func (AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutputWithContext

func (i AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyArrayInput

type AppEngineVersionIamPolicyArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput
	ToAppEngineVersionIamPolicyArrayOutputWithContext(context.Context) AppEngineVersionIamPolicyArrayOutput
}

AppEngineVersionIamPolicyArrayInput is an input type that accepts AppEngineVersionIamPolicyArray and AppEngineVersionIamPolicyArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamPolicyArrayInput` via:

AppEngineVersionIamPolicyArray{ AppEngineVersionIamPolicyArgs{...} }

type AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyArrayOutput) ElementType

func (AppEngineVersionIamPolicyArrayOutput) Index

func (AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutput

func (o AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput

func (AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutputWithContext

func (o AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyInput

type AppEngineVersionIamPolicyInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput
	ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput
}

type AppEngineVersionIamPolicyMap

type AppEngineVersionIamPolicyMap map[string]AppEngineVersionIamPolicyInput

func (AppEngineVersionIamPolicyMap) ElementType

func (AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutput

func (i AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput

func (AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutputWithContext

func (i AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyMapInput

type AppEngineVersionIamPolicyMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput
	ToAppEngineVersionIamPolicyMapOutputWithContext(context.Context) AppEngineVersionIamPolicyMapOutput
}

AppEngineVersionIamPolicyMapInput is an input type that accepts AppEngineVersionIamPolicyMap and AppEngineVersionIamPolicyMapOutput values. You can construct a concrete instance of `AppEngineVersionIamPolicyMapInput` via:

AppEngineVersionIamPolicyMap{ "key": AppEngineVersionIamPolicyArgs{...} }

type AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyMapOutput) ElementType

func (AppEngineVersionIamPolicyMapOutput) MapIndex

func (AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutput

func (o AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput

func (AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutputWithContext

func (o AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyOutput

type AppEngineVersionIamPolicyOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamPolicyOutput) ElementType

func (AppEngineVersionIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AppEngineVersionIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineVersionIamPolicyOutput) Service

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutput

func (o AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutputWithContext

func (o AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyOutput) VersionId

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamPolicyState

type AppEngineVersionIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamPolicyState) ElementType

type Brand

type Brand struct {
	pulumi.CustomResourceState

	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringOutput `pulumi:"applicationTitle"`
	// Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}`
	// NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing.
	// NOTE: The brand identification corresponds to the project number as only one
	// brand can be created per project.
	Name pulumi.StringOutput `pulumi:"name"`
	// Whether the brand is only intended for usage inside the GSuite organization only.
	OrgInternalOnly pulumi.BoolOutput `pulumi:"orgInternalOnly"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringOutput `pulumi:"supportEmail"`
}

## Example Usage

### Iap Brand

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("my-project"),
			Name:           pulumi.String("my-project"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		projectService, err := projects.NewService(ctx, "project_service", &projects.ServiceArgs{
			Project: project.ProjectId,
			Service: pulumi.String("iap.googleapis.com"),
		})
		if err != nil {
			return err
		}
		_, err = iap.NewBrand(ctx, "project_brand", &iap.BrandArgs{
			SupportEmail:     pulumi.String("support@example.com"),
			ApplicationTitle: pulumi.String("Cloud IAP protected Application"),
			Project:          projectService.Project,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Brand can be imported using any of these accepted formats:

* `projects/{{project_id}}/brands/{{brand_id}}`

* `projects/{{project_number}}/brands/{{brand_id}}`

* `{{project_number}}/{{brand_id}}`

When using the `pulumi import` command, Brand can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:iap/brand:Brand default projects/{{project_id}}/brands/{{brand_id}} ```

```sh $ pulumi import gcp:iap/brand:Brand default projects/{{project_number}}/brands/{{brand_id}} ```

```sh $ pulumi import gcp:iap/brand:Brand default {{project_number}}/{{brand_id}} ```

func GetBrand

func GetBrand(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *BrandState, opts ...pulumi.ResourceOption) (*Brand, error)

GetBrand gets an existing Brand resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewBrand

func NewBrand(ctx *pulumi.Context,
	name string, args *BrandArgs, opts ...pulumi.ResourceOption) (*Brand, error)

NewBrand registers a new resource with the given unique name, arguments, and options.

func (*Brand) ElementType

func (*Brand) ElementType() reflect.Type

func (*Brand) ToBrandOutput

func (i *Brand) ToBrandOutput() BrandOutput

func (*Brand) ToBrandOutputWithContext

func (i *Brand) ToBrandOutputWithContext(ctx context.Context) BrandOutput

type BrandArgs

type BrandArgs struct {
	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringInput
}

The set of arguments for constructing a Brand resource.

func (BrandArgs) ElementType

func (BrandArgs) ElementType() reflect.Type

type BrandArray

type BrandArray []BrandInput

func (BrandArray) ElementType

func (BrandArray) ElementType() reflect.Type

func (BrandArray) ToBrandArrayOutput

func (i BrandArray) ToBrandArrayOutput() BrandArrayOutput

func (BrandArray) ToBrandArrayOutputWithContext

func (i BrandArray) ToBrandArrayOutputWithContext(ctx context.Context) BrandArrayOutput

type BrandArrayInput

type BrandArrayInput interface {
	pulumi.Input

	ToBrandArrayOutput() BrandArrayOutput
	ToBrandArrayOutputWithContext(context.Context) BrandArrayOutput
}

BrandArrayInput is an input type that accepts BrandArray and BrandArrayOutput values. You can construct a concrete instance of `BrandArrayInput` via:

BrandArray{ BrandArgs{...} }

type BrandArrayOutput

type BrandArrayOutput struct{ *pulumi.OutputState }

func (BrandArrayOutput) ElementType

func (BrandArrayOutput) ElementType() reflect.Type

func (BrandArrayOutput) Index

func (BrandArrayOutput) ToBrandArrayOutput

func (o BrandArrayOutput) ToBrandArrayOutput() BrandArrayOutput

func (BrandArrayOutput) ToBrandArrayOutputWithContext

func (o BrandArrayOutput) ToBrandArrayOutputWithContext(ctx context.Context) BrandArrayOutput

type BrandInput

type BrandInput interface {
	pulumi.Input

	ToBrandOutput() BrandOutput
	ToBrandOutputWithContext(ctx context.Context) BrandOutput
}

type BrandMap

type BrandMap map[string]BrandInput

func (BrandMap) ElementType

func (BrandMap) ElementType() reflect.Type

func (BrandMap) ToBrandMapOutput

func (i BrandMap) ToBrandMapOutput() BrandMapOutput

func (BrandMap) ToBrandMapOutputWithContext

func (i BrandMap) ToBrandMapOutputWithContext(ctx context.Context) BrandMapOutput

type BrandMapInput

type BrandMapInput interface {
	pulumi.Input

	ToBrandMapOutput() BrandMapOutput
	ToBrandMapOutputWithContext(context.Context) BrandMapOutput
}

BrandMapInput is an input type that accepts BrandMap and BrandMapOutput values. You can construct a concrete instance of `BrandMapInput` via:

BrandMap{ "key": BrandArgs{...} }

type BrandMapOutput

type BrandMapOutput struct{ *pulumi.OutputState }

func (BrandMapOutput) ElementType

func (BrandMapOutput) ElementType() reflect.Type

func (BrandMapOutput) MapIndex

func (BrandMapOutput) ToBrandMapOutput

func (o BrandMapOutput) ToBrandMapOutput() BrandMapOutput

func (BrandMapOutput) ToBrandMapOutputWithContext

func (o BrandMapOutput) ToBrandMapOutputWithContext(ctx context.Context) BrandMapOutput

type BrandOutput

type BrandOutput struct{ *pulumi.OutputState }

func (BrandOutput) ApplicationTitle

func (o BrandOutput) ApplicationTitle() pulumi.StringOutput

Application name displayed on OAuth consent screen.

***

func (BrandOutput) ElementType

func (BrandOutput) ElementType() reflect.Type

func (BrandOutput) Name

func (o BrandOutput) Name() pulumi.StringOutput

Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}` NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing. NOTE: The brand identification corresponds to the project number as only one brand can be created per project.

func (BrandOutput) OrgInternalOnly

func (o BrandOutput) OrgInternalOnly() pulumi.BoolOutput

Whether the brand is only intended for usage inside the GSuite organization only.

func (BrandOutput) Project

func (o BrandOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

func (BrandOutput) SupportEmail

func (o BrandOutput) SupportEmail() pulumi.StringOutput

Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

func (BrandOutput) ToBrandOutput

func (o BrandOutput) ToBrandOutput() BrandOutput

func (BrandOutput) ToBrandOutputWithContext

func (o BrandOutput) ToBrandOutputWithContext(ctx context.Context) BrandOutput

type BrandState

type BrandState struct {
	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringPtrInput
	// Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}`
	// NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing.
	// NOTE: The brand identification corresponds to the project number as only one
	// brand can be created per project.
	Name pulumi.StringPtrInput
	// Whether the brand is only intended for usage inside the GSuite organization only.
	OrgInternalOnly pulumi.BoolPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringPtrInput
}

func (BrandState) ElementType

func (BrandState) ElementType() reflect.Type

type Client

type Client struct {
	pulumi.CustomResourceState

	// Identifier of the brand to which this client
	// is attached to. The format is
	// `projects/{project_number}/brands/{brand_id}`.
	//
	// ***
	Brand pulumi.StringOutput `pulumi:"brand"`
	// Output only. Unique identifier of the OAuth client.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringOutput `pulumi:"displayName"`
	// Output only. Client secret of the OAuth client.
	// **Note**: This property is sensitive and will not be displayed in the plan.
	Secret pulumi.StringOutput `pulumi:"secret"`
}

Contains the data that describes an Identity Aware Proxy owned client.

> **Note:** Only internal org clients can be created via declarative tools. External clients must be manually created via the GCP console. This restriction is due to the existing APIs and not lack of support in this tool.

To get more information about Client, see:

* [API documentation](https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients) * How-to Guides

## Example Usage

### Iap Client

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("my-project"),
			Name:           pulumi.String("my-project"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		projectService, err := projects.NewService(ctx, "project_service", &projects.ServiceArgs{
			Project: project.ProjectId,
			Service: pulumi.String("iap.googleapis.com"),
		})
		if err != nil {
			return err
		}
		projectBrand, err := iap.NewBrand(ctx, "project_brand", &iap.BrandArgs{
			SupportEmail:     pulumi.String("support@example.com"),
			ApplicationTitle: pulumi.String("Cloud IAP protected Application"),
			Project:          projectService.Project,
		})
		if err != nil {
			return err
		}
		_, err = iap.NewClient(ctx, "project_client", &iap.ClientArgs{
			DisplayName: pulumi.String("Test Client"),
			Brand:       projectBrand.Name,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Client can be imported using any of these accepted formats:

* `{{brand}}/identityAwareProxyClients/{{client_id}}`

* `{{brand}}/{{client_id}}`

When using the `pulumi import` command, Client can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:iap/client:Client default {{brand}}/identityAwareProxyClients/{{client_id}} ```

```sh $ pulumi import gcp:iap/client:Client default {{brand}}/{{client_id}} ```

func GetClient

func GetClient(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ClientState, opts ...pulumi.ResourceOption) (*Client, error)

GetClient gets an existing Client resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewClient

func NewClient(ctx *pulumi.Context,
	name string, args *ClientArgs, opts ...pulumi.ResourceOption) (*Client, error)

NewClient registers a new resource with the given unique name, arguments, and options.

func (*Client) ElementType

func (*Client) ElementType() reflect.Type

func (*Client) ToClientOutput

func (i *Client) ToClientOutput() ClientOutput

func (*Client) ToClientOutputWithContext

func (i *Client) ToClientOutputWithContext(ctx context.Context) ClientOutput

type ClientArgs

type ClientArgs struct {
	// Identifier of the brand to which this client
	// is attached to. The format is
	// `projects/{project_number}/brands/{brand_id}`.
	//
	// ***
	Brand pulumi.StringInput
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringInput
}

The set of arguments for constructing a Client resource.

func (ClientArgs) ElementType

func (ClientArgs) ElementType() reflect.Type

type ClientArray

type ClientArray []ClientInput

func (ClientArray) ElementType

func (ClientArray) ElementType() reflect.Type

func (ClientArray) ToClientArrayOutput

func (i ClientArray) ToClientArrayOutput() ClientArrayOutput

func (ClientArray) ToClientArrayOutputWithContext

func (i ClientArray) ToClientArrayOutputWithContext(ctx context.Context) ClientArrayOutput

type ClientArrayInput

type ClientArrayInput interface {
	pulumi.Input

	ToClientArrayOutput() ClientArrayOutput
	ToClientArrayOutputWithContext(context.Context) ClientArrayOutput
}

ClientArrayInput is an input type that accepts ClientArray and ClientArrayOutput values. You can construct a concrete instance of `ClientArrayInput` via:

ClientArray{ ClientArgs{...} }

type ClientArrayOutput

type ClientArrayOutput struct{ *pulumi.OutputState }

func (ClientArrayOutput) ElementType

func (ClientArrayOutput) ElementType() reflect.Type

func (ClientArrayOutput) Index

func (ClientArrayOutput) ToClientArrayOutput

func (o ClientArrayOutput) ToClientArrayOutput() ClientArrayOutput

func (ClientArrayOutput) ToClientArrayOutputWithContext

func (o ClientArrayOutput) ToClientArrayOutputWithContext(ctx context.Context) ClientArrayOutput

type ClientInput

type ClientInput interface {
	pulumi.Input

	ToClientOutput() ClientOutput
	ToClientOutputWithContext(ctx context.Context) ClientOutput
}

type ClientMap

type ClientMap map[string]ClientInput

func (ClientMap) ElementType

func (ClientMap) ElementType() reflect.Type

func (ClientMap) ToClientMapOutput

func (i ClientMap) ToClientMapOutput() ClientMapOutput

func (ClientMap) ToClientMapOutputWithContext

func (i ClientMap) ToClientMapOutputWithContext(ctx context.Context) ClientMapOutput

type ClientMapInput

type ClientMapInput interface {
	pulumi.Input

	ToClientMapOutput() ClientMapOutput
	ToClientMapOutputWithContext(context.Context) ClientMapOutput
}

ClientMapInput is an input type that accepts ClientMap and ClientMapOutput values. You can construct a concrete instance of `ClientMapInput` via:

ClientMap{ "key": ClientArgs{...} }

type ClientMapOutput

type ClientMapOutput struct{ *pulumi.OutputState }

func (ClientMapOutput) ElementType

func (ClientMapOutput) ElementType() reflect.Type

func (ClientMapOutput) MapIndex

func (ClientMapOutput) ToClientMapOutput

func (o ClientMapOutput) ToClientMapOutput() ClientMapOutput

func (ClientMapOutput) ToClientMapOutputWithContext

func (o ClientMapOutput) ToClientMapOutputWithContext(ctx context.Context) ClientMapOutput

type ClientOutput

type ClientOutput struct{ *pulumi.OutputState }

func (ClientOutput) Brand

func (o ClientOutput) Brand() pulumi.StringOutput

Identifier of the brand to which this client is attached to. The format is `projects/{project_number}/brands/{brand_id}`.

***

func (ClientOutput) ClientId

func (o ClientOutput) ClientId() pulumi.StringOutput

Output only. Unique identifier of the OAuth client.

func (ClientOutput) DisplayName

func (o ClientOutput) DisplayName() pulumi.StringOutput

Human-friendly name given to the OAuth client.

func (ClientOutput) ElementType

func (ClientOutput) ElementType() reflect.Type

func (ClientOutput) Secret

func (o ClientOutput) Secret() pulumi.StringOutput

Output only. Client secret of the OAuth client. **Note**: This property is sensitive and will not be displayed in the plan.

func (ClientOutput) ToClientOutput

func (o ClientOutput) ToClientOutput() ClientOutput

func (ClientOutput) ToClientOutputWithContext

func (o ClientOutput) ToClientOutputWithContext(ctx context.Context) ClientOutput

type ClientState

type ClientState struct {
	// Identifier of the brand to which this client
	// is attached to. The format is
	// `projects/{project_number}/brands/{brand_id}`.
	//
	// ***
	Brand pulumi.StringPtrInput
	// Output only. Unique identifier of the OAuth client.
	ClientId pulumi.StringPtrInput
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringPtrInput
	// Output only. Client secret of the OAuth client.
	// **Note**: This property is sensitive and will not be displayed in the plan.
	Secret pulumi.StringPtrInput
}

func (ClientState) ElementType

func (ClientState) ElementType() reflect.Type

type GetTunnelInstanceIamPolicyArgs

type GetTunnelInstanceIamPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Instance string `pulumi:"instance"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	Zone    *string `pulumi:"zone"`
}

A collection of arguments for invoking getTunnelInstanceIamPolicy.

type GetTunnelInstanceIamPolicyOutputArgs

type GetTunnelInstanceIamPolicyOutputArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput `pulumi:"instance"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	Zone    pulumi.StringPtrInput `pulumi:"zone"`
}

A collection of arguments for invoking getTunnelInstanceIamPolicy.

func (GetTunnelInstanceIamPolicyOutputArgs) ElementType

type GetTunnelInstanceIamPolicyResult

type GetTunnelInstanceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id       string `pulumi:"id"`
	Instance string `pulumi:"instance"`
	// (Required only by `iap.TunnelInstanceIAMPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Zone       string `pulumi:"zone"`
}

A collection of values returned by getTunnelInstanceIamPolicy.

func GetTunnelInstanceIamPolicy

func GetTunnelInstanceIamPolicy(ctx *pulumi.Context, args *GetTunnelInstanceIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetTunnelInstanceIamPolicyResult, error)

Retrieves the current IAM policy data for tunnelinstance

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.GetTunnelInstanceIamPolicy(ctx, &iap.GetTunnelInstanceIamPolicyArgs{
			Project:  pulumi.StringRef(tunnelvm.Project),
			Zone:     pulumi.StringRef(tunnelvm.Zone),
			Instance: tunnelvm.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type GetTunnelInstanceIamPolicyResultOutput

type GetTunnelInstanceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelInstanceIamPolicy.

func (GetTunnelInstanceIamPolicyResultOutput) ElementType

func (GetTunnelInstanceIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (GetTunnelInstanceIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (GetTunnelInstanceIamPolicyResultOutput) Instance

func (GetTunnelInstanceIamPolicyResultOutput) PolicyData

(Required only by `iap.TunnelInstanceIAMPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (GetTunnelInstanceIamPolicyResultOutput) Project

func (GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutput

func (o GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutput() GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutputWithContext

func (o GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutputWithContext(ctx context.Context) GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) Zone

type GetWebTypeAppEngineIamPolicyArgs

type GetWebTypeAppEngineIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId string `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeAppEngineIamPolicy.

type GetWebTypeAppEngineIamPolicyOutputArgs

type GetWebTypeAppEngineIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeAppEngineIamPolicy.

func (GetWebTypeAppEngineIamPolicyOutputArgs) ElementType

type GetWebTypeAppEngineIamPolicyResult

type GetWebTypeAppEngineIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebTypeAppEngingIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebTypeAppEngineIamPolicy.

func GetWebTypeAppEngineIamPolicy

func GetWebTypeAppEngineIamPolicy(ctx *pulumi.Context, args *GetWebTypeAppEngineIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetWebTypeAppEngineIamPolicyResult, error)

Retrieves the current IAM policy data for webtypeappengine

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.GetWebTypeAppEngineIamPolicy(ctx, &iap.GetWebTypeAppEngineIamPolicyArgs{
			Project: pulumi.StringRef(app.Project),
			AppId:   app.AppId,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type GetWebTypeAppEngineIamPolicyResultOutput

type GetWebTypeAppEngineIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebTypeAppEngineIamPolicy.

func (GetWebTypeAppEngineIamPolicyResultOutput) AppId

func (GetWebTypeAppEngineIamPolicyResultOutput) ElementType

func (GetWebTypeAppEngineIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (GetWebTypeAppEngineIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (GetWebTypeAppEngineIamPolicyResultOutput) PolicyData

(Required only by `iap.WebTypeAppEngingIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (GetWebTypeAppEngineIamPolicyResultOutput) Project

func (GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutput

func (o GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutput() GetWebTypeAppEngineIamPolicyResultOutput

func (GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutputWithContext

func (o GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutputWithContext(ctx context.Context) GetWebTypeAppEngineIamPolicyResultOutput

type LookupAppEngineServiceIamPolicyArgs

type LookupAppEngineServiceIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId string `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service string `pulumi:"service"`
}

A collection of arguments for invoking getAppEngineServiceIamPolicy.

type LookupAppEngineServiceIamPolicyOutputArgs

type LookupAppEngineServiceIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput `pulumi:"service"`
}

A collection of arguments for invoking getAppEngineServiceIamPolicy.

func (LookupAppEngineServiceIamPolicyOutputArgs) ElementType

type LookupAppEngineServiceIamPolicyResult

type LookupAppEngineServiceIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.AppEngineServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Service    string `pulumi:"service"`
}

A collection of values returned by getAppEngineServiceIamPolicy.

func LookupAppEngineServiceIamPolicy

Retrieves the current IAM policy data for appengineservice

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupAppEngineServiceIamPolicy(ctx, &iap.LookupAppEngineServiceIamPolicyArgs{
			Project: pulumi.StringRef(version.Project),
			AppId:   version.Project,
			Service: version.Service,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAppEngineServiceIamPolicyResultOutput

type LookupAppEngineServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAppEngineServiceIamPolicy.

func (LookupAppEngineServiceIamPolicyResultOutput) AppId

func (LookupAppEngineServiceIamPolicyResultOutput) ElementType

func (LookupAppEngineServiceIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupAppEngineServiceIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupAppEngineServiceIamPolicyResultOutput) PolicyData

(Required only by `iap.AppEngineServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAppEngineServiceIamPolicyResultOutput) Project

func (LookupAppEngineServiceIamPolicyResultOutput) Service

func (LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutput

func (o LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutput() LookupAppEngineServiceIamPolicyResultOutput

func (LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutputWithContext

func (o LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupAppEngineServiceIamPolicyResultOutput

type LookupAppEngineVersionIamPolicyArgs

type LookupAppEngineVersionIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId string `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service string `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId string `pulumi:"versionId"`
}

A collection of arguments for invoking getAppEngineVersionIamPolicy.

type LookupAppEngineVersionIamPolicyOutputArgs

type LookupAppEngineVersionIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput `pulumi:"versionId"`
}

A collection of arguments for invoking getAppEngineVersionIamPolicy.

func (LookupAppEngineVersionIamPolicyOutputArgs) ElementType

type LookupAppEngineVersionIamPolicyResult

type LookupAppEngineVersionIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.AppEngineVersionIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Service    string `pulumi:"service"`
	VersionId  string `pulumi:"versionId"`
}

A collection of values returned by getAppEngineVersionIamPolicy.

func LookupAppEngineVersionIamPolicy

Retrieves the current IAM policy data for appengineversion

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupAppEngineVersionIamPolicy(ctx, &iap.LookupAppEngineVersionIamPolicyArgs{
			Project:   pulumi.StringRef(version.Project),
			AppId:     version.Project,
			Service:   version.Service,
			VersionId: version.VersionId,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAppEngineVersionIamPolicyResultOutput

type LookupAppEngineVersionIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAppEngineVersionIamPolicy.

func (LookupAppEngineVersionIamPolicyResultOutput) AppId

func (LookupAppEngineVersionIamPolicyResultOutput) ElementType

func (LookupAppEngineVersionIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupAppEngineVersionIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupAppEngineVersionIamPolicyResultOutput) PolicyData

(Required only by `iap.AppEngineVersionIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAppEngineVersionIamPolicyResultOutput) Project

func (LookupAppEngineVersionIamPolicyResultOutput) Service

func (LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutput

func (o LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutput() LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutputWithContext

func (o LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutputWithContext(ctx context.Context) LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) VersionId

type LookupClientArgs

type LookupClientArgs struct {
	// The name of the brand.
	Brand string `pulumi:"brand"`
	// The clientId of the brand.
	ClientId string `pulumi:"clientId"`
}

A collection of arguments for invoking getClient.

type LookupClientOutputArgs

type LookupClientOutputArgs struct {
	// The name of the brand.
	Brand pulumi.StringInput `pulumi:"brand"`
	// The clientId of the brand.
	ClientId pulumi.StringInput `pulumi:"clientId"`
}

A collection of arguments for invoking getClient.

func (LookupClientOutputArgs) ElementType

func (LookupClientOutputArgs) ElementType() reflect.Type

type LookupClientResult

type LookupClientResult struct {
	Brand       string `pulumi:"brand"`
	ClientId    string `pulumi:"clientId"`
	DisplayName string `pulumi:"displayName"`
	// The provider-assigned unique ID for this managed resource.
	Id     string `pulumi:"id"`
	Secret string `pulumi:"secret"`
}

A collection of values returned by getClient.

func LookupClient

func LookupClient(ctx *pulumi.Context, args *LookupClientArgs, opts ...pulumi.InvokeOption) (*LookupClientResult, error)

Get info about a Google Cloud IAP Client.

## Example Usage

type LookupClientResultOutput

type LookupClientResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getClient.

func (LookupClientResultOutput) Brand

func (LookupClientResultOutput) ClientId

func (LookupClientResultOutput) DisplayName

func (LookupClientResultOutput) ElementType

func (LookupClientResultOutput) ElementType() reflect.Type

func (LookupClientResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupClientResultOutput) Secret

func (LookupClientResultOutput) ToLookupClientResultOutput

func (o LookupClientResultOutput) ToLookupClientResultOutput() LookupClientResultOutput

func (LookupClientResultOutput) ToLookupClientResultOutputWithContext

func (o LookupClientResultOutput) ToLookupClientResultOutputWithContext(ctx context.Context) LookupClientResultOutput

type LookupTunnelDestGroupIamPolicyArgs

type LookupTunnelDestGroupIamPolicyArgs struct {
	DestGroup string `pulumi:"destGroup"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region *string `pulumi:"region"`
}

A collection of arguments for invoking getTunnelDestGroupIamPolicy.

type LookupTunnelDestGroupIamPolicyOutputArgs

type LookupTunnelDestGroupIamPolicyOutputArgs struct {
	DestGroup pulumi.StringInput `pulumi:"destGroup"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput `pulumi:"region"`
}

A collection of arguments for invoking getTunnelDestGroupIamPolicy.

func (LookupTunnelDestGroupIamPolicyOutputArgs) ElementType

type LookupTunnelDestGroupIamPolicyResult

type LookupTunnelDestGroupIamPolicyResult struct {
	DestGroup string `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.TunnelDestGroupIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Region     string `pulumi:"region"`
}

A collection of values returned by getTunnelDestGroupIamPolicy.

func LookupTunnelDestGroupIamPolicy

Retrieves the current IAM policy data for tunneldestgroup

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupTunnelDestGroupIamPolicy(ctx, &iap.LookupTunnelDestGroupIamPolicyArgs{
			Project:   pulumi.StringRef(destGroup.Project),
			Region:    pulumi.StringRef(destGroup.Region),
			DestGroup: destGroup.GroupName,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupTunnelDestGroupIamPolicyResultOutput

type LookupTunnelDestGroupIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelDestGroupIamPolicy.

func (LookupTunnelDestGroupIamPolicyResultOutput) DestGroup

func (LookupTunnelDestGroupIamPolicyResultOutput) ElementType

func (LookupTunnelDestGroupIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupTunnelDestGroupIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupTunnelDestGroupIamPolicyResultOutput) PolicyData

(Required only by `iap.TunnelDestGroupIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupTunnelDestGroupIamPolicyResultOutput) Project

func (LookupTunnelDestGroupIamPolicyResultOutput) Region

func (LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutput

func (o LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutput() LookupTunnelDestGroupIamPolicyResultOutput

func (LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutputWithContext

func (o LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutputWithContext(ctx context.Context) LookupTunnelDestGroupIamPolicyResultOutput

type LookupTunnelIamPolicyArgs

type LookupTunnelIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getTunnelIamPolicy.

type LookupTunnelIamPolicyOutputArgs

type LookupTunnelIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getTunnelIamPolicy.

func (LookupTunnelIamPolicyOutputArgs) ElementType

type LookupTunnelIamPolicyResult

type LookupTunnelIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.TunnelIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getTunnelIamPolicy.

func LookupTunnelIamPolicy

func LookupTunnelIamPolicy(ctx *pulumi.Context, args *LookupTunnelIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupTunnelIamPolicyResult, error)

Retrieves the current IAM policy data for tunnel

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupTunnelIamPolicy(ctx, &iap.LookupTunnelIamPolicyArgs{
			Project: pulumi.StringRef(projectService.Project),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupTunnelIamPolicyResultOutput

type LookupTunnelIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelIamPolicy.

func (LookupTunnelIamPolicyResultOutput) ElementType

func (LookupTunnelIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupTunnelIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupTunnelIamPolicyResultOutput) PolicyData

(Required only by `iap.TunnelIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupTunnelIamPolicyResultOutput) Project

func (LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutput

func (o LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutput() LookupTunnelIamPolicyResultOutput

func (LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutputWithContext

func (o LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutputWithContext(ctx context.Context) LookupTunnelIamPolicyResultOutput

type LookupWebBackendServiceIamPolicyArgs

type LookupWebBackendServiceIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService string `pulumi:"webBackendService"`
}

A collection of arguments for invoking getWebBackendServiceIamPolicy.

type LookupWebBackendServiceIamPolicyOutputArgs

type LookupWebBackendServiceIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput `pulumi:"webBackendService"`
}

A collection of arguments for invoking getWebBackendServiceIamPolicy.

func (LookupWebBackendServiceIamPolicyOutputArgs) ElementType

type LookupWebBackendServiceIamPolicyResult

type LookupWebBackendServiceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebBackendServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData        string `pulumi:"policyData"`
	Project           string `pulumi:"project"`
	WebBackendService string `pulumi:"webBackendService"`
}

A collection of values returned by getWebBackendServiceIamPolicy.

func LookupWebBackendServiceIamPolicy

Retrieves the current IAM policy data for webbackendservice

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebBackendServiceIamPolicy(ctx, &iap.LookupWebBackendServiceIamPolicyArgs{
			Project:           pulumi.StringRef(_default.Project),
			WebBackendService: _default.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebBackendServiceIamPolicyResultOutput

type LookupWebBackendServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebBackendServiceIamPolicy.

func (LookupWebBackendServiceIamPolicyResultOutput) ElementType

func (LookupWebBackendServiceIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupWebBackendServiceIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupWebBackendServiceIamPolicyResultOutput) PolicyData

(Required only by `iap.WebBackendServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebBackendServiceIamPolicyResultOutput) Project

func (LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutput

func (o LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutput() LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutputWithContext

func (o LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) WebBackendService

type LookupWebIamPolicyArgs

type LookupWebIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebIamPolicy.

type LookupWebIamPolicyOutputArgs

type LookupWebIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebIamPolicy.

func (LookupWebIamPolicyOutputArgs) ElementType

type LookupWebIamPolicyResult

type LookupWebIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebIamPolicy.

func LookupWebIamPolicy

func LookupWebIamPolicy(ctx *pulumi.Context, args *LookupWebIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupWebIamPolicyResult, error)

Retrieves the current IAM policy data for web

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebIamPolicy(ctx, &iap.LookupWebIamPolicyArgs{
			Project: pulumi.StringRef(projectService.Project),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebIamPolicyResultOutput

type LookupWebIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebIamPolicy.

func (LookupWebIamPolicyResultOutput) ElementType

func (LookupWebIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupWebIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupWebIamPolicyResultOutput) PolicyData

(Required only by `iap.WebIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebIamPolicyResultOutput) Project

func (LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutput

func (o LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutput() LookupWebIamPolicyResultOutput

func (LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutputWithContext

func (o LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutputWithContext(ctx context.Context) LookupWebIamPolicyResultOutput

type LookupWebRegionBackendServiceIamPolicyArgs

type LookupWebRegionBackendServiceIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	Region  *string `pulumi:"region"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService string `pulumi:"webRegionBackendService"`
}

A collection of arguments for invoking getWebRegionBackendServiceIamPolicy.

type LookupWebRegionBackendServiceIamPolicyOutputArgs

type LookupWebRegionBackendServiceIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	Region  pulumi.StringPtrInput `pulumi:"region"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput `pulumi:"webRegionBackendService"`
}

A collection of arguments for invoking getWebRegionBackendServiceIamPolicy.

func (LookupWebRegionBackendServiceIamPolicyOutputArgs) ElementType

type LookupWebRegionBackendServiceIamPolicyResult

type LookupWebRegionBackendServiceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebRegionBackendServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData              string `pulumi:"policyData"`
	Project                 string `pulumi:"project"`
	Region                  string `pulumi:"region"`
	WebRegionBackendService string `pulumi:"webRegionBackendService"`
}

A collection of values returned by getWebRegionBackendServiceIamPolicy.

func LookupWebRegionBackendServiceIamPolicy

Retrieves the current IAM policy data for webregionbackendservice

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebRegionBackendServiceIamPolicy(ctx, &iap.LookupWebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.StringRef(_default.Project),
			Region:                  pulumi.StringRef(_default.Region),
			WebRegionBackendService: _default.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebRegionBackendServiceIamPolicyResultOutput

type LookupWebRegionBackendServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebRegionBackendServiceIamPolicy.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ElementType

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) PolicyData

(Required only by `iap.WebRegionBackendServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Project

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Region

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutput

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutput() LookupWebRegionBackendServiceIamPolicyResultOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutputWithContext

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupWebRegionBackendServiceIamPolicyResultOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) WebRegionBackendService

type LookupWebTypeComputeIamPolicyArgs

type LookupWebTypeComputeIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeComputeIamPolicy.

type LookupWebTypeComputeIamPolicyOutputArgs

type LookupWebTypeComputeIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeComputeIamPolicy.

func (LookupWebTypeComputeIamPolicyOutputArgs) ElementType

type LookupWebTypeComputeIamPolicyResult

type LookupWebTypeComputeIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebTypeComputeIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebTypeComputeIamPolicy.

func LookupWebTypeComputeIamPolicy

Retrieves the current IAM policy data for webtypecompute

## example

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebTypeComputeIamPolicy(ctx, &iap.LookupWebTypeComputeIamPolicyArgs{
			Project: pulumi.StringRef(projectService.Project),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebTypeComputeIamPolicyResultOutput

type LookupWebTypeComputeIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebTypeComputeIamPolicy.

func (LookupWebTypeComputeIamPolicyResultOutput) ElementType

func (LookupWebTypeComputeIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupWebTypeComputeIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupWebTypeComputeIamPolicyResultOutput) PolicyData

(Required only by `iap.WebTypeComputeIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebTypeComputeIamPolicyResultOutput) Project

func (LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutput

func (o LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutput() LookupWebTypeComputeIamPolicyResultOutput

func (LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutputWithContext

func (o LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutputWithContext(ctx context.Context) LookupWebTypeComputeIamPolicyResultOutput

type TunnelDestGroup

type TunnelDestGroup struct {
	pulumi.CustomResourceState

	// List of CIDRs that this group applies to.
	Cidrs pulumi.StringArrayOutput `pulumi:"cidrs"`
	// List of FQDNs that this group applies to.
	Fqdns pulumi.StringArrayOutput `pulumi:"fqdns"`
	// Unique tunnel destination group name.
	//
	// ***
	GroupName pulumi.StringOutput `pulumi:"groupName"`
	// Full resource name.
	Name pulumi.StringOutput `pulumi:"name"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	Region pulumi.StringOutput `pulumi:"region"`
}

Tunnel destination groups represent resources that have the same tunnel access restrictions.

To get more information about TunnelDestGroup, see:

* [API documentation](https://cloud.google.com/iap/docs/reference/rest/v1/projects.iap_tunnel.locations.destGroups) * How-to Guides

## Example Usage

### Iap Destgroup

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroup(ctx, "dest_group", &iap.TunnelDestGroupArgs{
			Region:    pulumi.String("us-central1"),
			GroupName: pulumi.String("testgroup_2605"),
			Cidrs: pulumi.StringArray{
				pulumi.String("10.1.0.0/16"),
				pulumi.String("192.168.10.0/24"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

TunnelDestGroup can be imported using any of these accepted formats:

* `projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}`

* `{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}`

* `{{project}}/{{region}}/{{group_name}}`

* `{{region}}/destGroups/{{group_name}}`

* `{{region}}/{{group_name}}`

* `{{group_name}}`

When using the `pulumi import` command, TunnelDestGroup can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{project}}/{{region}}/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{region}}/destGroups/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{region}}/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{group_name}} ```

func GetTunnelDestGroup

func GetTunnelDestGroup(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupState, opts ...pulumi.ResourceOption) (*TunnelDestGroup, error)

GetTunnelDestGroup gets an existing TunnelDestGroup resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroup

func NewTunnelDestGroup(ctx *pulumi.Context,
	name string, args *TunnelDestGroupArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroup, error)

NewTunnelDestGroup registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroup) ElementType

func (*TunnelDestGroup) ElementType() reflect.Type

func (*TunnelDestGroup) ToTunnelDestGroupOutput

func (i *TunnelDestGroup) ToTunnelDestGroupOutput() TunnelDestGroupOutput

func (*TunnelDestGroup) ToTunnelDestGroupOutputWithContext

func (i *TunnelDestGroup) ToTunnelDestGroupOutputWithContext(ctx context.Context) TunnelDestGroupOutput

type TunnelDestGroupArgs

type TunnelDestGroupArgs struct {
	// List of CIDRs that this group applies to.
	Cidrs pulumi.StringArrayInput
	// List of FQDNs that this group applies to.
	Fqdns pulumi.StringArrayInput
	// Unique tunnel destination group name.
	//
	// ***
	GroupName pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	Region pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelDestGroup resource.

func (TunnelDestGroupArgs) ElementType

func (TunnelDestGroupArgs) ElementType() reflect.Type

type TunnelDestGroupArray

type TunnelDestGroupArray []TunnelDestGroupInput

func (TunnelDestGroupArray) ElementType

func (TunnelDestGroupArray) ElementType() reflect.Type

func (TunnelDestGroupArray) ToTunnelDestGroupArrayOutput

func (i TunnelDestGroupArray) ToTunnelDestGroupArrayOutput() TunnelDestGroupArrayOutput

func (TunnelDestGroupArray) ToTunnelDestGroupArrayOutputWithContext

func (i TunnelDestGroupArray) ToTunnelDestGroupArrayOutputWithContext(ctx context.Context) TunnelDestGroupArrayOutput

type TunnelDestGroupArrayInput

type TunnelDestGroupArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupArrayOutput() TunnelDestGroupArrayOutput
	ToTunnelDestGroupArrayOutputWithContext(context.Context) TunnelDestGroupArrayOutput
}

TunnelDestGroupArrayInput is an input type that accepts TunnelDestGroupArray and TunnelDestGroupArrayOutput values. You can construct a concrete instance of `TunnelDestGroupArrayInput` via:

TunnelDestGroupArray{ TunnelDestGroupArgs{...} }

type TunnelDestGroupArrayOutput

type TunnelDestGroupArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupArrayOutput) ElementType

func (TunnelDestGroupArrayOutput) ElementType() reflect.Type

func (TunnelDestGroupArrayOutput) Index

func (TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutput

func (o TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutput() TunnelDestGroupArrayOutput

func (TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutputWithContext

func (o TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutputWithContext(ctx context.Context) TunnelDestGroupArrayOutput

type TunnelDestGroupIamBinding

type TunnelDestGroupIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamBindingConditionPtrOutput `pulumi:"condition"`
	DestGroup pulumi.StringOutput                         `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelDestGroup Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/{{region}}/{{dest_group}}

* {{region}}/{{dest_group}}

* {{dest_group}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunneldestgroup IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding editor projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelDestGroupIamBinding

func GetTunnelDestGroupIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupIamBindingState, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamBinding, error)

GetTunnelDestGroupIamBinding gets an existing TunnelDestGroupIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroupIamBinding

func NewTunnelDestGroupIamBinding(ctx *pulumi.Context,
	name string, args *TunnelDestGroupIamBindingArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamBinding, error)

NewTunnelDestGroupIamBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroupIamBinding) ElementType

func (*TunnelDestGroupIamBinding) ElementType() reflect.Type

func (*TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutput

func (i *TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutput() TunnelDestGroupIamBindingOutput

func (*TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutputWithContext

func (i *TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingOutput

type TunnelDestGroupIamBindingArgs

type TunnelDestGroupIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamBindingConditionPtrInput
	DestGroup pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelDestGroupIamBinding resource.

func (TunnelDestGroupIamBindingArgs) ElementType

type TunnelDestGroupIamBindingArray

type TunnelDestGroupIamBindingArray []TunnelDestGroupIamBindingInput

func (TunnelDestGroupIamBindingArray) ElementType

func (TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutput

func (i TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutput() TunnelDestGroupIamBindingArrayOutput

func (TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutputWithContext

func (i TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingArrayOutput

type TunnelDestGroupIamBindingArrayInput

type TunnelDestGroupIamBindingArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingArrayOutput() TunnelDestGroupIamBindingArrayOutput
	ToTunnelDestGroupIamBindingArrayOutputWithContext(context.Context) TunnelDestGroupIamBindingArrayOutput
}

TunnelDestGroupIamBindingArrayInput is an input type that accepts TunnelDestGroupIamBindingArray and TunnelDestGroupIamBindingArrayOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingArrayInput` via:

TunnelDestGroupIamBindingArray{ TunnelDestGroupIamBindingArgs{...} }

type TunnelDestGroupIamBindingArrayOutput

type TunnelDestGroupIamBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingArrayOutput) ElementType

func (TunnelDestGroupIamBindingArrayOutput) Index

func (TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutput

func (o TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutput() TunnelDestGroupIamBindingArrayOutput

func (TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutputWithContext

func (o TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingArrayOutput

type TunnelDestGroupIamBindingCondition

type TunnelDestGroupIamBindingCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelDestGroupIamBindingConditionArgs

type TunnelDestGroupIamBindingConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelDestGroupIamBindingConditionArgs) ElementType

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutput

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutput() TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutputWithContext

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutput

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingConditionInput

type TunnelDestGroupIamBindingConditionInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingConditionOutput() TunnelDestGroupIamBindingConditionOutput
	ToTunnelDestGroupIamBindingConditionOutputWithContext(context.Context) TunnelDestGroupIamBindingConditionOutput
}

TunnelDestGroupIamBindingConditionInput is an input type that accepts TunnelDestGroupIamBindingConditionArgs and TunnelDestGroupIamBindingConditionOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingConditionInput` via:

TunnelDestGroupIamBindingConditionArgs{...}

type TunnelDestGroupIamBindingConditionOutput

type TunnelDestGroupIamBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingConditionOutput) Description

func (TunnelDestGroupIamBindingConditionOutput) ElementType

func (TunnelDestGroupIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutput

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutput() TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutputWithContext

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutput

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingConditionPtrInput

type TunnelDestGroupIamBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput
	ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(context.Context) TunnelDestGroupIamBindingConditionPtrOutput
}

TunnelDestGroupIamBindingConditionPtrInput is an input type that accepts TunnelDestGroupIamBindingConditionArgs, TunnelDestGroupIamBindingConditionPtr and TunnelDestGroupIamBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingConditionPtrInput` via:

        TunnelDestGroupIamBindingConditionArgs{...}

or:

        nil

type TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingConditionPtrOutput) Description

func (TunnelDestGroupIamBindingConditionPtrOutput) Elem

func (TunnelDestGroupIamBindingConditionPtrOutput) ElementType

func (TunnelDestGroupIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutput

func (o TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput

func (TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext

func (o TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingInput

type TunnelDestGroupIamBindingInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingOutput() TunnelDestGroupIamBindingOutput
	ToTunnelDestGroupIamBindingOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingOutput
}

type TunnelDestGroupIamBindingMap

type TunnelDestGroupIamBindingMap map[string]TunnelDestGroupIamBindingInput

func (TunnelDestGroupIamBindingMap) ElementType

func (TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutput

func (i TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutput() TunnelDestGroupIamBindingMapOutput

func (TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutputWithContext

func (i TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingMapOutput

type TunnelDestGroupIamBindingMapInput

type TunnelDestGroupIamBindingMapInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingMapOutput() TunnelDestGroupIamBindingMapOutput
	ToTunnelDestGroupIamBindingMapOutputWithContext(context.Context) TunnelDestGroupIamBindingMapOutput
}

TunnelDestGroupIamBindingMapInput is an input type that accepts TunnelDestGroupIamBindingMap and TunnelDestGroupIamBindingMapOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingMapInput` via:

TunnelDestGroupIamBindingMap{ "key": TunnelDestGroupIamBindingArgs{...} }

type TunnelDestGroupIamBindingMapOutput

type TunnelDestGroupIamBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingMapOutput) ElementType

func (TunnelDestGroupIamBindingMapOutput) MapIndex

func (TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutput

func (o TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutput() TunnelDestGroupIamBindingMapOutput

func (TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutputWithContext

func (o TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingMapOutput

type TunnelDestGroupIamBindingOutput

type TunnelDestGroupIamBindingOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelDestGroupIamBindingOutput) DestGroup

func (TunnelDestGroupIamBindingOutput) ElementType

func (TunnelDestGroupIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelDestGroupIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelDestGroupIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelDestGroupIamBindingOutput) Region

The region of the tunnel group. Must be the same as the network resources in the group. Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration.

func (TunnelDestGroupIamBindingOutput) Role

The role that should be applied. Only one `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutput

func (o TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutput() TunnelDestGroupIamBindingOutput

func (TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutputWithContext

func (o TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingOutput

type TunnelDestGroupIamBindingState

type TunnelDestGroupIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamBindingConditionPtrInput
	DestGroup pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelDestGroupIamBindingState) ElementType

type TunnelDestGroupIamMember

type TunnelDestGroupIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamMemberConditionPtrOutput `pulumi:"condition"`
	DestGroup pulumi.StringOutput                        `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelDestGroup Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/{{region}}/{{dest_group}}

* {{region}}/{{dest_group}}

* {{dest_group}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunneldestgroup IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember editor projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelDestGroupIamMember

func GetTunnelDestGroupIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupIamMemberState, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamMember, error)

GetTunnelDestGroupIamMember gets an existing TunnelDestGroupIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroupIamMember

func NewTunnelDestGroupIamMember(ctx *pulumi.Context,
	name string, args *TunnelDestGroupIamMemberArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamMember, error)

NewTunnelDestGroupIamMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroupIamMember) ElementType

func (*TunnelDestGroupIamMember) ElementType() reflect.Type

func (*TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutput

func (i *TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutput() TunnelDestGroupIamMemberOutput

func (*TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutputWithContext

func (i *TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberOutput

type TunnelDestGroupIamMemberArgs

type TunnelDestGroupIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamMemberConditionPtrInput
	DestGroup pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelDestGroupIamMember resource.

func (TunnelDestGroupIamMemberArgs) ElementType

type TunnelDestGroupIamMemberArray

type TunnelDestGroupIamMemberArray []TunnelDestGroupIamMemberInput

func (TunnelDestGroupIamMemberArray) ElementType

func (TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutput

func (i TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutput() TunnelDestGroupIamMemberArrayOutput

func (TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutputWithContext

func (i TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberArrayOutput

type TunnelDestGroupIamMemberArrayInput

type TunnelDestGroupIamMemberArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberArrayOutput() TunnelDestGroupIamMemberArrayOutput
	ToTunnelDestGroupIamMemberArrayOutputWithContext(context.Context) TunnelDestGroupIamMemberArrayOutput
}

TunnelDestGroupIamMemberArrayInput is an input type that accepts TunnelDestGroupIamMemberArray and TunnelDestGroupIamMemberArrayOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberArrayInput` via:

TunnelDestGroupIamMemberArray{ TunnelDestGroupIamMemberArgs{...} }

type TunnelDestGroupIamMemberArrayOutput

type TunnelDestGroupIamMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberArrayOutput) ElementType

func (TunnelDestGroupIamMemberArrayOutput) Index

func (TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutput

func (o TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutput() TunnelDestGroupIamMemberArrayOutput

func (TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutputWithContext

func (o TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberArrayOutput

type TunnelDestGroupIamMemberCondition

type TunnelDestGroupIamMemberCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelDestGroupIamMemberConditionArgs

type TunnelDestGroupIamMemberConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelDestGroupIamMemberConditionArgs) ElementType

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutput

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutput() TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutputWithContext

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutput

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberConditionInput

type TunnelDestGroupIamMemberConditionInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberConditionOutput() TunnelDestGroupIamMemberConditionOutput
	ToTunnelDestGroupIamMemberConditionOutputWithContext(context.Context) TunnelDestGroupIamMemberConditionOutput
}

TunnelDestGroupIamMemberConditionInput is an input type that accepts TunnelDestGroupIamMemberConditionArgs and TunnelDestGroupIamMemberConditionOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberConditionInput` via:

TunnelDestGroupIamMemberConditionArgs{...}

type TunnelDestGroupIamMemberConditionOutput

type TunnelDestGroupIamMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberConditionOutput) Description

func (TunnelDestGroupIamMemberConditionOutput) ElementType

func (TunnelDestGroupIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutput

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutput() TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutputWithContext

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutput

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberConditionPtrInput

type TunnelDestGroupIamMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput
	ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(context.Context) TunnelDestGroupIamMemberConditionPtrOutput
}

TunnelDestGroupIamMemberConditionPtrInput is an input type that accepts TunnelDestGroupIamMemberConditionArgs, TunnelDestGroupIamMemberConditionPtr and TunnelDestGroupIamMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberConditionPtrInput` via:

        TunnelDestGroupIamMemberConditionArgs{...}

or:

        nil

type TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberConditionPtrOutput) Description

func (TunnelDestGroupIamMemberConditionPtrOutput) Elem

func (TunnelDestGroupIamMemberConditionPtrOutput) ElementType

func (TunnelDestGroupIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutput

func (o TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput

func (TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext

func (o TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberInput

type TunnelDestGroupIamMemberInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberOutput() TunnelDestGroupIamMemberOutput
	ToTunnelDestGroupIamMemberOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberOutput
}

type TunnelDestGroupIamMemberMap

type TunnelDestGroupIamMemberMap map[string]TunnelDestGroupIamMemberInput

func (TunnelDestGroupIamMemberMap) ElementType

func (TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutput

func (i TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutput() TunnelDestGroupIamMemberMapOutput

func (TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutputWithContext

func (i TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberMapOutput

type TunnelDestGroupIamMemberMapInput

type TunnelDestGroupIamMemberMapInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberMapOutput() TunnelDestGroupIamMemberMapOutput
	ToTunnelDestGroupIamMemberMapOutputWithContext(context.Context) TunnelDestGroupIamMemberMapOutput
}

TunnelDestGroupIamMemberMapInput is an input type that accepts TunnelDestGroupIamMemberMap and TunnelDestGroupIamMemberMapOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberMapInput` via:

TunnelDestGroupIamMemberMap{ "key": TunnelDestGroupIamMemberArgs{...} }

type TunnelDestGroupIamMemberMapOutput

type TunnelDestGroupIamMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberMapOutput) ElementType

func (TunnelDestGroupIamMemberMapOutput) MapIndex

func (TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutput

func (o TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutput() TunnelDestGroupIamMemberMapOutput

func (TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutputWithContext

func (o TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberMapOutput

type TunnelDestGroupIamMemberOutput

type TunnelDestGroupIamMemberOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelDestGroupIamMemberOutput) DestGroup

func (TunnelDestGroupIamMemberOutput) ElementType

func (TunnelDestGroupIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelDestGroupIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelDestGroupIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelDestGroupIamMemberOutput) Region

The region of the tunnel group. Must be the same as the network resources in the group. Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration.

func (TunnelDestGroupIamMemberOutput) Role

The role that should be applied. Only one `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutput

func (o TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutput() TunnelDestGroupIamMemberOutput

func (TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutputWithContext

func (o TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberOutput

type TunnelDestGroupIamMemberState

type TunnelDestGroupIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamMemberConditionPtrInput
	DestGroup pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelDestGroupIamMemberState) ElementType

type TunnelDestGroupIamPolicy

type TunnelDestGroupIamPolicy struct {
	pulumi.CustomResourceState

	DestGroup pulumi.StringOutput `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringOutput `pulumi:"region"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelDestGroup Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/{{region}}/{{dest_group}}

* {{region}}/{{dest_group}}

* {{dest_group}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunneldestgroup IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamPolicy:TunnelDestGroupIamPolicy editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamPolicy:TunnelDestGroupIamPolicy editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamPolicy:TunnelDestGroupIamPolicy editor projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelDestGroupIamPolicy

func GetTunnelDestGroupIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupIamPolicyState, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamPolicy, error)

GetTunnelDestGroupIamPolicy gets an existing TunnelDestGroupIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroupIamPolicy

func NewTunnelDestGroupIamPolicy(ctx *pulumi.Context,
	name string, args *TunnelDestGroupIamPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamPolicy, error)

NewTunnelDestGroupIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroupIamPolicy) ElementType

func (*TunnelDestGroupIamPolicy) ElementType() reflect.Type

func (*TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutput

func (i *TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutput() TunnelDestGroupIamPolicyOutput

func (*TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutputWithContext

func (i *TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyOutput

type TunnelDestGroupIamPolicyArgs

type TunnelDestGroupIamPolicyArgs struct {
	DestGroup pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelDestGroupIamPolicy resource.

func (TunnelDestGroupIamPolicyArgs) ElementType

type TunnelDestGroupIamPolicyArray

type TunnelDestGroupIamPolicyArray []TunnelDestGroupIamPolicyInput

func (TunnelDestGroupIamPolicyArray) ElementType

func (TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutput

func (i TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutput() TunnelDestGroupIamPolicyArrayOutput

func (TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutputWithContext

func (i TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyArrayOutput

type TunnelDestGroupIamPolicyArrayInput

type TunnelDestGroupIamPolicyArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupIamPolicyArrayOutput() TunnelDestGroupIamPolicyArrayOutput
	ToTunnelDestGroupIamPolicyArrayOutputWithContext(context.Context) TunnelDestGroupIamPolicyArrayOutput
}

TunnelDestGroupIamPolicyArrayInput is an input type that accepts TunnelDestGroupIamPolicyArray and TunnelDestGroupIamPolicyArrayOutput values. You can construct a concrete instance of `TunnelDestGroupIamPolicyArrayInput` via:

TunnelDestGroupIamPolicyArray{ TunnelDestGroupIamPolicyArgs{...} }

type TunnelDestGroupIamPolicyArrayOutput

type TunnelDestGroupIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamPolicyArrayOutput) ElementType

func (TunnelDestGroupIamPolicyArrayOutput) Index

func (TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutput

func (o TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutput() TunnelDestGroupIamPolicyArrayOutput

func (TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutputWithContext

func (o TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyArrayOutput

type TunnelDestGroupIamPolicyInput

type TunnelDestGroupIamPolicyInput interface {
	pulumi.Input

	ToTunnelDestGroupIamPolicyOutput() TunnelDestGroupIamPolicyOutput
	ToTunnelDestGroupIamPolicyOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyOutput
}

type TunnelDestGroupIamPolicyMap

type TunnelDestGroupIamPolicyMap map[string]TunnelDestGroupIamPolicyInput

func (TunnelDestGroupIamPolicyMap) ElementType

func (TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutput

func (i TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutput() TunnelDestGroupIamPolicyMapOutput

func (TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutputWithContext

func (i TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyMapOutput

type TunnelDestGroupIamPolicyMapInput

type TunnelDestGroupIamPolicyMapInput interface {
	pulumi.Input

	ToTunnelDestGroupIamPolicyMapOutput() TunnelDestGroupIamPolicyMapOutput
	ToTunnelDestGroupIamPolicyMapOutputWithContext(context.Context) TunnelDestGroupIamPolicyMapOutput
}

TunnelDestGroupIamPolicyMapInput is an input type that accepts TunnelDestGroupIamPolicyMap and TunnelDestGroupIamPolicyMapOutput values. You can construct a concrete instance of `TunnelDestGroupIamPolicyMapInput` via:

TunnelDestGroupIamPolicyMap{ "key": TunnelDestGroupIamPolicyArgs{...} }

type TunnelDestGroupIamPolicyMapOutput

type TunnelDestGroupIamPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamPolicyMapOutput) ElementType

func (TunnelDestGroupIamPolicyMapOutput) MapIndex

func (TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutput

func (o TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutput() TunnelDestGroupIamPolicyMapOutput

func (TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutputWithContext

func (o TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyMapOutput

type TunnelDestGroupIamPolicyOutput

type TunnelDestGroupIamPolicyOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamPolicyOutput) DestGroup

func (TunnelDestGroupIamPolicyOutput) ElementType

func (TunnelDestGroupIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelDestGroupIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelDestGroupIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelDestGroupIamPolicyOutput) Region

The region of the tunnel group. Must be the same as the network resources in the group. Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration.

func (TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutput

func (o TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutput() TunnelDestGroupIamPolicyOutput

func (TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutputWithContext

func (o TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyOutput

type TunnelDestGroupIamPolicyState

type TunnelDestGroupIamPolicyState struct {
	DestGroup pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
}

func (TunnelDestGroupIamPolicyState) ElementType

type TunnelDestGroupInput

type TunnelDestGroupInput interface {
	pulumi.Input

	ToTunnelDestGroupOutput() TunnelDestGroupOutput
	ToTunnelDestGroupOutputWithContext(ctx context.Context) TunnelDestGroupOutput
}

type TunnelDestGroupMap

type TunnelDestGroupMap map[string]TunnelDestGroupInput

func (TunnelDestGroupMap) ElementType

func (TunnelDestGroupMap) ElementType() reflect.Type

func (TunnelDestGroupMap) ToTunnelDestGroupMapOutput

func (i TunnelDestGroupMap) ToTunnelDestGroupMapOutput() TunnelDestGroupMapOutput

func (TunnelDestGroupMap) ToTunnelDestGroupMapOutputWithContext

func (i TunnelDestGroupMap) ToTunnelDestGroupMapOutputWithContext(ctx context.Context) TunnelDestGroupMapOutput

type TunnelDestGroupMapInput

type TunnelDestGroupMapInput interface {
	pulumi.Input

	ToTunnelDestGroupMapOutput() TunnelDestGroupMapOutput
	ToTunnelDestGroupMapOutputWithContext(context.Context) TunnelDestGroupMapOutput
}

TunnelDestGroupMapInput is an input type that accepts TunnelDestGroupMap and TunnelDestGroupMapOutput values. You can construct a concrete instance of `TunnelDestGroupMapInput` via:

TunnelDestGroupMap{ "key": TunnelDestGroupArgs{...} }

type TunnelDestGroupMapOutput

type TunnelDestGroupMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupMapOutput) ElementType

func (TunnelDestGroupMapOutput) ElementType() reflect.Type

func (TunnelDestGroupMapOutput) MapIndex

func (TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutput

func (o TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutput() TunnelDestGroupMapOutput

func (TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutputWithContext

func (o TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutputWithContext(ctx context.Context) TunnelDestGroupMapOutput

type TunnelDestGroupOutput

type TunnelDestGroupOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupOutput) Cidrs

List of CIDRs that this group applies to.

func (TunnelDestGroupOutput) ElementType

func (TunnelDestGroupOutput) ElementType() reflect.Type

func (TunnelDestGroupOutput) Fqdns

List of FQDNs that this group applies to.

func (TunnelDestGroupOutput) GroupName

Unique tunnel destination group name.

***

func (TunnelDestGroupOutput) Name

Full resource name.

func (TunnelDestGroupOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

func (TunnelDestGroupOutput) Region

The region of the tunnel group. Must be the same as the network resources in the group.

func (TunnelDestGroupOutput) ToTunnelDestGroupOutput

func (o TunnelDestGroupOutput) ToTunnelDestGroupOutput() TunnelDestGroupOutput

func (TunnelDestGroupOutput) ToTunnelDestGroupOutputWithContext

func (o TunnelDestGroupOutput) ToTunnelDestGroupOutputWithContext(ctx context.Context) TunnelDestGroupOutput

type TunnelDestGroupState

type TunnelDestGroupState struct {
	// List of CIDRs that this group applies to.
	Cidrs pulumi.StringArrayInput
	// List of FQDNs that this group applies to.
	Fqdns pulumi.StringArrayInput
	// Unique tunnel destination group name.
	//
	// ***
	GroupName pulumi.StringPtrInput
	// Full resource name.
	Name pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	Region pulumi.StringPtrInput
}

func (TunnelDestGroupState) ElementType

func (TunnelDestGroupState) ElementType() reflect.Type

type TunnelIamBinding

type TunnelIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Tunnel Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor projects/{{project}}/iap_tunnel ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamBinding

func GetTunnelIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamBindingState, opts ...pulumi.ResourceOption) (*TunnelIamBinding, error)

GetTunnelIamBinding gets an existing TunnelIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamBinding

func NewTunnelIamBinding(ctx *pulumi.Context,
	name string, args *TunnelIamBindingArgs, opts ...pulumi.ResourceOption) (*TunnelIamBinding, error)

NewTunnelIamBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamBinding) ElementType

func (*TunnelIamBinding) ElementType() reflect.Type

func (*TunnelIamBinding) ToTunnelIamBindingOutput

func (i *TunnelIamBinding) ToTunnelIamBindingOutput() TunnelIamBindingOutput

func (*TunnelIamBinding) ToTunnelIamBindingOutputWithContext

func (i *TunnelIamBinding) ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput

type TunnelIamBindingArgs

type TunnelIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelIamBinding resource.

func (TunnelIamBindingArgs) ElementType

func (TunnelIamBindingArgs) ElementType() reflect.Type

type TunnelIamBindingArray

type TunnelIamBindingArray []TunnelIamBindingInput

func (TunnelIamBindingArray) ElementType

func (TunnelIamBindingArray) ElementType() reflect.Type

func (TunnelIamBindingArray) ToTunnelIamBindingArrayOutput

func (i TunnelIamBindingArray) ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput

func (TunnelIamBindingArray) ToTunnelIamBindingArrayOutputWithContext

func (i TunnelIamBindingArray) ToTunnelIamBindingArrayOutputWithContext(ctx context.Context) TunnelIamBindingArrayOutput

type TunnelIamBindingArrayInput

type TunnelIamBindingArrayInput interface {
	pulumi.Input

	ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput
	ToTunnelIamBindingArrayOutputWithContext(context.Context) TunnelIamBindingArrayOutput
}

TunnelIamBindingArrayInput is an input type that accepts TunnelIamBindingArray and TunnelIamBindingArrayOutput values. You can construct a concrete instance of `TunnelIamBindingArrayInput` via:

TunnelIamBindingArray{ TunnelIamBindingArgs{...} }

type TunnelIamBindingArrayOutput

type TunnelIamBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingArrayOutput) ElementType

func (TunnelIamBindingArrayOutput) Index

func (TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutput

func (o TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput

func (TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutputWithContext

func (o TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutputWithContext(ctx context.Context) TunnelIamBindingArrayOutput

type TunnelIamBindingCondition

type TunnelIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelIamBindingConditionArgs

type TunnelIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelIamBindingConditionArgs) ElementType

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutput

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutputWithContext

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutputWithContext(ctx context.Context) TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutput

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutputWithContext

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionInput

type TunnelIamBindingConditionInput interface {
	pulumi.Input

	ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput
	ToTunnelIamBindingConditionOutputWithContext(context.Context) TunnelIamBindingConditionOutput
}

TunnelIamBindingConditionInput is an input type that accepts TunnelIamBindingConditionArgs and TunnelIamBindingConditionOutput values. You can construct a concrete instance of `TunnelIamBindingConditionInput` via:

TunnelIamBindingConditionArgs{...}

type TunnelIamBindingConditionOutput

type TunnelIamBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamBindingConditionOutput) ElementType

func (TunnelIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutput

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutputWithContext

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutputWithContext(ctx context.Context) TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutput

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutputWithContext

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionPtrInput

type TunnelIamBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput
	ToTunnelIamBindingConditionPtrOutputWithContext(context.Context) TunnelIamBindingConditionPtrOutput
}

TunnelIamBindingConditionPtrInput is an input type that accepts TunnelIamBindingConditionArgs, TunnelIamBindingConditionPtr and TunnelIamBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelIamBindingConditionPtrInput` via:

        TunnelIamBindingConditionArgs{...}

or:

        nil

type TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamBindingConditionPtrOutput) Elem

func (TunnelIamBindingConditionPtrOutput) ElementType

func (TunnelIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutput

func (o TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutputWithContext

func (o TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingInput

type TunnelIamBindingInput interface {
	pulumi.Input

	ToTunnelIamBindingOutput() TunnelIamBindingOutput
	ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput
}

type TunnelIamBindingMap

type TunnelIamBindingMap map[string]TunnelIamBindingInput

func (TunnelIamBindingMap) ElementType

func (TunnelIamBindingMap) ElementType() reflect.Type

func (TunnelIamBindingMap) ToTunnelIamBindingMapOutput

func (i TunnelIamBindingMap) ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput

func (TunnelIamBindingMap) ToTunnelIamBindingMapOutputWithContext

func (i TunnelIamBindingMap) ToTunnelIamBindingMapOutputWithContext(ctx context.Context) TunnelIamBindingMapOutput

type TunnelIamBindingMapInput

type TunnelIamBindingMapInput interface {
	pulumi.Input

	ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput
	ToTunnelIamBindingMapOutputWithContext(context.Context) TunnelIamBindingMapOutput
}

TunnelIamBindingMapInput is an input type that accepts TunnelIamBindingMap and TunnelIamBindingMapOutput values. You can construct a concrete instance of `TunnelIamBindingMapInput` via:

TunnelIamBindingMap{ "key": TunnelIamBindingArgs{...} }

type TunnelIamBindingMapOutput

type TunnelIamBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingMapOutput) ElementType

func (TunnelIamBindingMapOutput) ElementType() reflect.Type

func (TunnelIamBindingMapOutput) MapIndex

func (TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutput

func (o TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput

func (TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutputWithContext

func (o TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutputWithContext(ctx context.Context) TunnelIamBindingMapOutput

type TunnelIamBindingOutput

type TunnelIamBindingOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelIamBindingOutput) ElementType

func (TunnelIamBindingOutput) ElementType() reflect.Type

func (TunnelIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelIamBindingOutput) Role

The role that should be applied. Only one `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelIamBindingOutput) ToTunnelIamBindingOutput

func (o TunnelIamBindingOutput) ToTunnelIamBindingOutput() TunnelIamBindingOutput

func (TunnelIamBindingOutput) ToTunnelIamBindingOutputWithContext

func (o TunnelIamBindingOutput) ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput

type TunnelIamBindingState

type TunnelIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelIamBindingState) ElementType

func (TunnelIamBindingState) ElementType() reflect.Type

type TunnelIamMember

type TunnelIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Tunnel Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor projects/{{project}}/iap_tunnel ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamMember

func GetTunnelIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamMemberState, opts ...pulumi.ResourceOption) (*TunnelIamMember, error)

GetTunnelIamMember gets an existing TunnelIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamMember

func NewTunnelIamMember(ctx *pulumi.Context,
	name string, args *TunnelIamMemberArgs, opts ...pulumi.ResourceOption) (*TunnelIamMember, error)

NewTunnelIamMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamMember) ElementType

func (*TunnelIamMember) ElementType() reflect.Type

func (*TunnelIamMember) ToTunnelIamMemberOutput

func (i *TunnelIamMember) ToTunnelIamMemberOutput() TunnelIamMemberOutput

func (*TunnelIamMember) ToTunnelIamMemberOutputWithContext

func (i *TunnelIamMember) ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput

type TunnelIamMemberArgs

type TunnelIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelIamMember resource.

func (TunnelIamMemberArgs) ElementType

func (TunnelIamMemberArgs) ElementType() reflect.Type

type TunnelIamMemberArray

type TunnelIamMemberArray []TunnelIamMemberInput

func (TunnelIamMemberArray) ElementType

func (TunnelIamMemberArray) ElementType() reflect.Type

func (TunnelIamMemberArray) ToTunnelIamMemberArrayOutput

func (i TunnelIamMemberArray) ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput

func (TunnelIamMemberArray) ToTunnelIamMemberArrayOutputWithContext

func (i TunnelIamMemberArray) ToTunnelIamMemberArrayOutputWithContext(ctx context.Context) TunnelIamMemberArrayOutput

type TunnelIamMemberArrayInput

type TunnelIamMemberArrayInput interface {
	pulumi.Input

	ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput
	ToTunnelIamMemberArrayOutputWithContext(context.Context) TunnelIamMemberArrayOutput
}

TunnelIamMemberArrayInput is an input type that accepts TunnelIamMemberArray and TunnelIamMemberArrayOutput values. You can construct a concrete instance of `TunnelIamMemberArrayInput` via:

TunnelIamMemberArray{ TunnelIamMemberArgs{...} }

type TunnelIamMemberArrayOutput

type TunnelIamMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberArrayOutput) ElementType

func (TunnelIamMemberArrayOutput) ElementType() reflect.Type

func (TunnelIamMemberArrayOutput) Index

func (TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutput

func (o TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput

func (TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutputWithContext

func (o TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutputWithContext(ctx context.Context) TunnelIamMemberArrayOutput

type TunnelIamMemberCondition

type TunnelIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelIamMemberConditionArgs

type TunnelIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelIamMemberConditionArgs) ElementType

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutput

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutputWithContext

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutputWithContext(ctx context.Context) TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutput

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutputWithContext

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionInput

type TunnelIamMemberConditionInput interface {
	pulumi.Input

	ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput
	ToTunnelIamMemberConditionOutputWithContext(context.Context) TunnelIamMemberConditionOutput
}

TunnelIamMemberConditionInput is an input type that accepts TunnelIamMemberConditionArgs and TunnelIamMemberConditionOutput values. You can construct a concrete instance of `TunnelIamMemberConditionInput` via:

TunnelIamMemberConditionArgs{...}

type TunnelIamMemberConditionOutput

type TunnelIamMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamMemberConditionOutput) ElementType

func (TunnelIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutput

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutputWithContext

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutputWithContext(ctx context.Context) TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutput

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutputWithContext

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionPtrInput

type TunnelIamMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput
	ToTunnelIamMemberConditionPtrOutputWithContext(context.Context) TunnelIamMemberConditionPtrOutput
}

TunnelIamMemberConditionPtrInput is an input type that accepts TunnelIamMemberConditionArgs, TunnelIamMemberConditionPtr and TunnelIamMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelIamMemberConditionPtrInput` via:

        TunnelIamMemberConditionArgs{...}

or:

        nil

type TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamMemberConditionPtrOutput) Elem

func (TunnelIamMemberConditionPtrOutput) ElementType

func (TunnelIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutput

func (o TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutputWithContext

func (o TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberInput

type TunnelIamMemberInput interface {
	pulumi.Input

	ToTunnelIamMemberOutput() TunnelIamMemberOutput
	ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput
}

type TunnelIamMemberMap

type TunnelIamMemberMap map[string]TunnelIamMemberInput

func (TunnelIamMemberMap) ElementType

func (TunnelIamMemberMap) ElementType() reflect.Type

func (TunnelIamMemberMap) ToTunnelIamMemberMapOutput

func (i TunnelIamMemberMap) ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput

func (TunnelIamMemberMap) ToTunnelIamMemberMapOutputWithContext

func (i TunnelIamMemberMap) ToTunnelIamMemberMapOutputWithContext(ctx context.Context) TunnelIamMemberMapOutput

type TunnelIamMemberMapInput

type TunnelIamMemberMapInput interface {
	pulumi.Input

	ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput
	ToTunnelIamMemberMapOutputWithContext(context.Context) TunnelIamMemberMapOutput
}

TunnelIamMemberMapInput is an input type that accepts TunnelIamMemberMap and TunnelIamMemberMapOutput values. You can construct a concrete instance of `TunnelIamMemberMapInput` via:

TunnelIamMemberMap{ "key": TunnelIamMemberArgs{...} }

type TunnelIamMemberMapOutput

type TunnelIamMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberMapOutput) ElementType

func (TunnelIamMemberMapOutput) ElementType() reflect.Type

func (TunnelIamMemberMapOutput) MapIndex

func (TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutput

func (o TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput

func (TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutputWithContext

func (o TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutputWithContext(ctx context.Context) TunnelIamMemberMapOutput

type TunnelIamMemberOutput

type TunnelIamMemberOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelIamMemberOutput) ElementType

func (TunnelIamMemberOutput) ElementType() reflect.Type

func (TunnelIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelIamMemberOutput) Role

The role that should be applied. Only one `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelIamMemberOutput) ToTunnelIamMemberOutput

func (o TunnelIamMemberOutput) ToTunnelIamMemberOutput() TunnelIamMemberOutput

func (TunnelIamMemberOutput) ToTunnelIamMemberOutputWithContext

func (o TunnelIamMemberOutput) ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput

type TunnelIamMemberState

type TunnelIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelIamMemberState) ElementType

func (TunnelIamMemberState) ElementType() reflect.Type

type TunnelIamPolicy

type TunnelIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Tunnel Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor projects/{{project}}/iap_tunnel ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamPolicy

func GetTunnelIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamPolicyState, opts ...pulumi.ResourceOption) (*TunnelIamPolicy, error)

GetTunnelIamPolicy gets an existing TunnelIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamPolicy

func NewTunnelIamPolicy(ctx *pulumi.Context,
	name string, args *TunnelIamPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelIamPolicy, error)

NewTunnelIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamPolicy) ElementType

func (*TunnelIamPolicy) ElementType() reflect.Type

func (*TunnelIamPolicy) ToTunnelIamPolicyOutput

func (i *TunnelIamPolicy) ToTunnelIamPolicyOutput() TunnelIamPolicyOutput

func (*TunnelIamPolicy) ToTunnelIamPolicyOutputWithContext

func (i *TunnelIamPolicy) ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput

type TunnelIamPolicyArgs

type TunnelIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelIamPolicy resource.

func (TunnelIamPolicyArgs) ElementType

func (TunnelIamPolicyArgs) ElementType() reflect.Type

type TunnelIamPolicyArray

type TunnelIamPolicyArray []TunnelIamPolicyInput

func (TunnelIamPolicyArray) ElementType

func (TunnelIamPolicyArray) ElementType() reflect.Type

func (TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutput

func (i TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput

func (TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutputWithContext

func (i TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutputWithContext(ctx context.Context) TunnelIamPolicyArrayOutput

type TunnelIamPolicyArrayInput

type TunnelIamPolicyArrayInput interface {
	pulumi.Input

	ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput
	ToTunnelIamPolicyArrayOutputWithContext(context.Context) TunnelIamPolicyArrayOutput
}

TunnelIamPolicyArrayInput is an input type that accepts TunnelIamPolicyArray and TunnelIamPolicyArrayOutput values. You can construct a concrete instance of `TunnelIamPolicyArrayInput` via:

TunnelIamPolicyArray{ TunnelIamPolicyArgs{...} }

type TunnelIamPolicyArrayOutput

type TunnelIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyArrayOutput) ElementType

func (TunnelIamPolicyArrayOutput) ElementType() reflect.Type

func (TunnelIamPolicyArrayOutput) Index

func (TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutput

func (o TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput

func (TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutputWithContext

func (o TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutputWithContext(ctx context.Context) TunnelIamPolicyArrayOutput

type TunnelIamPolicyInput

type TunnelIamPolicyInput interface {
	pulumi.Input

	ToTunnelIamPolicyOutput() TunnelIamPolicyOutput
	ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput
}

type TunnelIamPolicyMap

type TunnelIamPolicyMap map[string]TunnelIamPolicyInput

func (TunnelIamPolicyMap) ElementType

func (TunnelIamPolicyMap) ElementType() reflect.Type

func (TunnelIamPolicyMap) ToTunnelIamPolicyMapOutput

func (i TunnelIamPolicyMap) ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput

func (TunnelIamPolicyMap) ToTunnelIamPolicyMapOutputWithContext

func (i TunnelIamPolicyMap) ToTunnelIamPolicyMapOutputWithContext(ctx context.Context) TunnelIamPolicyMapOutput

type TunnelIamPolicyMapInput

type TunnelIamPolicyMapInput interface {
	pulumi.Input

	ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput
	ToTunnelIamPolicyMapOutputWithContext(context.Context) TunnelIamPolicyMapOutput
}

TunnelIamPolicyMapInput is an input type that accepts TunnelIamPolicyMap and TunnelIamPolicyMapOutput values. You can construct a concrete instance of `TunnelIamPolicyMapInput` via:

TunnelIamPolicyMap{ "key": TunnelIamPolicyArgs{...} }

type TunnelIamPolicyMapOutput

type TunnelIamPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyMapOutput) ElementType

func (TunnelIamPolicyMapOutput) ElementType() reflect.Type

func (TunnelIamPolicyMapOutput) MapIndex

func (TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutput

func (o TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput

func (TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutputWithContext

func (o TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutputWithContext(ctx context.Context) TunnelIamPolicyMapOutput

type TunnelIamPolicyOutput

type TunnelIamPolicyOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyOutput) ElementType

func (TunnelIamPolicyOutput) ElementType() reflect.Type

func (TunnelIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelIamPolicyOutput) PolicyData

func (o TunnelIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelIamPolicyOutput) ToTunnelIamPolicyOutput

func (o TunnelIamPolicyOutput) ToTunnelIamPolicyOutput() TunnelIamPolicyOutput

func (TunnelIamPolicyOutput) ToTunnelIamPolicyOutputWithContext

func (o TunnelIamPolicyOutput) ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput

type TunnelIamPolicyState

type TunnelIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (TunnelIamPolicyState) ElementType

func (TunnelIamPolicyState) ElementType() reflect.Type

type TunnelInstanceIAMBinding

type TunnelInstanceIAMBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	Zone pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelInstance Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}

* projects/{{project}}/zones/{{zone}}/instances/{{name}}

* {{project}}/{{zone}}/{{name}}

* {{zone}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMBinding

func GetTunnelInstanceIAMBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMBindingState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMBinding, error)

GetTunnelInstanceIAMBinding gets an existing TunnelInstanceIAMBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMBinding

func NewTunnelInstanceIAMBinding(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMBindingArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMBinding, error)

NewTunnelInstanceIAMBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMBinding) ElementType

func (*TunnelInstanceIAMBinding) ElementType() reflect.Type

func (*TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutput

func (i *TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput

func (*TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutputWithContext

func (i *TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput

type TunnelInstanceIAMBindingArgs

type TunnelInstanceIAMBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	Zone pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMBinding resource.

func (TunnelInstanceIAMBindingArgs) ElementType

type TunnelInstanceIAMBindingArray

type TunnelInstanceIAMBindingArray []TunnelInstanceIAMBindingInput

func (TunnelInstanceIAMBindingArray) ElementType

func (TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutput

func (i TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput

func (TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutputWithContext

func (i TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingArrayInput

type TunnelInstanceIAMBindingArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput
	ToTunnelInstanceIAMBindingArrayOutputWithContext(context.Context) TunnelInstanceIAMBindingArrayOutput
}

TunnelInstanceIAMBindingArrayInput is an input type that accepts TunnelInstanceIAMBindingArray and TunnelInstanceIAMBindingArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingArrayInput` via:

TunnelInstanceIAMBindingArray{ TunnelInstanceIAMBindingArgs{...} }

type TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingArrayOutput) ElementType

func (TunnelInstanceIAMBindingArrayOutput) Index

func (TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutput

func (o TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput

func (TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutputWithContext

func (o TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingCondition

type TunnelInstanceIAMBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelInstanceIAMBindingConditionArgs

type TunnelInstanceIAMBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelInstanceIAMBindingConditionArgs) ElementType

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutput

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutputWithContext

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutput

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionInput

type TunnelInstanceIAMBindingConditionInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput
	ToTunnelInstanceIAMBindingConditionOutputWithContext(context.Context) TunnelInstanceIAMBindingConditionOutput
}

TunnelInstanceIAMBindingConditionInput is an input type that accepts TunnelInstanceIAMBindingConditionArgs and TunnelInstanceIAMBindingConditionOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingConditionInput` via:

TunnelInstanceIAMBindingConditionArgs{...}

type TunnelInstanceIAMBindingConditionOutput

type TunnelInstanceIAMBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMBindingConditionOutput) ElementType

func (TunnelInstanceIAMBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutput

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutputWithContext

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutput

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionPtrInput

type TunnelInstanceIAMBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput
	ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(context.Context) TunnelInstanceIAMBindingConditionPtrOutput
}

TunnelInstanceIAMBindingConditionPtrInput is an input type that accepts TunnelInstanceIAMBindingConditionArgs, TunnelInstanceIAMBindingConditionPtr and TunnelInstanceIAMBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingConditionPtrInput` via:

        TunnelInstanceIAMBindingConditionArgs{...}

or:

        nil

type TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMBindingConditionPtrOutput) Elem

func (TunnelInstanceIAMBindingConditionPtrOutput) ElementType

func (TunnelInstanceIAMBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutput

func (o TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext

func (o TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingInput

type TunnelInstanceIAMBindingInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput
	ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput
}

type TunnelInstanceIAMBindingMap

type TunnelInstanceIAMBindingMap map[string]TunnelInstanceIAMBindingInput

func (TunnelInstanceIAMBindingMap) ElementType

func (TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutput

func (i TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput

func (TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutputWithContext

func (i TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingMapInput

type TunnelInstanceIAMBindingMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput
	ToTunnelInstanceIAMBindingMapOutputWithContext(context.Context) TunnelInstanceIAMBindingMapOutput
}

TunnelInstanceIAMBindingMapInput is an input type that accepts TunnelInstanceIAMBindingMap and TunnelInstanceIAMBindingMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingMapInput` via:

TunnelInstanceIAMBindingMap{ "key": TunnelInstanceIAMBindingArgs{...} }

type TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingMapOutput) ElementType

func (TunnelInstanceIAMBindingMapOutput) MapIndex

func (TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutput

func (o TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput

func (TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutputWithContext

func (o TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingOutput

type TunnelInstanceIAMBindingOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelInstanceIAMBindingOutput) ElementType

func (TunnelInstanceIAMBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMBindingOutput) Instance

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelInstanceIAMBindingOutput) Role

The role that should be applied. Only one `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutput

func (o TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutputWithContext

func (o TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingOutput) Zone

type TunnelInstanceIAMBindingState

type TunnelInstanceIAMBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	Zone pulumi.StringPtrInput
}

func (TunnelInstanceIAMBindingState) ElementType

type TunnelInstanceIAMMember

type TunnelInstanceIAMMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	Zone pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelInstance Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}

* projects/{{project}}/zones/{{zone}}/instances/{{name}}

* {{project}}/{{zone}}/{{name}}

* {{zone}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMMember

func GetTunnelInstanceIAMMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMMemberState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMMember, error)

GetTunnelInstanceIAMMember gets an existing TunnelInstanceIAMMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMMember

func NewTunnelInstanceIAMMember(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMMemberArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMMember, error)

NewTunnelInstanceIAMMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMMember) ElementType

func (*TunnelInstanceIAMMember) ElementType() reflect.Type

func (*TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutput

func (i *TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput

func (*TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutputWithContext

func (i *TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput

type TunnelInstanceIAMMemberArgs

type TunnelInstanceIAMMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	Zone pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMMember resource.

func (TunnelInstanceIAMMemberArgs) ElementType

type TunnelInstanceIAMMemberArray

type TunnelInstanceIAMMemberArray []TunnelInstanceIAMMemberInput

func (TunnelInstanceIAMMemberArray) ElementType

func (TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutput

func (i TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput

func (TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutputWithContext

func (i TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberArrayInput

type TunnelInstanceIAMMemberArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput
	ToTunnelInstanceIAMMemberArrayOutputWithContext(context.Context) TunnelInstanceIAMMemberArrayOutput
}

TunnelInstanceIAMMemberArrayInput is an input type that accepts TunnelInstanceIAMMemberArray and TunnelInstanceIAMMemberArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberArrayInput` via:

TunnelInstanceIAMMemberArray{ TunnelInstanceIAMMemberArgs{...} }

type TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberArrayOutput) ElementType

func (TunnelInstanceIAMMemberArrayOutput) Index

func (TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutput

func (o TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput

func (TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutputWithContext

func (o TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberCondition

type TunnelInstanceIAMMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelInstanceIAMMemberConditionArgs

type TunnelInstanceIAMMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelInstanceIAMMemberConditionArgs) ElementType

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutput

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutputWithContext

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutput

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionInput

type TunnelInstanceIAMMemberConditionInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput
	ToTunnelInstanceIAMMemberConditionOutputWithContext(context.Context) TunnelInstanceIAMMemberConditionOutput
}

TunnelInstanceIAMMemberConditionInput is an input type that accepts TunnelInstanceIAMMemberConditionArgs and TunnelInstanceIAMMemberConditionOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberConditionInput` via:

TunnelInstanceIAMMemberConditionArgs{...}

type TunnelInstanceIAMMemberConditionOutput

type TunnelInstanceIAMMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMMemberConditionOutput) ElementType

func (TunnelInstanceIAMMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutput

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutputWithContext

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutput

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionPtrInput

type TunnelInstanceIAMMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput
	ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(context.Context) TunnelInstanceIAMMemberConditionPtrOutput
}

TunnelInstanceIAMMemberConditionPtrInput is an input type that accepts TunnelInstanceIAMMemberConditionArgs, TunnelInstanceIAMMemberConditionPtr and TunnelInstanceIAMMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberConditionPtrInput` via:

        TunnelInstanceIAMMemberConditionArgs{...}

or:

        nil

type TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMMemberConditionPtrOutput) Elem

func (TunnelInstanceIAMMemberConditionPtrOutput) ElementType

func (TunnelInstanceIAMMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutput

func (o TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext

func (o TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberInput

type TunnelInstanceIAMMemberInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput
	ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput
}

type TunnelInstanceIAMMemberMap

type TunnelInstanceIAMMemberMap map[string]TunnelInstanceIAMMemberInput

func (TunnelInstanceIAMMemberMap) ElementType

func (TunnelInstanceIAMMemberMap) ElementType() reflect.Type

func (TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutput

func (i TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput

func (TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutputWithContext

func (i TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberMapInput

type TunnelInstanceIAMMemberMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput
	ToTunnelInstanceIAMMemberMapOutputWithContext(context.Context) TunnelInstanceIAMMemberMapOutput
}

TunnelInstanceIAMMemberMapInput is an input type that accepts TunnelInstanceIAMMemberMap and TunnelInstanceIAMMemberMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberMapInput` via:

TunnelInstanceIAMMemberMap{ "key": TunnelInstanceIAMMemberArgs{...} }

type TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberMapOutput) ElementType

func (TunnelInstanceIAMMemberMapOutput) MapIndex

func (TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutput

func (o TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput

func (TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutputWithContext

func (o TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberOutput

type TunnelInstanceIAMMemberOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelInstanceIAMMemberOutput) ElementType

func (TunnelInstanceIAMMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMMemberOutput) Instance

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelInstanceIAMMemberOutput) Role

The role that should be applied. Only one `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutput

func (o TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutputWithContext

func (o TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberOutput) Zone

type TunnelInstanceIAMMemberState

type TunnelInstanceIAMMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	Zone pulumi.StringPtrInput
}

func (TunnelInstanceIAMMemberState) ElementType

type TunnelInstanceIAMPolicy

type TunnelInstanceIAMPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Zone    pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelInstance Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}

* projects/{{project}}/zones/{{zone}}/instances/{{name}}

* {{project}}/{{zone}}/{{name}}

* {{zone}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMPolicy

func GetTunnelInstanceIAMPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMPolicyState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMPolicy, error)

GetTunnelInstanceIAMPolicy gets an existing TunnelInstanceIAMPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMPolicy

func NewTunnelInstanceIAMPolicy(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMPolicy, error)

NewTunnelInstanceIAMPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMPolicy) ElementType

func (*TunnelInstanceIAMPolicy) ElementType() reflect.Type

func (*TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutput

func (i *TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput

func (*TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutputWithContext

func (i *TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput

type TunnelInstanceIAMPolicyArgs

type TunnelInstanceIAMPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Zone    pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMPolicy resource.

func (TunnelInstanceIAMPolicyArgs) ElementType

type TunnelInstanceIAMPolicyArray

type TunnelInstanceIAMPolicyArray []TunnelInstanceIAMPolicyInput

func (TunnelInstanceIAMPolicyArray) ElementType

func (TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutput

func (i TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput

func (TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutputWithContext

func (i TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyArrayInput

type TunnelInstanceIAMPolicyArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput
	ToTunnelInstanceIAMPolicyArrayOutputWithContext(context.Context) TunnelInstanceIAMPolicyArrayOutput
}

TunnelInstanceIAMPolicyArrayInput is an input type that accepts TunnelInstanceIAMPolicyArray and TunnelInstanceIAMPolicyArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMPolicyArrayInput` via:

TunnelInstanceIAMPolicyArray{ TunnelInstanceIAMPolicyArgs{...} }

type TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyArrayOutput) ElementType

func (TunnelInstanceIAMPolicyArrayOutput) Index

func (TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutput

func (o TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput

func (TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutputWithContext

func (o TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyInput

type TunnelInstanceIAMPolicyInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput
	ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput
}

type TunnelInstanceIAMPolicyMap

type TunnelInstanceIAMPolicyMap map[string]TunnelInstanceIAMPolicyInput

func (TunnelInstanceIAMPolicyMap) ElementType

func (TunnelInstanceIAMPolicyMap) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutput

func (i TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput

func (TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutputWithContext

func (i TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyMapInput

type TunnelInstanceIAMPolicyMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput
	ToTunnelInstanceIAMPolicyMapOutputWithContext(context.Context) TunnelInstanceIAMPolicyMapOutput
}

TunnelInstanceIAMPolicyMapInput is an input type that accepts TunnelInstanceIAMPolicyMap and TunnelInstanceIAMPolicyMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMPolicyMapInput` via:

TunnelInstanceIAMPolicyMap{ "key": TunnelInstanceIAMPolicyArgs{...} }

type TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyMapOutput) ElementType

func (TunnelInstanceIAMPolicyMapOutput) MapIndex

func (TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutput

func (o TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput

func (TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutputWithContext

func (o TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyOutput

type TunnelInstanceIAMPolicyOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyOutput) ElementType

func (TunnelInstanceIAMPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMPolicyOutput) Instance

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelInstanceIAMPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutput

func (o TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutputWithContext

func (o TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyOutput) Zone

type TunnelInstanceIAMPolicyState

type TunnelInstanceIAMPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Zone    pulumi.StringPtrInput
}

func (TunnelInstanceIAMPolicyState) ElementType

type WebBackendServiceIamBinding

type WebBackendServiceIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamBinding

func GetWebBackendServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamBindingState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamBinding, error)

GetWebBackendServiceIamBinding gets an existing WebBackendServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamBinding

func NewWebBackendServiceIamBinding(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamBinding, error)

NewWebBackendServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamBinding) ElementType

func (*WebBackendServiceIamBinding) ElementType() reflect.Type

func (*WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutput

func (i *WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput

func (*WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutputWithContext

func (i *WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput

type WebBackendServiceIamBindingArgs

type WebBackendServiceIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamBinding resource.

func (WebBackendServiceIamBindingArgs) ElementType

type WebBackendServiceIamBindingArray

type WebBackendServiceIamBindingArray []WebBackendServiceIamBindingInput

func (WebBackendServiceIamBindingArray) ElementType

func (WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutput

func (i WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput

func (WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutputWithContext

func (i WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingArrayInput

type WebBackendServiceIamBindingArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput
	ToWebBackendServiceIamBindingArrayOutputWithContext(context.Context) WebBackendServiceIamBindingArrayOutput
}

WebBackendServiceIamBindingArrayInput is an input type that accepts WebBackendServiceIamBindingArray and WebBackendServiceIamBindingArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingArrayInput` via:

WebBackendServiceIamBindingArray{ WebBackendServiceIamBindingArgs{...} }

type WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingArrayOutput) ElementType

func (WebBackendServiceIamBindingArrayOutput) Index

func (WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutput

func (o WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput

func (WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutputWithContext

func (o WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingCondition

type WebBackendServiceIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebBackendServiceIamBindingConditionArgs

type WebBackendServiceIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebBackendServiceIamBindingConditionArgs) ElementType

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutput

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutputWithContext

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutput

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutputWithContext

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionInput

type WebBackendServiceIamBindingConditionInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput
	ToWebBackendServiceIamBindingConditionOutputWithContext(context.Context) WebBackendServiceIamBindingConditionOutput
}

WebBackendServiceIamBindingConditionInput is an input type that accepts WebBackendServiceIamBindingConditionArgs and WebBackendServiceIamBindingConditionOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingConditionInput` via:

WebBackendServiceIamBindingConditionArgs{...}

type WebBackendServiceIamBindingConditionOutput

type WebBackendServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamBindingConditionOutput) ElementType

func (WebBackendServiceIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutput

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutputWithContext

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutput

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionPtrInput

type WebBackendServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput
	ToWebBackendServiceIamBindingConditionPtrOutputWithContext(context.Context) WebBackendServiceIamBindingConditionPtrOutput
}

WebBackendServiceIamBindingConditionPtrInput is an input type that accepts WebBackendServiceIamBindingConditionArgs, WebBackendServiceIamBindingConditionPtr and WebBackendServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingConditionPtrInput` via:

        WebBackendServiceIamBindingConditionArgs{...}

or:

        nil

type WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamBindingConditionPtrOutput) Elem

func (WebBackendServiceIamBindingConditionPtrOutput) ElementType

func (WebBackendServiceIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutput

func (o WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext

func (o WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingInput

type WebBackendServiceIamBindingInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput
	ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput
}

type WebBackendServiceIamBindingMap

type WebBackendServiceIamBindingMap map[string]WebBackendServiceIamBindingInput

func (WebBackendServiceIamBindingMap) ElementType

func (WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutput

func (i WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput

func (WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutputWithContext

func (i WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingMapInput

type WebBackendServiceIamBindingMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput
	ToWebBackendServiceIamBindingMapOutputWithContext(context.Context) WebBackendServiceIamBindingMapOutput
}

WebBackendServiceIamBindingMapInput is an input type that accepts WebBackendServiceIamBindingMap and WebBackendServiceIamBindingMapOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingMapInput` via:

WebBackendServiceIamBindingMap{ "key": WebBackendServiceIamBindingArgs{...} }

type WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingMapOutput) ElementType

func (WebBackendServiceIamBindingMapOutput) MapIndex

func (WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutput

func (o WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput

func (WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutputWithContext

func (o WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingOutput

type WebBackendServiceIamBindingOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebBackendServiceIamBindingOutput) ElementType

func (WebBackendServiceIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebBackendServiceIamBindingOutput) Role

The role that should be applied. Only one `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutput

func (o WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutputWithContext

func (o WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingOutput) WebBackendService

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamBindingState

type WebBackendServiceIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamBindingState) ElementType

type WebBackendServiceIamMember

type WebBackendServiceIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamMember

func GetWebBackendServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamMemberState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamMember, error)

GetWebBackendServiceIamMember gets an existing WebBackendServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamMember

func NewWebBackendServiceIamMember(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamMember, error)

NewWebBackendServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamMember) ElementType

func (*WebBackendServiceIamMember) ElementType() reflect.Type

func (*WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutput

func (i *WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput

func (*WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutputWithContext

func (i *WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput

type WebBackendServiceIamMemberArgs

type WebBackendServiceIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamMember resource.

func (WebBackendServiceIamMemberArgs) ElementType

type WebBackendServiceIamMemberArray

type WebBackendServiceIamMemberArray []WebBackendServiceIamMemberInput

func (WebBackendServiceIamMemberArray) ElementType

func (WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutput

func (i WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput

func (WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutputWithContext

func (i WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberArrayInput

type WebBackendServiceIamMemberArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput
	ToWebBackendServiceIamMemberArrayOutputWithContext(context.Context) WebBackendServiceIamMemberArrayOutput
}

WebBackendServiceIamMemberArrayInput is an input type that accepts WebBackendServiceIamMemberArray and WebBackendServiceIamMemberArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberArrayInput` via:

WebBackendServiceIamMemberArray{ WebBackendServiceIamMemberArgs{...} }

type WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberArrayOutput) ElementType

func (WebBackendServiceIamMemberArrayOutput) Index

func (WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutput

func (o WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput

func (WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutputWithContext

func (o WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberCondition

type WebBackendServiceIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebBackendServiceIamMemberConditionArgs

type WebBackendServiceIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebBackendServiceIamMemberConditionArgs) ElementType

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutput

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutputWithContext

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutput

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutputWithContext

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionInput

type WebBackendServiceIamMemberConditionInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput
	ToWebBackendServiceIamMemberConditionOutputWithContext(context.Context) WebBackendServiceIamMemberConditionOutput
}

WebBackendServiceIamMemberConditionInput is an input type that accepts WebBackendServiceIamMemberConditionArgs and WebBackendServiceIamMemberConditionOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberConditionInput` via:

WebBackendServiceIamMemberConditionArgs{...}

type WebBackendServiceIamMemberConditionOutput

type WebBackendServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamMemberConditionOutput) ElementType

func (WebBackendServiceIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutput

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutputWithContext

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutput

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionPtrInput

type WebBackendServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput
	ToWebBackendServiceIamMemberConditionPtrOutputWithContext(context.Context) WebBackendServiceIamMemberConditionPtrOutput
}

WebBackendServiceIamMemberConditionPtrInput is an input type that accepts WebBackendServiceIamMemberConditionArgs, WebBackendServiceIamMemberConditionPtr and WebBackendServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberConditionPtrInput` via:

        WebBackendServiceIamMemberConditionArgs{...}

or:

        nil

type WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamMemberConditionPtrOutput) Elem

func (WebBackendServiceIamMemberConditionPtrOutput) ElementType

func (WebBackendServiceIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutput

func (o WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext

func (o WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberInput

type WebBackendServiceIamMemberInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput
	ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput
}

type WebBackendServiceIamMemberMap

type WebBackendServiceIamMemberMap map[string]WebBackendServiceIamMemberInput

func (WebBackendServiceIamMemberMap) ElementType

func (WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutput

func (i WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput

func (WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutputWithContext

func (i WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberMapInput

type WebBackendServiceIamMemberMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput
	ToWebBackendServiceIamMemberMapOutputWithContext(context.Context) WebBackendServiceIamMemberMapOutput
}

WebBackendServiceIamMemberMapInput is an input type that accepts WebBackendServiceIamMemberMap and WebBackendServiceIamMemberMapOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberMapInput` via:

WebBackendServiceIamMemberMap{ "key": WebBackendServiceIamMemberArgs{...} }

type WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberMapOutput) ElementType

func (WebBackendServiceIamMemberMapOutput) MapIndex

func (WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutput

func (o WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput

func (WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutputWithContext

func (o WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberOutput

type WebBackendServiceIamMemberOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebBackendServiceIamMemberOutput) ElementType

func (WebBackendServiceIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebBackendServiceIamMemberOutput) Role

The role that should be applied. Only one `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutput

func (o WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutputWithContext

func (o WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberOutput) WebBackendService

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamMemberState

type WebBackendServiceIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamMemberState) ElementType

type WebBackendServiceIamPolicy

type WebBackendServiceIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamPolicy

func GetWebBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamPolicyState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamPolicy, error)

GetWebBackendServiceIamPolicy gets an existing WebBackendServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamPolicy

func NewWebBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamPolicy, error)

NewWebBackendServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamPolicy) ElementType

func (*WebBackendServiceIamPolicy) ElementType() reflect.Type

func (*WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutput

func (i *WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput

func (*WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutputWithContext

func (i *WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput

type WebBackendServiceIamPolicyArgs

type WebBackendServiceIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamPolicy resource.

func (WebBackendServiceIamPolicyArgs) ElementType

type WebBackendServiceIamPolicyArray

type WebBackendServiceIamPolicyArray []WebBackendServiceIamPolicyInput

func (WebBackendServiceIamPolicyArray) ElementType

func (WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutput

func (i WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput

func (WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutputWithContext

func (i WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyArrayInput

type WebBackendServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput
	ToWebBackendServiceIamPolicyArrayOutputWithContext(context.Context) WebBackendServiceIamPolicyArrayOutput
}

WebBackendServiceIamPolicyArrayInput is an input type that accepts WebBackendServiceIamPolicyArray and WebBackendServiceIamPolicyArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamPolicyArrayInput` via:

WebBackendServiceIamPolicyArray{ WebBackendServiceIamPolicyArgs{...} }

type WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyArrayOutput) ElementType

func (WebBackendServiceIamPolicyArrayOutput) Index

func (WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutput

func (o WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput

func (WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutputWithContext

func (o WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyInput

type WebBackendServiceIamPolicyInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput
	ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput
}

type WebBackendServiceIamPolicyMap

type WebBackendServiceIamPolicyMap map[string]WebBackendServiceIamPolicyInput

func (WebBackendServiceIamPolicyMap) ElementType

func (WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutput

func (i WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput

func (WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutputWithContext

func (i WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyMapInput

type WebBackendServiceIamPolicyMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput
	ToWebBackendServiceIamPolicyMapOutputWithContext(context.Context) WebBackendServiceIamPolicyMapOutput
}

WebBackendServiceIamPolicyMapInput is an input type that accepts WebBackendServiceIamPolicyMap and WebBackendServiceIamPolicyMapOutput values. You can construct a concrete instance of `WebBackendServiceIamPolicyMapInput` via:

WebBackendServiceIamPolicyMap{ "key": WebBackendServiceIamPolicyArgs{...} }

type WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyMapOutput) ElementType

func (WebBackendServiceIamPolicyMapOutput) MapIndex

func (WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutput

func (o WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput

func (WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutputWithContext

func (o WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyOutput

type WebBackendServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyOutput) ElementType

func (WebBackendServiceIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebBackendServiceIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutput

func (o WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutputWithContext

func (o WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyOutput) WebBackendService

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamPolicyState

type WebBackendServiceIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamPolicyState) ElementType

type WebIamBinding

type WebIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Web Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webIamBinding:WebIamBinding editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webIamBinding:WebIamBinding editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webIamBinding:WebIamBinding editor projects/{{project}}/iap_web ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamBinding

func GetWebIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamBindingState, opts ...pulumi.ResourceOption) (*WebIamBinding, error)

GetWebIamBinding gets an existing WebIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamBinding

func NewWebIamBinding(ctx *pulumi.Context,
	name string, args *WebIamBindingArgs, opts ...pulumi.ResourceOption) (*WebIamBinding, error)

NewWebIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebIamBinding) ElementType

func (*WebIamBinding) ElementType() reflect.Type

func (*WebIamBinding) ToWebIamBindingOutput

func (i *WebIamBinding) ToWebIamBindingOutput() WebIamBindingOutput

func (*WebIamBinding) ToWebIamBindingOutputWithContext

func (i *WebIamBinding) ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput

type WebIamBindingArgs

type WebIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebIamBinding resource.

func (WebIamBindingArgs) ElementType

func (WebIamBindingArgs) ElementType() reflect.Type

type WebIamBindingArray

type WebIamBindingArray []WebIamBindingInput

func (WebIamBindingArray) ElementType

func (WebIamBindingArray) ElementType() reflect.Type

func (WebIamBindingArray) ToWebIamBindingArrayOutput

func (i WebIamBindingArray) ToWebIamBindingArrayOutput() WebIamBindingArrayOutput

func (WebIamBindingArray) ToWebIamBindingArrayOutputWithContext

func (i WebIamBindingArray) ToWebIamBindingArrayOutputWithContext(ctx context.Context) WebIamBindingArrayOutput

type WebIamBindingArrayInput

type WebIamBindingArrayInput interface {
	pulumi.Input

	ToWebIamBindingArrayOutput() WebIamBindingArrayOutput
	ToWebIamBindingArrayOutputWithContext(context.Context) WebIamBindingArrayOutput
}

WebIamBindingArrayInput is an input type that accepts WebIamBindingArray and WebIamBindingArrayOutput values. You can construct a concrete instance of `WebIamBindingArrayInput` via:

WebIamBindingArray{ WebIamBindingArgs{...} }

type WebIamBindingArrayOutput

type WebIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebIamBindingArrayOutput) ElementType

func (WebIamBindingArrayOutput) ElementType() reflect.Type

func (WebIamBindingArrayOutput) Index

func (WebIamBindingArrayOutput) ToWebIamBindingArrayOutput

func (o WebIamBindingArrayOutput) ToWebIamBindingArrayOutput() WebIamBindingArrayOutput

func (WebIamBindingArrayOutput) ToWebIamBindingArrayOutputWithContext

func (o WebIamBindingArrayOutput) ToWebIamBindingArrayOutputWithContext(ctx context.Context) WebIamBindingArrayOutput

type WebIamBindingCondition

type WebIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebIamBindingConditionArgs

type WebIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebIamBindingConditionArgs) ElementType

func (WebIamBindingConditionArgs) ElementType() reflect.Type

func (WebIamBindingConditionArgs) ToWebIamBindingConditionOutput

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionOutput() WebIamBindingConditionOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionOutputWithContext

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionOutputWithContext(ctx context.Context) WebIamBindingConditionOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutput

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutputWithContext

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingConditionInput

type WebIamBindingConditionInput interface {
	pulumi.Input

	ToWebIamBindingConditionOutput() WebIamBindingConditionOutput
	ToWebIamBindingConditionOutputWithContext(context.Context) WebIamBindingConditionOutput
}

WebIamBindingConditionInput is an input type that accepts WebIamBindingConditionArgs and WebIamBindingConditionOutput values. You can construct a concrete instance of `WebIamBindingConditionInput` via:

WebIamBindingConditionArgs{...}

type WebIamBindingConditionOutput

type WebIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamBindingConditionOutput) ElementType

func (WebIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamBindingConditionOutput) ToWebIamBindingConditionOutput

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionOutput() WebIamBindingConditionOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionOutputWithContext

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionOutputWithContext(ctx context.Context) WebIamBindingConditionOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutput

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutputWithContext

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingConditionPtrInput

type WebIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput
	ToWebIamBindingConditionPtrOutputWithContext(context.Context) WebIamBindingConditionPtrOutput
}

WebIamBindingConditionPtrInput is an input type that accepts WebIamBindingConditionArgs, WebIamBindingConditionPtr and WebIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebIamBindingConditionPtrInput` via:

        WebIamBindingConditionArgs{...}

or:

        nil

type WebIamBindingConditionPtrOutput

type WebIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamBindingConditionPtrOutput) Elem

func (WebIamBindingConditionPtrOutput) ElementType

func (WebIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutput

func (o WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutputWithContext

func (o WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingInput

type WebIamBindingInput interface {
	pulumi.Input

	ToWebIamBindingOutput() WebIamBindingOutput
	ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput
}

type WebIamBindingMap

type WebIamBindingMap map[string]WebIamBindingInput

func (WebIamBindingMap) ElementType

func (WebIamBindingMap) ElementType() reflect.Type

func (WebIamBindingMap) ToWebIamBindingMapOutput

func (i WebIamBindingMap) ToWebIamBindingMapOutput() WebIamBindingMapOutput

func (WebIamBindingMap) ToWebIamBindingMapOutputWithContext

func (i WebIamBindingMap) ToWebIamBindingMapOutputWithContext(ctx context.Context) WebIamBindingMapOutput

type WebIamBindingMapInput

type WebIamBindingMapInput interface {
	pulumi.Input

	ToWebIamBindingMapOutput() WebIamBindingMapOutput
	ToWebIamBindingMapOutputWithContext(context.Context) WebIamBindingMapOutput
}

WebIamBindingMapInput is an input type that accepts WebIamBindingMap and WebIamBindingMapOutput values. You can construct a concrete instance of `WebIamBindingMapInput` via:

WebIamBindingMap{ "key": WebIamBindingArgs{...} }

type WebIamBindingMapOutput

type WebIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebIamBindingMapOutput) ElementType

func (WebIamBindingMapOutput) ElementType() reflect.Type

func (WebIamBindingMapOutput) MapIndex

func (WebIamBindingMapOutput) ToWebIamBindingMapOutput

func (o WebIamBindingMapOutput) ToWebIamBindingMapOutput() WebIamBindingMapOutput

func (WebIamBindingMapOutput) ToWebIamBindingMapOutputWithContext

func (o WebIamBindingMapOutput) ToWebIamBindingMapOutputWithContext(ctx context.Context) WebIamBindingMapOutput

type WebIamBindingOutput

type WebIamBindingOutput struct{ *pulumi.OutputState }

func (WebIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebIamBindingOutput) ElementType

func (WebIamBindingOutput) ElementType() reflect.Type

func (WebIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (WebIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebIamBindingOutput) Role

The role that should be applied. Only one `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebIamBindingOutput) ToWebIamBindingOutput

func (o WebIamBindingOutput) ToWebIamBindingOutput() WebIamBindingOutput

func (WebIamBindingOutput) ToWebIamBindingOutputWithContext

func (o WebIamBindingOutput) ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput

type WebIamBindingState

type WebIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebIamBindingState) ElementType

func (WebIamBindingState) ElementType() reflect.Type

type WebIamMember

type WebIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Web Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webIamMember:WebIamMember editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webIamMember:WebIamMember editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webIamMember:WebIamMember editor projects/{{project}}/iap_web ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamMember

func GetWebIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamMemberState, opts ...pulumi.ResourceOption) (*WebIamMember, error)

GetWebIamMember gets an existing WebIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamMember

func NewWebIamMember(ctx *pulumi.Context,
	name string, args *WebIamMemberArgs, opts ...pulumi.ResourceOption) (*WebIamMember, error)

NewWebIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebIamMember) ElementType

func (*WebIamMember) ElementType() reflect.Type

func (*WebIamMember) ToWebIamMemberOutput

func (i *WebIamMember) ToWebIamMemberOutput() WebIamMemberOutput

func (*WebIamMember) ToWebIamMemberOutputWithContext

func (i *WebIamMember) ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput

type WebIamMemberArgs

type WebIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebIamMember resource.

func (WebIamMemberArgs) ElementType

func (WebIamMemberArgs) ElementType() reflect.Type

type WebIamMemberArray

type WebIamMemberArray []WebIamMemberInput

func (WebIamMemberArray) ElementType

func (WebIamMemberArray) ElementType() reflect.Type

func (WebIamMemberArray) ToWebIamMemberArrayOutput

func (i WebIamMemberArray) ToWebIamMemberArrayOutput() WebIamMemberArrayOutput

func (WebIamMemberArray) ToWebIamMemberArrayOutputWithContext

func (i WebIamMemberArray) ToWebIamMemberArrayOutputWithContext(ctx context.Context) WebIamMemberArrayOutput

type WebIamMemberArrayInput

type WebIamMemberArrayInput interface {
	pulumi.Input

	ToWebIamMemberArrayOutput() WebIamMemberArrayOutput
	ToWebIamMemberArrayOutputWithContext(context.Context) WebIamMemberArrayOutput
}

WebIamMemberArrayInput is an input type that accepts WebIamMemberArray and WebIamMemberArrayOutput values. You can construct a concrete instance of `WebIamMemberArrayInput` via:

WebIamMemberArray{ WebIamMemberArgs{...} }

type WebIamMemberArrayOutput

type WebIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebIamMemberArrayOutput) ElementType

func (WebIamMemberArrayOutput) ElementType() reflect.Type

func (WebIamMemberArrayOutput) Index

func (WebIamMemberArrayOutput) ToWebIamMemberArrayOutput

func (o WebIamMemberArrayOutput) ToWebIamMemberArrayOutput() WebIamMemberArrayOutput

func (WebIamMemberArrayOutput) ToWebIamMemberArrayOutputWithContext

func (o WebIamMemberArrayOutput) ToWebIamMemberArrayOutputWithContext(ctx context.Context) WebIamMemberArrayOutput

type WebIamMemberCondition

type WebIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebIamMemberConditionArgs

type WebIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebIamMemberConditionArgs) ElementType

func (WebIamMemberConditionArgs) ElementType() reflect.Type

func (WebIamMemberConditionArgs) ToWebIamMemberConditionOutput

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionOutput() WebIamMemberConditionOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionOutputWithContext

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionOutputWithContext(ctx context.Context) WebIamMemberConditionOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutput

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutputWithContext

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberConditionInput

type WebIamMemberConditionInput interface {
	pulumi.Input

	ToWebIamMemberConditionOutput() WebIamMemberConditionOutput
	ToWebIamMemberConditionOutputWithContext(context.Context) WebIamMemberConditionOutput
}

WebIamMemberConditionInput is an input type that accepts WebIamMemberConditionArgs and WebIamMemberConditionOutput values. You can construct a concrete instance of `WebIamMemberConditionInput` via:

WebIamMemberConditionArgs{...}

type WebIamMemberConditionOutput

type WebIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamMemberConditionOutput) ElementType

func (WebIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamMemberConditionOutput) ToWebIamMemberConditionOutput

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionOutput() WebIamMemberConditionOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionOutputWithContext

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionOutputWithContext(ctx context.Context) WebIamMemberConditionOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutput

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutputWithContext

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberConditionPtrInput

type WebIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput
	ToWebIamMemberConditionPtrOutputWithContext(context.Context) WebIamMemberConditionPtrOutput
}

WebIamMemberConditionPtrInput is an input type that accepts WebIamMemberConditionArgs, WebIamMemberConditionPtr and WebIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebIamMemberConditionPtrInput` via:

        WebIamMemberConditionArgs{...}

or:

        nil

type WebIamMemberConditionPtrOutput

type WebIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamMemberConditionPtrOutput) Elem

func (WebIamMemberConditionPtrOutput) ElementType

func (WebIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutput

func (o WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutputWithContext

func (o WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberInput

type WebIamMemberInput interface {
	pulumi.Input

	ToWebIamMemberOutput() WebIamMemberOutput
	ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput
}

type WebIamMemberMap

type WebIamMemberMap map[string]WebIamMemberInput

func (WebIamMemberMap) ElementType

func (WebIamMemberMap) ElementType() reflect.Type

func (WebIamMemberMap) ToWebIamMemberMapOutput

func (i WebIamMemberMap) ToWebIamMemberMapOutput() WebIamMemberMapOutput

func (WebIamMemberMap) ToWebIamMemberMapOutputWithContext

func (i WebIamMemberMap) ToWebIamMemberMapOutputWithContext(ctx context.Context) WebIamMemberMapOutput

type WebIamMemberMapInput

type WebIamMemberMapInput interface {
	pulumi.Input

	ToWebIamMemberMapOutput() WebIamMemberMapOutput
	ToWebIamMemberMapOutputWithContext(context.Context) WebIamMemberMapOutput
}

WebIamMemberMapInput is an input type that accepts WebIamMemberMap and WebIamMemberMapOutput values. You can construct a concrete instance of `WebIamMemberMapInput` via:

WebIamMemberMap{ "key": WebIamMemberArgs{...} }

type WebIamMemberMapOutput

type WebIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebIamMemberMapOutput) ElementType

func (WebIamMemberMapOutput) ElementType() reflect.Type

func (WebIamMemberMapOutput) MapIndex

func (WebIamMemberMapOutput) ToWebIamMemberMapOutput

func (o WebIamMemberMapOutput) ToWebIamMemberMapOutput() WebIamMemberMapOutput

func (WebIamMemberMapOutput) ToWebIamMemberMapOutputWithContext

func (o WebIamMemberMapOutput) ToWebIamMemberMapOutputWithContext(ctx context.Context) WebIamMemberMapOutput

type WebIamMemberOutput

type WebIamMemberOutput struct{ *pulumi.OutputState }

func (WebIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebIamMemberOutput) ElementType

func (WebIamMemberOutput) ElementType() reflect.Type

func (WebIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (WebIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebIamMemberOutput) Role

The role that should be applied. Only one `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebIamMemberOutput) ToWebIamMemberOutput

func (o WebIamMemberOutput) ToWebIamMemberOutput() WebIamMemberOutput

func (WebIamMemberOutput) ToWebIamMemberOutputWithContext

func (o WebIamMemberOutput) ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput

type WebIamMemberState

type WebIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebIamMemberState) ElementType

func (WebIamMemberState) ElementType() reflect.Type

type WebIamPolicy

type WebIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Web Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor projects/{{project}}/iap_web ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamPolicy

func GetWebIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamPolicyState, opts ...pulumi.ResourceOption) (*WebIamPolicy, error)

GetWebIamPolicy gets an existing WebIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamPolicy

func NewWebIamPolicy(ctx *pulumi.Context,
	name string, args *WebIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebIamPolicy, error)

NewWebIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebIamPolicy) ElementType

func (*WebIamPolicy) ElementType() reflect.Type

func (*WebIamPolicy) ToWebIamPolicyOutput

func (i *WebIamPolicy) ToWebIamPolicyOutput() WebIamPolicyOutput

func (*WebIamPolicy) ToWebIamPolicyOutputWithContext

func (i *WebIamPolicy) ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput

type WebIamPolicyArgs

type WebIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebIamPolicy resource.

func (WebIamPolicyArgs) ElementType

func (WebIamPolicyArgs) ElementType() reflect.Type

type WebIamPolicyArray

type WebIamPolicyArray []WebIamPolicyInput

func (WebIamPolicyArray) ElementType

func (WebIamPolicyArray) ElementType() reflect.Type

func (WebIamPolicyArray) ToWebIamPolicyArrayOutput

func (i WebIamPolicyArray) ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput

func (WebIamPolicyArray) ToWebIamPolicyArrayOutputWithContext

func (i WebIamPolicyArray) ToWebIamPolicyArrayOutputWithContext(ctx context.Context) WebIamPolicyArrayOutput

type WebIamPolicyArrayInput

type WebIamPolicyArrayInput interface {
	pulumi.Input

	ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput
	ToWebIamPolicyArrayOutputWithContext(context.Context) WebIamPolicyArrayOutput
}

WebIamPolicyArrayInput is an input type that accepts WebIamPolicyArray and WebIamPolicyArrayOutput values. You can construct a concrete instance of `WebIamPolicyArrayInput` via:

WebIamPolicyArray{ WebIamPolicyArgs{...} }

type WebIamPolicyArrayOutput

type WebIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebIamPolicyArrayOutput) ElementType

func (WebIamPolicyArrayOutput) ElementType() reflect.Type

func (WebIamPolicyArrayOutput) Index

func (WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutput

func (o WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput

func (WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutputWithContext

func (o WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutputWithContext(ctx context.Context) WebIamPolicyArrayOutput

type WebIamPolicyInput

type WebIamPolicyInput interface {
	pulumi.Input

	ToWebIamPolicyOutput() WebIamPolicyOutput
	ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput
}

type WebIamPolicyMap

type WebIamPolicyMap map[string]WebIamPolicyInput

func (WebIamPolicyMap) ElementType

func (WebIamPolicyMap) ElementType() reflect.Type

func (WebIamPolicyMap) ToWebIamPolicyMapOutput

func (i WebIamPolicyMap) ToWebIamPolicyMapOutput() WebIamPolicyMapOutput

func (WebIamPolicyMap) ToWebIamPolicyMapOutputWithContext

func (i WebIamPolicyMap) ToWebIamPolicyMapOutputWithContext(ctx context.Context) WebIamPolicyMapOutput

type WebIamPolicyMapInput

type WebIamPolicyMapInput interface {
	pulumi.Input

	ToWebIamPolicyMapOutput() WebIamPolicyMapOutput
	ToWebIamPolicyMapOutputWithContext(context.Context) WebIamPolicyMapOutput
}

WebIamPolicyMapInput is an input type that accepts WebIamPolicyMap and WebIamPolicyMapOutput values. You can construct a concrete instance of `WebIamPolicyMapInput` via:

WebIamPolicyMap{ "key": WebIamPolicyArgs{...} }

type WebIamPolicyMapOutput

type WebIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebIamPolicyMapOutput) ElementType

func (WebIamPolicyMapOutput) ElementType() reflect.Type

func (WebIamPolicyMapOutput) MapIndex

func (WebIamPolicyMapOutput) ToWebIamPolicyMapOutput

func (o WebIamPolicyMapOutput) ToWebIamPolicyMapOutput() WebIamPolicyMapOutput

func (WebIamPolicyMapOutput) ToWebIamPolicyMapOutputWithContext

func (o WebIamPolicyMapOutput) ToWebIamPolicyMapOutputWithContext(ctx context.Context) WebIamPolicyMapOutput

type WebIamPolicyOutput

type WebIamPolicyOutput struct{ *pulumi.OutputState }

func (WebIamPolicyOutput) ElementType

func (WebIamPolicyOutput) ElementType() reflect.Type

func (WebIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (WebIamPolicyOutput) PolicyData

func (o WebIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebIamPolicyOutput) ToWebIamPolicyOutput

func (o WebIamPolicyOutput) ToWebIamPolicyOutput() WebIamPolicyOutput

func (WebIamPolicyOutput) ToWebIamPolicyOutputWithContext

func (o WebIamPolicyOutput) ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput

type WebIamPolicyState

type WebIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (WebIamPolicyState) ElementType

func (WebIamPolicyState) ElementType() reflect.Type

type WebRegionBackendServiceIamBinding

type WebRegionBackendServiceIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Region  pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringOutput `pulumi:"webRegionBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebRegionBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}

* {{project}}/{{region}}/{{name}}

* {{region}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webregionbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamBinding:WebRegionBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamBinding:WebRegionBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamBinding:WebRegionBackendServiceIamBinding editor projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebRegionBackendServiceIamBinding

func GetWebRegionBackendServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebRegionBackendServiceIamBindingState, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamBinding, error)

GetWebRegionBackendServiceIamBinding gets an existing WebRegionBackendServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebRegionBackendServiceIamBinding

func NewWebRegionBackendServiceIamBinding(ctx *pulumi.Context,
	name string, args *WebRegionBackendServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamBinding, error)

NewWebRegionBackendServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebRegionBackendServiceIamBinding) ElementType

func (*WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutput

func (i *WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutput() WebRegionBackendServiceIamBindingOutput

func (*WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutputWithContext

func (i *WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingOutput

type WebRegionBackendServiceIamBindingArgs

type WebRegionBackendServiceIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput
}

The set of arguments for constructing a WebRegionBackendServiceIamBinding resource.

func (WebRegionBackendServiceIamBindingArgs) ElementType

type WebRegionBackendServiceIamBindingArray

type WebRegionBackendServiceIamBindingArray []WebRegionBackendServiceIamBindingInput

func (WebRegionBackendServiceIamBindingArray) ElementType

func (WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutput

func (i WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutput() WebRegionBackendServiceIamBindingArrayOutput

func (WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutputWithContext

func (i WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingArrayOutput

type WebRegionBackendServiceIamBindingArrayInput

type WebRegionBackendServiceIamBindingArrayInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingArrayOutput() WebRegionBackendServiceIamBindingArrayOutput
	ToWebRegionBackendServiceIamBindingArrayOutputWithContext(context.Context) WebRegionBackendServiceIamBindingArrayOutput
}

WebRegionBackendServiceIamBindingArrayInput is an input type that accepts WebRegionBackendServiceIamBindingArray and WebRegionBackendServiceIamBindingArrayOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingArrayInput` via:

WebRegionBackendServiceIamBindingArray{ WebRegionBackendServiceIamBindingArgs{...} }

type WebRegionBackendServiceIamBindingArrayOutput

type WebRegionBackendServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingArrayOutput) ElementType

func (WebRegionBackendServiceIamBindingArrayOutput) Index

func (WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutput

func (o WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutput() WebRegionBackendServiceIamBindingArrayOutput

func (WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutputWithContext

func (o WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingArrayOutput

type WebRegionBackendServiceIamBindingCondition

type WebRegionBackendServiceIamBindingCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebRegionBackendServiceIamBindingConditionArgs

type WebRegionBackendServiceIamBindingConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebRegionBackendServiceIamBindingConditionArgs) ElementType

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutput

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutput() WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutputWithContext

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutput

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingConditionInput

type WebRegionBackendServiceIamBindingConditionInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingConditionOutput() WebRegionBackendServiceIamBindingConditionOutput
	ToWebRegionBackendServiceIamBindingConditionOutputWithContext(context.Context) WebRegionBackendServiceIamBindingConditionOutput
}

WebRegionBackendServiceIamBindingConditionInput is an input type that accepts WebRegionBackendServiceIamBindingConditionArgs and WebRegionBackendServiceIamBindingConditionOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingConditionInput` via:

WebRegionBackendServiceIamBindingConditionArgs{...}

type WebRegionBackendServiceIamBindingConditionOutput

type WebRegionBackendServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingConditionOutput) Description

func (WebRegionBackendServiceIamBindingConditionOutput) ElementType

func (WebRegionBackendServiceIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutput

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutput() WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutputWithContext

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingConditionPtrInput

type WebRegionBackendServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput
	ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput
}

WebRegionBackendServiceIamBindingConditionPtrInput is an input type that accepts WebRegionBackendServiceIamBindingConditionArgs, WebRegionBackendServiceIamBindingConditionPtr and WebRegionBackendServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingConditionPtrInput` via:

        WebRegionBackendServiceIamBindingConditionArgs{...}

or:

        nil

type WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Description

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Elem

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ElementType

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingInput

type WebRegionBackendServiceIamBindingInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingOutput() WebRegionBackendServiceIamBindingOutput
	ToWebRegionBackendServiceIamBindingOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingOutput
}

type WebRegionBackendServiceIamBindingMap

type WebRegionBackendServiceIamBindingMap map[string]WebRegionBackendServiceIamBindingInput

func (WebRegionBackendServiceIamBindingMap) ElementType

func (WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutput

func (i WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutput() WebRegionBackendServiceIamBindingMapOutput

func (WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutputWithContext

func (i WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingMapOutput

type WebRegionBackendServiceIamBindingMapInput

type WebRegionBackendServiceIamBindingMapInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingMapOutput() WebRegionBackendServiceIamBindingMapOutput
	ToWebRegionBackendServiceIamBindingMapOutputWithContext(context.Context) WebRegionBackendServiceIamBindingMapOutput
}

WebRegionBackendServiceIamBindingMapInput is an input type that accepts WebRegionBackendServiceIamBindingMap and WebRegionBackendServiceIamBindingMapOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingMapInput` via:

WebRegionBackendServiceIamBindingMap{ "key": WebRegionBackendServiceIamBindingArgs{...} }

type WebRegionBackendServiceIamBindingMapOutput

type WebRegionBackendServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingMapOutput) ElementType

func (WebRegionBackendServiceIamBindingMapOutput) MapIndex

func (WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutput

func (o WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutput() WebRegionBackendServiceIamBindingMapOutput

func (WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutputWithContext

func (o WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingMapOutput

type WebRegionBackendServiceIamBindingOutput

type WebRegionBackendServiceIamBindingOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebRegionBackendServiceIamBindingOutput) ElementType

func (WebRegionBackendServiceIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (WebRegionBackendServiceIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebRegionBackendServiceIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebRegionBackendServiceIamBindingOutput) Region

func (WebRegionBackendServiceIamBindingOutput) Role

The role that should be applied. Only one `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutput

func (o WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutput() WebRegionBackendServiceIamBindingOutput

func (WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutputWithContext

func (o WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingOutput

func (WebRegionBackendServiceIamBindingOutput) WebRegionBackendService

func (o WebRegionBackendServiceIamBindingOutput) WebRegionBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebRegionBackendServiceIamBindingState

type WebRegionBackendServiceIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringPtrInput
}

func (WebRegionBackendServiceIamBindingState) ElementType

type WebRegionBackendServiceIamMember

type WebRegionBackendServiceIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Region  pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringOutput `pulumi:"webRegionBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebRegionBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}

* {{project}}/{{region}}/{{name}}

* {{region}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webregionbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamMember:WebRegionBackendServiceIamMember editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamMember:WebRegionBackendServiceIamMember editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamMember:WebRegionBackendServiceIamMember editor projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebRegionBackendServiceIamMember

func GetWebRegionBackendServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebRegionBackendServiceIamMemberState, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamMember, error)

GetWebRegionBackendServiceIamMember gets an existing WebRegionBackendServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebRegionBackendServiceIamMember

func NewWebRegionBackendServiceIamMember(ctx *pulumi.Context,
	name string, args *WebRegionBackendServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamMember, error)

NewWebRegionBackendServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebRegionBackendServiceIamMember) ElementType

func (*WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutput

func (i *WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutput() WebRegionBackendServiceIamMemberOutput

func (*WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutputWithContext

func (i *WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberOutput

type WebRegionBackendServiceIamMemberArgs

type WebRegionBackendServiceIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput
}

The set of arguments for constructing a WebRegionBackendServiceIamMember resource.

func (WebRegionBackendServiceIamMemberArgs) ElementType

type WebRegionBackendServiceIamMemberArray

type WebRegionBackendServiceIamMemberArray []WebRegionBackendServiceIamMemberInput

func (WebRegionBackendServiceIamMemberArray) ElementType

func (WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutput

func (i WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutput() WebRegionBackendServiceIamMemberArrayOutput

func (WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutputWithContext

func (i WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberArrayOutput

type WebRegionBackendServiceIamMemberArrayInput

type WebRegionBackendServiceIamMemberArrayInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberArrayOutput() WebRegionBackendServiceIamMemberArrayOutput
	ToWebRegionBackendServiceIamMemberArrayOutputWithContext(context.Context) WebRegionBackendServiceIamMemberArrayOutput
}

WebRegionBackendServiceIamMemberArrayInput is an input type that accepts WebRegionBackendServiceIamMemberArray and WebRegionBackendServiceIamMemberArrayOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberArrayInput` via:

WebRegionBackendServiceIamMemberArray{ WebRegionBackendServiceIamMemberArgs{...} }

type WebRegionBackendServiceIamMemberArrayOutput

type WebRegionBackendServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberArrayOutput) ElementType

func (WebRegionBackendServiceIamMemberArrayOutput) Index

func (WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutput

func (o WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutput() WebRegionBackendServiceIamMemberArrayOutput

func (WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutputWithContext

func (o WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberArrayOutput

type WebRegionBackendServiceIamMemberCondition

type WebRegionBackendServiceIamMemberCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebRegionBackendServiceIamMemberConditionArgs

type WebRegionBackendServiceIamMemberConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebRegionBackendServiceIamMemberConditionArgs) ElementType

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutput

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutput() WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutputWithContext

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutput

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberConditionInput

type WebRegionBackendServiceIamMemberConditionInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberConditionOutput() WebRegionBackendServiceIamMemberConditionOutput
	ToWebRegionBackendServiceIamMemberConditionOutputWithContext(context.Context) WebRegionBackendServiceIamMemberConditionOutput
}

WebRegionBackendServiceIamMemberConditionInput is an input type that accepts WebRegionBackendServiceIamMemberConditionArgs and WebRegionBackendServiceIamMemberConditionOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberConditionInput` via:

WebRegionBackendServiceIamMemberConditionArgs{...}

type WebRegionBackendServiceIamMemberConditionOutput

type WebRegionBackendServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberConditionOutput) Description

func (WebRegionBackendServiceIamMemberConditionOutput) ElementType

func (WebRegionBackendServiceIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutput

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutput() WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutputWithContext

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberConditionPtrInput

type WebRegionBackendServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput
	ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput
}

WebRegionBackendServiceIamMemberConditionPtrInput is an input type that accepts WebRegionBackendServiceIamMemberConditionArgs, WebRegionBackendServiceIamMemberConditionPtr and WebRegionBackendServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberConditionPtrInput` via:

        WebRegionBackendServiceIamMemberConditionArgs{...}

or:

        nil

type WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Description

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Elem

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ElementType

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberInput

type WebRegionBackendServiceIamMemberInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberOutput() WebRegionBackendServiceIamMemberOutput
	ToWebRegionBackendServiceIamMemberOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberOutput
}

type WebRegionBackendServiceIamMemberMap

type WebRegionBackendServiceIamMemberMap map[string]WebRegionBackendServiceIamMemberInput

func (WebRegionBackendServiceIamMemberMap) ElementType

func (WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutput

func (i WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutput() WebRegionBackendServiceIamMemberMapOutput

func (WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutputWithContext

func (i WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberMapOutput

type WebRegionBackendServiceIamMemberMapInput

type WebRegionBackendServiceIamMemberMapInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberMapOutput() WebRegionBackendServiceIamMemberMapOutput
	ToWebRegionBackendServiceIamMemberMapOutputWithContext(context.Context) WebRegionBackendServiceIamMemberMapOutput
}

WebRegionBackendServiceIamMemberMapInput is an input type that accepts WebRegionBackendServiceIamMemberMap and WebRegionBackendServiceIamMemberMapOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberMapInput` via:

WebRegionBackendServiceIamMemberMap{ "key": WebRegionBackendServiceIamMemberArgs{...} }

type WebRegionBackendServiceIamMemberMapOutput

type WebRegionBackendServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberMapOutput) ElementType

func (WebRegionBackendServiceIamMemberMapOutput) MapIndex

func (WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutput

func (o WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutput() WebRegionBackendServiceIamMemberMapOutput

func (WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutputWithContext

func (o WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberMapOutput

type WebRegionBackendServiceIamMemberOutput

type WebRegionBackendServiceIamMemberOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebRegionBackendServiceIamMemberOutput) ElementType

func (WebRegionBackendServiceIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (WebRegionBackendServiceIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebRegionBackendServiceIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebRegionBackendServiceIamMemberOutput) Region

func (WebRegionBackendServiceIamMemberOutput) Role

The role that should be applied. Only one `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutput

func (o WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutput() WebRegionBackendServiceIamMemberOutput

func (WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutputWithContext

func (o WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberOutput

func (WebRegionBackendServiceIamMemberOutput) WebRegionBackendService

func (o WebRegionBackendServiceIamMemberOutput) WebRegionBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebRegionBackendServiceIamMemberState

type WebRegionBackendServiceIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringPtrInput
}

func (WebRegionBackendServiceIamMemberState) ElementType

type WebRegionBackendServiceIamPolicy

type WebRegionBackendServiceIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Region  pulumi.StringOutput `pulumi:"region"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringOutput `pulumi:"webRegionBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebRegionBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}

* {{project}}/{{region}}/{{name}}

* {{region}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webregionbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamPolicy:WebRegionBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamPolicy:WebRegionBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamPolicy:WebRegionBackendServiceIamPolicy editor projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebRegionBackendServiceIamPolicy

func GetWebRegionBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebRegionBackendServiceIamPolicyState, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamPolicy, error)

GetWebRegionBackendServiceIamPolicy gets an existing WebRegionBackendServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebRegionBackendServiceIamPolicy

func NewWebRegionBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, args *WebRegionBackendServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamPolicy, error)

NewWebRegionBackendServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebRegionBackendServiceIamPolicy) ElementType

func (*WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutput

func (i *WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutput() WebRegionBackendServiceIamPolicyOutput

func (*WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutputWithContext

func (i *WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyOutput

type WebRegionBackendServiceIamPolicyArgs

type WebRegionBackendServiceIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput
}

The set of arguments for constructing a WebRegionBackendServiceIamPolicy resource.

func (WebRegionBackendServiceIamPolicyArgs) ElementType

type WebRegionBackendServiceIamPolicyArray

type WebRegionBackendServiceIamPolicyArray []WebRegionBackendServiceIamPolicyInput

func (WebRegionBackendServiceIamPolicyArray) ElementType

func (WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutput

func (i WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutput() WebRegionBackendServiceIamPolicyArrayOutput

func (WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext

func (i WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyArrayOutput

type WebRegionBackendServiceIamPolicyArrayInput

type WebRegionBackendServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamPolicyArrayOutput() WebRegionBackendServiceIamPolicyArrayOutput
	ToWebRegionBackendServiceIamPolicyArrayOutputWithContext(context.Context) WebRegionBackendServiceIamPolicyArrayOutput
}

WebRegionBackendServiceIamPolicyArrayInput is an input type that accepts WebRegionBackendServiceIamPolicyArray and WebRegionBackendServiceIamPolicyArrayOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamPolicyArrayInput` via:

WebRegionBackendServiceIamPolicyArray{ WebRegionBackendServiceIamPolicyArgs{...} }

type WebRegionBackendServiceIamPolicyArrayOutput

type WebRegionBackendServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamPolicyArrayOutput) ElementType

func (WebRegionBackendServiceIamPolicyArrayOutput) Index

func (WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutput

func (o WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutput() WebRegionBackendServiceIamPolicyArrayOutput

func (WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext

func (o WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyArrayOutput

type WebRegionBackendServiceIamPolicyInput

type WebRegionBackendServiceIamPolicyInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamPolicyOutput() WebRegionBackendServiceIamPolicyOutput
	ToWebRegionBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyOutput
}

type WebRegionBackendServiceIamPolicyMap

type WebRegionBackendServiceIamPolicyMap map[string]WebRegionBackendServiceIamPolicyInput

func (WebRegionBackendServiceIamPolicyMap) ElementType

func (WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutput

func (i WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutput() WebRegionBackendServiceIamPolicyMapOutput

func (WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutputWithContext

func (i WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyMapOutput

type WebRegionBackendServiceIamPolicyMapInput

type WebRegionBackendServiceIamPolicyMapInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamPolicyMapOutput() WebRegionBackendServiceIamPolicyMapOutput
	ToWebRegionBackendServiceIamPolicyMapOutputWithContext(context.Context) WebRegionBackendServiceIamPolicyMapOutput
}

WebRegionBackendServiceIamPolicyMapInput is an input type that accepts WebRegionBackendServiceIamPolicyMap and WebRegionBackendServiceIamPolicyMapOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamPolicyMapInput` via:

WebRegionBackendServiceIamPolicyMap{ "key": WebRegionBackendServiceIamPolicyArgs{...} }

type WebRegionBackendServiceIamPolicyMapOutput

type WebRegionBackendServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamPolicyMapOutput) ElementType

func (WebRegionBackendServiceIamPolicyMapOutput) MapIndex

func (WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutput

func (o WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutput() WebRegionBackendServiceIamPolicyMapOutput

func (WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutputWithContext

func (o WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyMapOutput

type WebRegionBackendServiceIamPolicyOutput

type WebRegionBackendServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamPolicyOutput) ElementType

func (WebRegionBackendServiceIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (WebRegionBackendServiceIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebRegionBackendServiceIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebRegionBackendServiceIamPolicyOutput) Region

func (WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutput

func (o WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutput() WebRegionBackendServiceIamPolicyOutput

func (WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutputWithContext

func (o WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyOutput

func (WebRegionBackendServiceIamPolicyOutput) WebRegionBackendService

func (o WebRegionBackendServiceIamPolicyOutput) WebRegionBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebRegionBackendServiceIamPolicyState

type WebRegionBackendServiceIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringPtrInput
}

func (WebRegionBackendServiceIamPolicyState) ElementType

type WebTypeAppEngingIamBinding

type WebTypeAppEngingIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeAppEngine Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}

* {{project}}/{{appId}}

* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamBinding

func GetWebTypeAppEngingIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamBindingState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamBinding, error)

GetWebTypeAppEngingIamBinding gets an existing WebTypeAppEngingIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamBinding

func NewWebTypeAppEngingIamBinding(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamBindingArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamBinding, error)

NewWebTypeAppEngingIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamBinding) ElementType

func (*WebTypeAppEngingIamBinding) ElementType() reflect.Type

func (*WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutput

func (i *WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput

func (*WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutputWithContext

func (i *WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingArgs

type WebTypeAppEngingIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeAppEngingIamBinding resource.

func (WebTypeAppEngingIamBindingArgs) ElementType

type WebTypeAppEngingIamBindingArray

type WebTypeAppEngingIamBindingArray []WebTypeAppEngingIamBindingInput

func (WebTypeAppEngingIamBindingArray) ElementType

func (WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutput

func (i WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput

func (WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutputWithContext

func (i WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingArrayInput

type WebTypeAppEngingIamBindingArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput
	ToWebTypeAppEngingIamBindingArrayOutputWithContext(context.Context) WebTypeAppEngingIamBindingArrayOutput
}

WebTypeAppEngingIamBindingArrayInput is an input type that accepts WebTypeAppEngingIamBindingArray and WebTypeAppEngingIamBindingArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingArrayInput` via:

WebTypeAppEngingIamBindingArray{ WebTypeAppEngingIamBindingArgs{...} }

type WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingArrayOutput) ElementType

func (WebTypeAppEngingIamBindingArrayOutput) Index

func (WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutput

func (o WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput

func (WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutputWithContext

func (o WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingCondition

type WebTypeAppEngingIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeAppEngingIamBindingConditionArgs

type WebTypeAppEngingIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeAppEngingIamBindingConditionArgs) ElementType

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutput

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutputWithContext

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutput

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionInput

type WebTypeAppEngingIamBindingConditionInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput
	ToWebTypeAppEngingIamBindingConditionOutputWithContext(context.Context) WebTypeAppEngingIamBindingConditionOutput
}

WebTypeAppEngingIamBindingConditionInput is an input type that accepts WebTypeAppEngingIamBindingConditionArgs and WebTypeAppEngingIamBindingConditionOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingConditionInput` via:

WebTypeAppEngingIamBindingConditionArgs{...}

type WebTypeAppEngingIamBindingConditionOutput

type WebTypeAppEngingIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamBindingConditionOutput) ElementType

func (WebTypeAppEngingIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutput

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutputWithContext

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionPtrInput

type WebTypeAppEngingIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput
	ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(context.Context) WebTypeAppEngingIamBindingConditionPtrOutput
}

WebTypeAppEngingIamBindingConditionPtrInput is an input type that accepts WebTypeAppEngingIamBindingConditionArgs, WebTypeAppEngingIamBindingConditionPtr and WebTypeAppEngingIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingConditionPtrInput` via:

        WebTypeAppEngingIamBindingConditionArgs{...}

or:

        nil

type WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamBindingConditionPtrOutput) Elem

func (WebTypeAppEngingIamBindingConditionPtrOutput) ElementType

func (WebTypeAppEngingIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput

func (o WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext

func (o WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingInput

type WebTypeAppEngingIamBindingInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput
	ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput
}

type WebTypeAppEngingIamBindingMap

type WebTypeAppEngingIamBindingMap map[string]WebTypeAppEngingIamBindingInput

func (WebTypeAppEngingIamBindingMap) ElementType

func (WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutput

func (i WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput

func (WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutputWithContext

func (i WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingMapInput

type WebTypeAppEngingIamBindingMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput
	ToWebTypeAppEngingIamBindingMapOutputWithContext(context.Context) WebTypeAppEngingIamBindingMapOutput
}

WebTypeAppEngingIamBindingMapInput is an input type that accepts WebTypeAppEngingIamBindingMap and WebTypeAppEngingIamBindingMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingMapInput` via:

WebTypeAppEngingIamBindingMap{ "key": WebTypeAppEngingIamBindingArgs{...} }

type WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingMapOutput) ElementType

func (WebTypeAppEngingIamBindingMapOutput) MapIndex

func (WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutput

func (o WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput

func (WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutputWithContext

func (o WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeAppEngingIamBindingOutput) ElementType

func (WebTypeAppEngingIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeAppEngingIamBindingOutput) Role

The role that should be applied. Only one `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutput

func (o WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput

func (WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutputWithContext

func (o WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingState

type WebTypeAppEngingIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeAppEngingIamBindingState) ElementType

type WebTypeAppEngingIamMember

type WebTypeAppEngingIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeAppEngine Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}

* {{project}}/{{appId}}

* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor projects/{{project}}/iap_web/appengine-{{appId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamMember

func GetWebTypeAppEngingIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamMemberState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamMember, error)

GetWebTypeAppEngingIamMember gets an existing WebTypeAppEngingIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamMember

func NewWebTypeAppEngingIamMember(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamMemberArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamMember, error)

NewWebTypeAppEngingIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamMember) ElementType

func (*WebTypeAppEngingIamMember) ElementType() reflect.Type

func (*WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutput

func (i *WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput

func (*WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutputWithContext

func (i *WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberArgs

type WebTypeAppEngingIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeAppEngingIamMember resource.

func (WebTypeAppEngingIamMemberArgs) ElementType

type WebTypeAppEngingIamMemberArray

type WebTypeAppEngingIamMemberArray []WebTypeAppEngingIamMemberInput

func (WebTypeAppEngingIamMemberArray) ElementType

func (WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutput

func (i WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput

func (WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutputWithContext

func (i WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberArrayInput

type WebTypeAppEngingIamMemberArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput
	ToWebTypeAppEngingIamMemberArrayOutputWithContext(context.Context) WebTypeAppEngingIamMemberArrayOutput
}

WebTypeAppEngingIamMemberArrayInput is an input type that accepts WebTypeAppEngingIamMemberArray and WebTypeAppEngingIamMemberArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberArrayInput` via:

WebTypeAppEngingIamMemberArray{ WebTypeAppEngingIamMemberArgs{...} }

type WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberArrayOutput) ElementType

func (WebTypeAppEngingIamMemberArrayOutput) Index

func (WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutput

func (o WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput

func (WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutputWithContext

func (o WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberCondition

type WebTypeAppEngingIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeAppEngingIamMemberConditionArgs

type WebTypeAppEngingIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeAppEngingIamMemberConditionArgs) ElementType

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutput

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutputWithContext

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutput

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionInput

type WebTypeAppEngingIamMemberConditionInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput
	ToWebTypeAppEngingIamMemberConditionOutputWithContext(context.Context) WebTypeAppEngingIamMemberConditionOutput
}

WebTypeAppEngingIamMemberConditionInput is an input type that accepts WebTypeAppEngingIamMemberConditionArgs and WebTypeAppEngingIamMemberConditionOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberConditionInput` via:

WebTypeAppEngingIamMemberConditionArgs{...}

type WebTypeAppEngingIamMemberConditionOutput

type WebTypeAppEngingIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamMemberConditionOutput) ElementType

func (WebTypeAppEngingIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutput

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutputWithContext

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionPtrInput

type WebTypeAppEngingIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput
	ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(context.Context) WebTypeAppEngingIamMemberConditionPtrOutput
}

WebTypeAppEngingIamMemberConditionPtrInput is an input type that accepts WebTypeAppEngingIamMemberConditionArgs, WebTypeAppEngingIamMemberConditionPtr and WebTypeAppEngingIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberConditionPtrInput` via:

        WebTypeAppEngingIamMemberConditionArgs{...}

or:

        nil

type WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamMemberConditionPtrOutput) Elem

func (WebTypeAppEngingIamMemberConditionPtrOutput) ElementType

func (WebTypeAppEngingIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput

func (o WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext

func (o WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberInput

type WebTypeAppEngingIamMemberInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput
	ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput
}

type WebTypeAppEngingIamMemberMap

type WebTypeAppEngingIamMemberMap map[string]WebTypeAppEngingIamMemberInput

func (WebTypeAppEngingIamMemberMap) ElementType

func (WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutput

func (i WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput

func (WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutputWithContext

func (i WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberMapInput

type WebTypeAppEngingIamMemberMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput
	ToWebTypeAppEngingIamMemberMapOutputWithContext(context.Context) WebTypeAppEngingIamMemberMapOutput
}

WebTypeAppEngingIamMemberMapInput is an input type that accepts WebTypeAppEngingIamMemberMap and WebTypeAppEngingIamMemberMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberMapInput` via:

WebTypeAppEngingIamMemberMap{ "key": WebTypeAppEngingIamMemberArgs{...} }

type WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberMapOutput) ElementType

func (WebTypeAppEngingIamMemberMapOutput) MapIndex

func (WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutput

func (o WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput

func (WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutputWithContext

func (o WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeAppEngingIamMemberOutput) ElementType

func (WebTypeAppEngingIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeAppEngingIamMemberOutput) Role

The role that should be applied. Only one `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutput

func (o WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput

func (WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutputWithContext

func (o WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberState

type WebTypeAppEngingIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeAppEngingIamMemberState) ElementType

type WebTypeAppEngingIamPolicy

type WebTypeAppEngingIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeAppEngine Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}

* {{project}}/{{appId}}

* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamPolicy

func GetWebTypeAppEngingIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamPolicyState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamPolicy, error)

GetWebTypeAppEngingIamPolicy gets an existing WebTypeAppEngingIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamPolicy

func NewWebTypeAppEngingIamPolicy(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamPolicy, error)

NewWebTypeAppEngingIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamPolicy) ElementType

func (*WebTypeAppEngingIamPolicy) ElementType() reflect.Type

func (*WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutput

func (i *WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput

func (*WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutputWithContext

func (i *WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyArgs

type WebTypeAppEngingIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebTypeAppEngingIamPolicy resource.

func (WebTypeAppEngingIamPolicyArgs) ElementType

type WebTypeAppEngingIamPolicyArray

type WebTypeAppEngingIamPolicyArray []WebTypeAppEngingIamPolicyInput

func (WebTypeAppEngingIamPolicyArray) ElementType

func (WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutput

func (i WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput

func (WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutputWithContext

func (i WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyArrayInput

type WebTypeAppEngingIamPolicyArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput
	ToWebTypeAppEngingIamPolicyArrayOutputWithContext(context.Context) WebTypeAppEngingIamPolicyArrayOutput
}

WebTypeAppEngingIamPolicyArrayInput is an input type that accepts WebTypeAppEngingIamPolicyArray and WebTypeAppEngingIamPolicyArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamPolicyArrayInput` via:

WebTypeAppEngingIamPolicyArray{ WebTypeAppEngingIamPolicyArgs{...} }

type WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyArrayOutput) ElementType

func (WebTypeAppEngingIamPolicyArrayOutput) Index

func (WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutput

func (o WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput

func (WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutputWithContext

func (o WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyInput

type WebTypeAppEngingIamPolicyInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput
	ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput
}

type WebTypeAppEngingIamPolicyMap

type WebTypeAppEngingIamPolicyMap map[string]WebTypeAppEngingIamPolicyInput

func (WebTypeAppEngingIamPolicyMap) ElementType

func (WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutput

func (i WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput

func (WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutputWithContext

func (i WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyMapInput

type WebTypeAppEngingIamPolicyMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput
	ToWebTypeAppEngingIamPolicyMapOutputWithContext(context.Context) WebTypeAppEngingIamPolicyMapOutput
}

WebTypeAppEngingIamPolicyMapInput is an input type that accepts WebTypeAppEngingIamPolicyMap and WebTypeAppEngingIamPolicyMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamPolicyMapInput` via:

WebTypeAppEngingIamPolicyMap{ "key": WebTypeAppEngingIamPolicyArgs{...} }

type WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyMapOutput) ElementType

func (WebTypeAppEngingIamPolicyMapOutput) MapIndex

func (WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutput

func (o WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput

func (WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutputWithContext

func (o WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyOutput) AppId

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamPolicyOutput) ElementType

func (WebTypeAppEngingIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebTypeAppEngingIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutput

func (o WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput

func (WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutputWithContext

func (o WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyState

type WebTypeAppEngingIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (WebTypeAppEngingIamPolicyState) ElementType

type WebTypeComputeIamBinding

type WebTypeComputeIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeCompute Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor projects/{{project}}/iap_web/compute ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamBinding

func GetWebTypeComputeIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamBindingState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamBinding, error)

GetWebTypeComputeIamBinding gets an existing WebTypeComputeIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamBinding

func NewWebTypeComputeIamBinding(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamBindingArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamBinding, error)

NewWebTypeComputeIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamBinding) ElementType

func (*WebTypeComputeIamBinding) ElementType() reflect.Type

func (*WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutput

func (i *WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput

func (*WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutputWithContext

func (i *WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingArgs

type WebTypeComputeIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeComputeIamBinding resource.

func (WebTypeComputeIamBindingArgs) ElementType

type WebTypeComputeIamBindingArray

type WebTypeComputeIamBindingArray []WebTypeComputeIamBindingInput

func (WebTypeComputeIamBindingArray) ElementType

func (WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutput

func (i WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput

func (WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutputWithContext

func (i WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutputWithContext(ctx context.Context) WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingArrayInput

type WebTypeComputeIamBindingArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput
	ToWebTypeComputeIamBindingArrayOutputWithContext(context.Context) WebTypeComputeIamBindingArrayOutput
}

WebTypeComputeIamBindingArrayInput is an input type that accepts WebTypeComputeIamBindingArray and WebTypeComputeIamBindingArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingArrayInput` via:

WebTypeComputeIamBindingArray{ WebTypeComputeIamBindingArgs{...} }

type WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingArrayOutput) ElementType

func (WebTypeComputeIamBindingArrayOutput) Index

func (WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutput

func (o WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput

func (WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutputWithContext

func (o WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutputWithContext(ctx context.Context) WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingCondition

type WebTypeComputeIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeComputeIamBindingConditionArgs

type WebTypeComputeIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeComputeIamBindingConditionArgs) ElementType

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutput

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutputWithContext

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutput

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutputWithContext

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionInput

type WebTypeComputeIamBindingConditionInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput
	ToWebTypeComputeIamBindingConditionOutputWithContext(context.Context) WebTypeComputeIamBindingConditionOutput
}

WebTypeComputeIamBindingConditionInput is an input type that accepts WebTypeComputeIamBindingConditionArgs and WebTypeComputeIamBindingConditionOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingConditionInput` via:

WebTypeComputeIamBindingConditionArgs{...}

type WebTypeComputeIamBindingConditionOutput

type WebTypeComputeIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamBindingConditionOutput) ElementType

func (WebTypeComputeIamBindingConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamBindingConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutput

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutputWithContext

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutput

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionPtrInput

type WebTypeComputeIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput
	ToWebTypeComputeIamBindingConditionPtrOutputWithContext(context.Context) WebTypeComputeIamBindingConditionPtrOutput
}

WebTypeComputeIamBindingConditionPtrInput is an input type that accepts WebTypeComputeIamBindingConditionArgs, WebTypeComputeIamBindingConditionPtr and WebTypeComputeIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingConditionPtrInput` via:

        WebTypeComputeIamBindingConditionArgs{...}

or:

        nil

type WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamBindingConditionPtrOutput) Elem

func (WebTypeComputeIamBindingConditionPtrOutput) ElementType

func (WebTypeComputeIamBindingConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamBindingConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutput

func (o WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext

func (o WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingInput

type WebTypeComputeIamBindingInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput
	ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput
}

type WebTypeComputeIamBindingMap

type WebTypeComputeIamBindingMap map[string]WebTypeComputeIamBindingInput

func (WebTypeComputeIamBindingMap) ElementType

func (WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutput

func (i WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput

func (WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutputWithContext

func (i WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutputWithContext(ctx context.Context) WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingMapInput

type WebTypeComputeIamBindingMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput
	ToWebTypeComputeIamBindingMapOutputWithContext(context.Context) WebTypeComputeIamBindingMapOutput
}

WebTypeComputeIamBindingMapInput is an input type that accepts WebTypeComputeIamBindingMap and WebTypeComputeIamBindingMapOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingMapInput` via:

WebTypeComputeIamBindingMap{ "key": WebTypeComputeIamBindingArgs{...} }

type WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingMapOutput) ElementType

func (WebTypeComputeIamBindingMapOutput) MapIndex

func (WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutput

func (o WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput

func (WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutputWithContext

func (o WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutputWithContext(ctx context.Context) WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeComputeIamBindingOutput) ElementType

func (WebTypeComputeIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeComputeIamBindingOutput) Role

The role that should be applied. Only one `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutput

func (o WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput

func (WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutputWithContext

func (o WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingState

type WebTypeComputeIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeComputeIamBindingState) ElementType

type WebTypeComputeIamMember

type WebTypeComputeIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeCompute Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor projects/{{project}}/iap_web/compute ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamMember

func GetWebTypeComputeIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamMemberState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamMember, error)

GetWebTypeComputeIamMember gets an existing WebTypeComputeIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamMember

func NewWebTypeComputeIamMember(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamMemberArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamMember, error)

NewWebTypeComputeIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamMember) ElementType

func (*WebTypeComputeIamMember) ElementType() reflect.Type

func (*WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutput

func (i *WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput

func (*WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutputWithContext

func (i *WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberArgs

type WebTypeComputeIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeComputeIamMember resource.

func (WebTypeComputeIamMemberArgs) ElementType

type WebTypeComputeIamMemberArray

type WebTypeComputeIamMemberArray []WebTypeComputeIamMemberInput

func (WebTypeComputeIamMemberArray) ElementType

func (WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutput

func (i WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput

func (WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutputWithContext

func (i WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutputWithContext(ctx context.Context) WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberArrayInput

type WebTypeComputeIamMemberArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput
	ToWebTypeComputeIamMemberArrayOutputWithContext(context.Context) WebTypeComputeIamMemberArrayOutput
}

WebTypeComputeIamMemberArrayInput is an input type that accepts WebTypeComputeIamMemberArray and WebTypeComputeIamMemberArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberArrayInput` via:

WebTypeComputeIamMemberArray{ WebTypeComputeIamMemberArgs{...} }

type WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberArrayOutput) ElementType

func (WebTypeComputeIamMemberArrayOutput) Index

func (WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutput

func (o WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput

func (WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutputWithContext

func (o WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutputWithContext(ctx context.Context) WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberCondition

type WebTypeComputeIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeComputeIamMemberConditionArgs

type WebTypeComputeIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeComputeIamMemberConditionArgs) ElementType

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutput

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutputWithContext

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutput

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutputWithContext

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionInput

type WebTypeComputeIamMemberConditionInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput
	ToWebTypeComputeIamMemberConditionOutputWithContext(context.Context) WebTypeComputeIamMemberConditionOutput
}

WebTypeComputeIamMemberConditionInput is an input type that accepts WebTypeComputeIamMemberConditionArgs and WebTypeComputeIamMemberConditionOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberConditionInput` via:

WebTypeComputeIamMemberConditionArgs{...}

type WebTypeComputeIamMemberConditionOutput

type WebTypeComputeIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberConditionOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamMemberConditionOutput) ElementType

func (WebTypeComputeIamMemberConditionOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamMemberConditionOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutput

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutputWithContext

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutput

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionPtrInput

type WebTypeComputeIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput
	ToWebTypeComputeIamMemberConditionPtrOutputWithContext(context.Context) WebTypeComputeIamMemberConditionPtrOutput
}

WebTypeComputeIamMemberConditionPtrInput is an input type that accepts WebTypeComputeIamMemberConditionArgs, WebTypeComputeIamMemberConditionPtr and WebTypeComputeIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberConditionPtrInput` via:

        WebTypeComputeIamMemberConditionArgs{...}

or:

        nil

type WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberConditionPtrOutput) Description

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamMemberConditionPtrOutput) Elem

func (WebTypeComputeIamMemberConditionPtrOutput) ElementType

func (WebTypeComputeIamMemberConditionPtrOutput) Expression

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamMemberConditionPtrOutput) Title

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutput

func (o WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext

func (o WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberInput

type WebTypeComputeIamMemberInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput
	ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput
}

type WebTypeComputeIamMemberMap

type WebTypeComputeIamMemberMap map[string]WebTypeComputeIamMemberInput

func (WebTypeComputeIamMemberMap) ElementType

func (WebTypeComputeIamMemberMap) ElementType() reflect.Type

func (WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutput

func (i WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput

func (WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutputWithContext

func (i WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutputWithContext(ctx context.Context) WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberMapInput

type WebTypeComputeIamMemberMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput
	ToWebTypeComputeIamMemberMapOutputWithContext(context.Context) WebTypeComputeIamMemberMapOutput
}

WebTypeComputeIamMemberMapInput is an input type that accepts WebTypeComputeIamMemberMap and WebTypeComputeIamMemberMapOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberMapInput` via:

WebTypeComputeIamMemberMap{ "key": WebTypeComputeIamMemberArgs{...} }

type WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberMapOutput) ElementType

func (WebTypeComputeIamMemberMapOutput) MapIndex

func (WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutput

func (o WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput

func (WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutputWithContext

func (o WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutputWithContext(ctx context.Context) WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberOutput) Condition

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeComputeIamMemberOutput) ElementType

func (WebTypeComputeIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeComputeIamMemberOutput) Role

The role that should be applied. Only one `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutput

func (o WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput

func (WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutputWithContext

func (o WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberState

type WebTypeComputeIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeComputeIamMemberState) ElementType

type WebTypeComputeIamPolicy

type WebTypeComputeIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeCompute Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor projects/{{project}}/iap_web/compute ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamPolicy

func GetWebTypeComputeIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamPolicyState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamPolicy, error)

GetWebTypeComputeIamPolicy gets an existing WebTypeComputeIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamPolicy

func NewWebTypeComputeIamPolicy(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamPolicy, error)

NewWebTypeComputeIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamPolicy) ElementType

func (*WebTypeComputeIamPolicy) ElementType() reflect.Type

func (*WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutput

func (i *WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput

func (*WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutputWithContext

func (i *WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyArgs

type WebTypeComputeIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebTypeComputeIamPolicy resource.

func (WebTypeComputeIamPolicyArgs) ElementType

type WebTypeComputeIamPolicyArray

type WebTypeComputeIamPolicyArray []WebTypeComputeIamPolicyInput

func (WebTypeComputeIamPolicyArray) ElementType

func (WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutput

func (i WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput

func (WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutputWithContext

func (i WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyArrayInput

type WebTypeComputeIamPolicyArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput
	ToWebTypeComputeIamPolicyArrayOutputWithContext(context.Context) WebTypeComputeIamPolicyArrayOutput
}

WebTypeComputeIamPolicyArrayInput is an input type that accepts WebTypeComputeIamPolicyArray and WebTypeComputeIamPolicyArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamPolicyArrayInput` via:

WebTypeComputeIamPolicyArray{ WebTypeComputeIamPolicyArgs{...} }

type WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyArrayOutput) ElementType

func (WebTypeComputeIamPolicyArrayOutput) Index

func (WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutput

func (o WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput

func (WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutputWithContext

func (o WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyInput

type WebTypeComputeIamPolicyInput interface {
	pulumi.Input

	ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput
	ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput
}

type WebTypeComputeIamPolicyMap

type WebTypeComputeIamPolicyMap map[string]WebTypeComputeIamPolicyInput

func (WebTypeComputeIamPolicyMap) ElementType

func (WebTypeComputeIamPolicyMap) ElementType() reflect.Type

func (WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutput

func (i WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput

func (WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutputWithContext

func (i WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyMapInput

type WebTypeComputeIamPolicyMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput
	ToWebTypeComputeIamPolicyMapOutputWithContext(context.Context) WebTypeComputeIamPolicyMapOutput
}

WebTypeComputeIamPolicyMapInput is an input type that accepts WebTypeComputeIamPolicyMap and WebTypeComputeIamPolicyMapOutput values. You can construct a concrete instance of `WebTypeComputeIamPolicyMapInput` via:

WebTypeComputeIamPolicyMap{ "key": WebTypeComputeIamPolicyArgs{...} }

type WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyMapOutput) ElementType

func (WebTypeComputeIamPolicyMapOutput) MapIndex

func (WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutput

func (o WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput

func (WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutputWithContext

func (o WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyOutput) ElementType

func (WebTypeComputeIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebTypeComputeIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutput

func (o WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput

func (WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutputWithContext

func (o WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyState

type WebTypeComputeIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (WebTypeComputeIamPolicyState) ElementType

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL