iap

package
v8.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 8, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AppEngineServiceIamBinding 

type AppEngineServiceIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineService Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

* {{project}}/{{appId}}/{{service}}

* {{appId}}/{{service}}

* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamBinding:AppEngineServiceIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamBinding 

func GetAppEngineServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamBindingState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamBinding, error)

GetAppEngineServiceIamBinding gets an existing AppEngineServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamBinding 

func NewAppEngineServiceIamBinding(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamBinding, error)

NewAppEngineServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamBinding) ElementType 

func (*AppEngineServiceIamBinding) ElementType() reflect.Type

func (*AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutput 

func (i *AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput

func (*AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutputWithContext 

func (i *AppEngineServiceIamBinding) ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingArgs 

type AppEngineServiceIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamBinding resource.

func (AppEngineServiceIamBindingArgs) ElementType 

func (AppEngineServiceIamBindingArgs) ElementType() reflect.Type

type AppEngineServiceIamBindingArray 

type AppEngineServiceIamBindingArray []AppEngineServiceIamBindingInput

func (AppEngineServiceIamBindingArray) ElementType 

func (AppEngineServiceIamBindingArray) ElementType() reflect.Type

func (AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutput 

func (i AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput

func (AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutputWithContext 

func (i AppEngineServiceIamBindingArray) ToAppEngineServiceIamBindingArrayOutputWithContext(ctx context.Context) AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingArrayInput 

type AppEngineServiceIamBindingArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput
	ToAppEngineServiceIamBindingArrayOutputWithContext(context.Context) AppEngineServiceIamBindingArrayOutput
}

AppEngineServiceIamBindingArrayInput is an input type that accepts AppEngineServiceIamBindingArray and AppEngineServiceIamBindingArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingArrayInput` via: 

AppEngineServiceIamBindingArray{ AppEngineServiceIamBindingArgs{...} }

type AppEngineServiceIamBindingArrayOutput 

type AppEngineServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingArrayOutput) ElementType 

func (AppEngineServiceIamBindingArrayOutput) ElementType() reflect.Type

func (AppEngineServiceIamBindingArrayOutput) Index 

func (o AppEngineServiceIamBindingArrayOutput) Index(i pulumi.IntInput) AppEngineServiceIamBindingOutput

func (AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutput 

func (o AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutput() AppEngineServiceIamBindingArrayOutput

func (AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutputWithContext 

func (o AppEngineServiceIamBindingArrayOutput) ToAppEngineServiceIamBindingArrayOutputWithContext(ctx context.Context) AppEngineServiceIamBindingArrayOutput

type AppEngineServiceIamBindingCondition 

type AppEngineServiceIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineServiceIamBindingConditionArgs 

type AppEngineServiceIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineServiceIamBindingConditionArgs) ElementType 

func (AppEngineServiceIamBindingConditionArgs) ElementType() reflect.Type

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutput 

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutputWithContext 

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutput 

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutputWithContext 

func (i AppEngineServiceIamBindingConditionArgs) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionInput 

type AppEngineServiceIamBindingConditionInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput
	ToAppEngineServiceIamBindingConditionOutputWithContext(context.Context) AppEngineServiceIamBindingConditionOutput
}

AppEngineServiceIamBindingConditionInput is an input type that accepts AppEngineServiceIamBindingConditionArgs and AppEngineServiceIamBindingConditionOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingConditionInput` via: 

AppEngineServiceIamBindingConditionArgs{...}

type AppEngineServiceIamBindingConditionOutput 

type AppEngineServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingConditionOutput) Description 

func (o AppEngineServiceIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamBindingConditionOutput) ElementType 

func (AppEngineServiceIamBindingConditionOutput) ElementType() reflect.Type

func (AppEngineServiceIamBindingConditionOutput) Expression 

func (o AppEngineServiceIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamBindingConditionOutput) Title 

func (o AppEngineServiceIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutput 

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutput() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutputWithContext 

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutput 

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext 

func (o AppEngineServiceIamBindingConditionOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingConditionPtrInput 

type AppEngineServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput
	ToAppEngineServiceIamBindingConditionPtrOutputWithContext(context.Context) AppEngineServiceIamBindingConditionPtrOutput
}

AppEngineServiceIamBindingConditionPtrInput is an input type that accepts AppEngineServiceIamBindingConditionArgs, AppEngineServiceIamBindingConditionPtr and AppEngineServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingConditionPtrInput` via: 

        AppEngineServiceIamBindingConditionArgs{...}

or:

        nil

func AppEngineServiceIamBindingConditionPtr 

func AppEngineServiceIamBindingConditionPtr(v *AppEngineServiceIamBindingConditionArgs) AppEngineServiceIamBindingConditionPtrInput

type AppEngineServiceIamBindingConditionPtrOutput 

type AppEngineServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingConditionPtrOutput) Description 

func (o AppEngineServiceIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamBindingConditionPtrOutput) Elem 

func (o AppEngineServiceIamBindingConditionPtrOutput) Elem() AppEngineServiceIamBindingConditionOutput

func (AppEngineServiceIamBindingConditionPtrOutput) ElementType 

func (AppEngineServiceIamBindingConditionPtrOutput) ElementType() reflect.Type

func (AppEngineServiceIamBindingConditionPtrOutput) Expression 

func (o AppEngineServiceIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamBindingConditionPtrOutput) Title 

func (o AppEngineServiceIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutput 

func (o AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutput() AppEngineServiceIamBindingConditionPtrOutput

func (AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext 

func (o AppEngineServiceIamBindingConditionPtrOutput) ToAppEngineServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamBindingConditionPtrOutput

type AppEngineServiceIamBindingInput 

type AppEngineServiceIamBindingInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput
	ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput
}

type AppEngineServiceIamBindingMap 

type AppEngineServiceIamBindingMap map[string]AppEngineServiceIamBindingInput

func (AppEngineServiceIamBindingMap) ElementType 

func (AppEngineServiceIamBindingMap) ElementType() reflect.Type

func (AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutput 

func (i AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput

func (AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutputWithContext 

func (i AppEngineServiceIamBindingMap) ToAppEngineServiceIamBindingMapOutputWithContext(ctx context.Context) AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingMapInput 

type AppEngineServiceIamBindingMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput
	ToAppEngineServiceIamBindingMapOutputWithContext(context.Context) AppEngineServiceIamBindingMapOutput
}

AppEngineServiceIamBindingMapInput is an input type that accepts AppEngineServiceIamBindingMap and AppEngineServiceIamBindingMapOutput values. You can construct a concrete instance of `AppEngineServiceIamBindingMapInput` via: 

AppEngineServiceIamBindingMap{ "key": AppEngineServiceIamBindingArgs{...} }

type AppEngineServiceIamBindingMapOutput 

type AppEngineServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingMapOutput) ElementType 

func (AppEngineServiceIamBindingMapOutput) ElementType() reflect.Type

func (AppEngineServiceIamBindingMapOutput) MapIndex 

func (o AppEngineServiceIamBindingMapOutput) MapIndex(k pulumi.StringInput) AppEngineServiceIamBindingOutput

func (AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutput 

func (o AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutput() AppEngineServiceIamBindingMapOutput

func (AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutputWithContext 

func (o AppEngineServiceIamBindingMapOutput) ToAppEngineServiceIamBindingMapOutputWithContext(ctx context.Context) AppEngineServiceIamBindingMapOutput

type AppEngineServiceIamBindingOutput 

type AppEngineServiceIamBindingOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamBindingOutput) AppId 

func (o AppEngineServiceIamBindingOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamBindingOutput) Condition 

func (o AppEngineServiceIamBindingOutput) Condition() AppEngineServiceIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineServiceIamBindingOutput) ElementType 

func (AppEngineServiceIamBindingOutput) ElementType() reflect.Type

func (AppEngineServiceIamBindingOutput) Etag 

func (o AppEngineServiceIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamBindingOutput) Members 

func (o AppEngineServiceIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamBindingOutput) Project 

func (o AppEngineServiceIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineServiceIamBindingOutput) Role 

func (o AppEngineServiceIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineServiceIamBindingOutput) Service 

func (o AppEngineServiceIamBindingOutput) Service() pulumi.StringOutput

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutput 

func (o AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutput() AppEngineServiceIamBindingOutput

func (AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutputWithContext 

func (o AppEngineServiceIamBindingOutput) ToAppEngineServiceIamBindingOutputWithContext(ctx context.Context) AppEngineServiceIamBindingOutput

type AppEngineServiceIamBindingState 

type AppEngineServiceIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamBindingState) ElementType 

func (AppEngineServiceIamBindingState) ElementType() reflect.Type

type AppEngineServiceIamMember 

type AppEngineServiceIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineService Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

* {{project}}/{{appId}}/{{service}}

* {{appId}}/{{service}}

* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamMember:AppEngineServiceIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamMember 

func GetAppEngineServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamMemberState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamMember, error)

GetAppEngineServiceIamMember gets an existing AppEngineServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamMember 

func NewAppEngineServiceIamMember(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamMember, error)

NewAppEngineServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamMember) ElementType 

func (*AppEngineServiceIamMember) ElementType() reflect.Type

func (*AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutput 

func (i *AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput

func (*AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutputWithContext 

func (i *AppEngineServiceIamMember) ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberArgs 

type AppEngineServiceIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamMember resource.

func (AppEngineServiceIamMemberArgs) ElementType 

func (AppEngineServiceIamMemberArgs) ElementType() reflect.Type

type AppEngineServiceIamMemberArray 

type AppEngineServiceIamMemberArray []AppEngineServiceIamMemberInput

func (AppEngineServiceIamMemberArray) ElementType 

func (AppEngineServiceIamMemberArray) ElementType() reflect.Type

func (AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutput 

func (i AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput

func (AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutputWithContext 

func (i AppEngineServiceIamMemberArray) ToAppEngineServiceIamMemberArrayOutputWithContext(ctx context.Context) AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberArrayInput 

type AppEngineServiceIamMemberArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput
	ToAppEngineServiceIamMemberArrayOutputWithContext(context.Context) AppEngineServiceIamMemberArrayOutput
}

AppEngineServiceIamMemberArrayInput is an input type that accepts AppEngineServiceIamMemberArray and AppEngineServiceIamMemberArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberArrayInput` via: 

AppEngineServiceIamMemberArray{ AppEngineServiceIamMemberArgs{...} }

type AppEngineServiceIamMemberArrayOutput 

type AppEngineServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberArrayOutput) ElementType 

func (AppEngineServiceIamMemberArrayOutput) ElementType() reflect.Type

func (AppEngineServiceIamMemberArrayOutput) Index 

func (o AppEngineServiceIamMemberArrayOutput) Index(i pulumi.IntInput) AppEngineServiceIamMemberOutput

func (AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutput 

func (o AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutput() AppEngineServiceIamMemberArrayOutput

func (AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutputWithContext 

func (o AppEngineServiceIamMemberArrayOutput) ToAppEngineServiceIamMemberArrayOutputWithContext(ctx context.Context) AppEngineServiceIamMemberArrayOutput

type AppEngineServiceIamMemberCondition 

type AppEngineServiceIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineServiceIamMemberConditionArgs 

type AppEngineServiceIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineServiceIamMemberConditionArgs) ElementType 

func (AppEngineServiceIamMemberConditionArgs) ElementType() reflect.Type

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutput 

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutputWithContext 

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutput 

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutputWithContext 

func (i AppEngineServiceIamMemberConditionArgs) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionInput 

type AppEngineServiceIamMemberConditionInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput
	ToAppEngineServiceIamMemberConditionOutputWithContext(context.Context) AppEngineServiceIamMemberConditionOutput
}

AppEngineServiceIamMemberConditionInput is an input type that accepts AppEngineServiceIamMemberConditionArgs and AppEngineServiceIamMemberConditionOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberConditionInput` via: 

AppEngineServiceIamMemberConditionArgs{...}

type AppEngineServiceIamMemberConditionOutput 

type AppEngineServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberConditionOutput) Description 

func (o AppEngineServiceIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamMemberConditionOutput) ElementType 

func (AppEngineServiceIamMemberConditionOutput) ElementType() reflect.Type

func (AppEngineServiceIamMemberConditionOutput) Expression 

func (o AppEngineServiceIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamMemberConditionOutput) Title 

func (o AppEngineServiceIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutput 

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutput() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutputWithContext 

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutput 

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext 

func (o AppEngineServiceIamMemberConditionOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberConditionPtrInput 

type AppEngineServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput
	ToAppEngineServiceIamMemberConditionPtrOutputWithContext(context.Context) AppEngineServiceIamMemberConditionPtrOutput
}

AppEngineServiceIamMemberConditionPtrInput is an input type that accepts AppEngineServiceIamMemberConditionArgs, AppEngineServiceIamMemberConditionPtr and AppEngineServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberConditionPtrInput` via: 

        AppEngineServiceIamMemberConditionArgs{...}

or:

        nil

func AppEngineServiceIamMemberConditionPtr 

func AppEngineServiceIamMemberConditionPtr(v *AppEngineServiceIamMemberConditionArgs) AppEngineServiceIamMemberConditionPtrInput

type AppEngineServiceIamMemberConditionPtrOutput 

type AppEngineServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberConditionPtrOutput) Description 

func (o AppEngineServiceIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineServiceIamMemberConditionPtrOutput) Elem 

func (o AppEngineServiceIamMemberConditionPtrOutput) Elem() AppEngineServiceIamMemberConditionOutput

func (AppEngineServiceIamMemberConditionPtrOutput) ElementType 

func (AppEngineServiceIamMemberConditionPtrOutput) ElementType() reflect.Type

func (AppEngineServiceIamMemberConditionPtrOutput) Expression 

func (o AppEngineServiceIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineServiceIamMemberConditionPtrOutput) Title 

func (o AppEngineServiceIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutput 

func (o AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutput() AppEngineServiceIamMemberConditionPtrOutput

func (AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext 

func (o AppEngineServiceIamMemberConditionPtrOutput) ToAppEngineServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineServiceIamMemberConditionPtrOutput

type AppEngineServiceIamMemberInput 

type AppEngineServiceIamMemberInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput
	ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput
}

type AppEngineServiceIamMemberMap 

type AppEngineServiceIamMemberMap map[string]AppEngineServiceIamMemberInput

func (AppEngineServiceIamMemberMap) ElementType 

func (AppEngineServiceIamMemberMap) ElementType() reflect.Type

func (AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutput 

func (i AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput

func (AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutputWithContext 

func (i AppEngineServiceIamMemberMap) ToAppEngineServiceIamMemberMapOutputWithContext(ctx context.Context) AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberMapInput 

type AppEngineServiceIamMemberMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput
	ToAppEngineServiceIamMemberMapOutputWithContext(context.Context) AppEngineServiceIamMemberMapOutput
}

AppEngineServiceIamMemberMapInput is an input type that accepts AppEngineServiceIamMemberMap and AppEngineServiceIamMemberMapOutput values. You can construct a concrete instance of `AppEngineServiceIamMemberMapInput` via: 

AppEngineServiceIamMemberMap{ "key": AppEngineServiceIamMemberArgs{...} }

type AppEngineServiceIamMemberMapOutput 

type AppEngineServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberMapOutput) ElementType 

func (AppEngineServiceIamMemberMapOutput) ElementType() reflect.Type

func (AppEngineServiceIamMemberMapOutput) MapIndex 

func (o AppEngineServiceIamMemberMapOutput) MapIndex(k pulumi.StringInput) AppEngineServiceIamMemberOutput

func (AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutput 

func (o AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutput() AppEngineServiceIamMemberMapOutput

func (AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutputWithContext 

func (o AppEngineServiceIamMemberMapOutput) ToAppEngineServiceIamMemberMapOutputWithContext(ctx context.Context) AppEngineServiceIamMemberMapOutput

type AppEngineServiceIamMemberOutput 

type AppEngineServiceIamMemberOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamMemberOutput) AppId 

func (o AppEngineServiceIamMemberOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamMemberOutput) Condition 

func (o AppEngineServiceIamMemberOutput) Condition() AppEngineServiceIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineServiceIamMemberOutput) ElementType 

func (AppEngineServiceIamMemberOutput) ElementType() reflect.Type

func (AppEngineServiceIamMemberOutput) Etag 

func (o AppEngineServiceIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamMemberOutput) Member 

func (o AppEngineServiceIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineServiceIamMemberOutput) Project 

func (o AppEngineServiceIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineServiceIamMemberOutput) Role 

func (o AppEngineServiceIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineServiceIamMemberOutput) Service 

func (o AppEngineServiceIamMemberOutput) Service() pulumi.StringOutput

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutput 

func (o AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutput() AppEngineServiceIamMemberOutput

func (AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutputWithContext 

func (o AppEngineServiceIamMemberOutput) ToAppEngineServiceIamMemberOutputWithContext(ctx context.Context) AppEngineServiceIamMemberOutput

type AppEngineServiceIamMemberState 

type AppEngineServiceIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamMemberState) ElementType 

func (AppEngineServiceIamMemberState) ElementType() reflect.Type

type AppEngineServiceIamPolicy 

type AppEngineServiceIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineService Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineService. Each of these resources serves a different use case:

* `iap.AppEngineServiceIamPolicy`: Authoritative. Sets the IAM policy for the appengineservice and replaces any existing policy already attached. * `iap.AppEngineServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineservice are preserved. * `iap.AppEngineServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineServiceIamPolicy`: Retrieves the IAM policy for the appengineservice

> **Note:** `iap.AppEngineServiceIamPolicy` **cannot** be used in conjunction with `iap.AppEngineServiceIamBinding` and `iap.AppEngineServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineServiceIamBinding` resources **can be** used in conjunction with `iap.AppEngineServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineServiceIamPolicy(ctx, "policy", &iap.AppEngineServiceIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamBinding(ctx, "binding", &iap.AppEngineServiceIamBindingArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineServiceIamMember(ctx, "member", &iap.AppEngineServiceIamMemberArgs{
			Project: pulumi.Any(version.Project),
			AppId:   pulumi.Any(version.Project),
			Service: pulumi.Any(version.Service),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}

* {{project}}/{{appId}}/{{service}}

* {{appId}}/{{service}}

* {{service}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineServiceIamPolicy:AppEngineServiceIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineServiceIamPolicy 

func GetAppEngineServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineServiceIamPolicyState, opts ...pulumi.ResourceOption) (*AppEngineServiceIamPolicy, error)

GetAppEngineServiceIamPolicy gets an existing AppEngineServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineServiceIamPolicy 

func NewAppEngineServiceIamPolicy(ctx *pulumi.Context,
	name string, args *AppEngineServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*AppEngineServiceIamPolicy, error)

NewAppEngineServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AppEngineServiceIamPolicy) ElementType 

func (*AppEngineServiceIamPolicy) ElementType() reflect.Type

func (*AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutput 

func (i *AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput

func (*AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutputWithContext 

func (i *AppEngineServiceIamPolicy) ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyArgs 

type AppEngineServiceIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
}

The set of arguments for constructing a AppEngineServiceIamPolicy resource.

func (AppEngineServiceIamPolicyArgs) ElementType 

func (AppEngineServiceIamPolicyArgs) ElementType() reflect.Type

type AppEngineServiceIamPolicyArray 

type AppEngineServiceIamPolicyArray []AppEngineServiceIamPolicyInput

func (AppEngineServiceIamPolicyArray) ElementType 

func (AppEngineServiceIamPolicyArray) ElementType() reflect.Type

func (AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutput 

func (i AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput

func (AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutputWithContext 

func (i AppEngineServiceIamPolicyArray) ToAppEngineServiceIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyArrayInput 

type AppEngineServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput
	ToAppEngineServiceIamPolicyArrayOutputWithContext(context.Context) AppEngineServiceIamPolicyArrayOutput
}

AppEngineServiceIamPolicyArrayInput is an input type that accepts AppEngineServiceIamPolicyArray and AppEngineServiceIamPolicyArrayOutput values. You can construct a concrete instance of `AppEngineServiceIamPolicyArrayInput` via: 

AppEngineServiceIamPolicyArray{ AppEngineServiceIamPolicyArgs{...} }

type AppEngineServiceIamPolicyArrayOutput 

type AppEngineServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyArrayOutput) ElementType 

func (AppEngineServiceIamPolicyArrayOutput) ElementType() reflect.Type

func (AppEngineServiceIamPolicyArrayOutput) Index 

func (o AppEngineServiceIamPolicyArrayOutput) Index(i pulumi.IntInput) AppEngineServiceIamPolicyOutput

func (AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutput 

func (o AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutput() AppEngineServiceIamPolicyArrayOutput

func (AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutputWithContext 

func (o AppEngineServiceIamPolicyArrayOutput) ToAppEngineServiceIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyArrayOutput

type AppEngineServiceIamPolicyInput 

type AppEngineServiceIamPolicyInput interface {
	pulumi.Input

	ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput
	ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput
}

type AppEngineServiceIamPolicyMap 

type AppEngineServiceIamPolicyMap map[string]AppEngineServiceIamPolicyInput

func (AppEngineServiceIamPolicyMap) ElementType 

func (AppEngineServiceIamPolicyMap) ElementType() reflect.Type

func (AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutput 

func (i AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput

func (AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutputWithContext 

func (i AppEngineServiceIamPolicyMap) ToAppEngineServiceIamPolicyMapOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyMapInput 

type AppEngineServiceIamPolicyMapInput interface {
	pulumi.Input

	ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput
	ToAppEngineServiceIamPolicyMapOutputWithContext(context.Context) AppEngineServiceIamPolicyMapOutput
}

AppEngineServiceIamPolicyMapInput is an input type that accepts AppEngineServiceIamPolicyMap and AppEngineServiceIamPolicyMapOutput values. You can construct a concrete instance of `AppEngineServiceIamPolicyMapInput` via: 

AppEngineServiceIamPolicyMap{ "key": AppEngineServiceIamPolicyArgs{...} }

type AppEngineServiceIamPolicyMapOutput 

type AppEngineServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyMapOutput) ElementType 

func (AppEngineServiceIamPolicyMapOutput) ElementType() reflect.Type

func (AppEngineServiceIamPolicyMapOutput) MapIndex 

func (o AppEngineServiceIamPolicyMapOutput) MapIndex(k pulumi.StringInput) AppEngineServiceIamPolicyOutput

func (AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutput 

func (o AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutput() AppEngineServiceIamPolicyMapOutput

func (AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutputWithContext 

func (o AppEngineServiceIamPolicyMapOutput) ToAppEngineServiceIamPolicyMapOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyMapOutput

type AppEngineServiceIamPolicyOutput 

type AppEngineServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (AppEngineServiceIamPolicyOutput) AppId 

func (o AppEngineServiceIamPolicyOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamPolicyOutput) ElementType 

func (AppEngineServiceIamPolicyOutput) ElementType() reflect.Type

func (AppEngineServiceIamPolicyOutput) Etag 

func (o AppEngineServiceIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (AppEngineServiceIamPolicyOutput) PolicyData 

func (o AppEngineServiceIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AppEngineServiceIamPolicyOutput) Project 

func (o AppEngineServiceIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineServiceIamPolicyOutput) Service 

func (o AppEngineServiceIamPolicyOutput) Service() pulumi.StringOutput

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutput 

func (o AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutput() AppEngineServiceIamPolicyOutput

func (AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutputWithContext 

func (o AppEngineServiceIamPolicyOutput) ToAppEngineServiceIamPolicyOutputWithContext(ctx context.Context) AppEngineServiceIamPolicyOutput

type AppEngineServiceIamPolicyState 

type AppEngineServiceIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
}

func (AppEngineServiceIamPolicyState) ElementType 

func (AppEngineServiceIamPolicyState) ElementType() reflect.Type

type AppEngineVersionIamBinding 

type AppEngineVersionIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineVersion Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

* {{project}}/{{appId}}/{{service}}/{{versionId}}

* {{appId}}/{{service}}/{{versionId}}

* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamBinding 

func GetAppEngineVersionIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamBindingState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamBinding, error)

GetAppEngineVersionIamBinding gets an existing AppEngineVersionIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamBinding 

func NewAppEngineVersionIamBinding(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamBindingArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamBinding, error)

NewAppEngineVersionIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamBinding) ElementType 

func (*AppEngineVersionIamBinding) ElementType() reflect.Type

func (*AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutput 

func (i *AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput

func (*AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutputWithContext 

func (i *AppEngineVersionIamBinding) ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput

type AppEngineVersionIamBindingArgs 

type AppEngineVersionIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamBinding resource.

func (AppEngineVersionIamBindingArgs) ElementType 

func (AppEngineVersionIamBindingArgs) ElementType() reflect.Type

type AppEngineVersionIamBindingArray 

type AppEngineVersionIamBindingArray []AppEngineVersionIamBindingInput

func (AppEngineVersionIamBindingArray) ElementType 

func (AppEngineVersionIamBindingArray) ElementType() reflect.Type

func (AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutput 

func (i AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput

func (AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutputWithContext 

func (i AppEngineVersionIamBindingArray) ToAppEngineVersionIamBindingArrayOutputWithContext(ctx context.Context) AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingArrayInput 

type AppEngineVersionIamBindingArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput
	ToAppEngineVersionIamBindingArrayOutputWithContext(context.Context) AppEngineVersionIamBindingArrayOutput
}

AppEngineVersionIamBindingArrayInput is an input type that accepts AppEngineVersionIamBindingArray and AppEngineVersionIamBindingArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingArrayInput` via: 

AppEngineVersionIamBindingArray{ AppEngineVersionIamBindingArgs{...} }

type AppEngineVersionIamBindingArrayOutput 

type AppEngineVersionIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingArrayOutput) ElementType 

func (AppEngineVersionIamBindingArrayOutput) ElementType() reflect.Type

func (AppEngineVersionIamBindingArrayOutput) Index 

func (o AppEngineVersionIamBindingArrayOutput) Index(i pulumi.IntInput) AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutput 

func (o AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutput() AppEngineVersionIamBindingArrayOutput

func (AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutputWithContext 

func (o AppEngineVersionIamBindingArrayOutput) ToAppEngineVersionIamBindingArrayOutputWithContext(ctx context.Context) AppEngineVersionIamBindingArrayOutput

type AppEngineVersionIamBindingCondition 

type AppEngineVersionIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineVersionIamBindingConditionArgs 

type AppEngineVersionIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineVersionIamBindingConditionArgs) ElementType 

func (AppEngineVersionIamBindingConditionArgs) ElementType() reflect.Type

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutput 

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutputWithContext 

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutput 

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutputWithContext 

func (i AppEngineVersionIamBindingConditionArgs) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionInput 

type AppEngineVersionIamBindingConditionInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput
	ToAppEngineVersionIamBindingConditionOutputWithContext(context.Context) AppEngineVersionIamBindingConditionOutput
}

AppEngineVersionIamBindingConditionInput is an input type that accepts AppEngineVersionIamBindingConditionArgs and AppEngineVersionIamBindingConditionOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingConditionInput` via: 

AppEngineVersionIamBindingConditionArgs{...}

type AppEngineVersionIamBindingConditionOutput 

type AppEngineVersionIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingConditionOutput) Description 

func (o AppEngineVersionIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamBindingConditionOutput) ElementType 

func (AppEngineVersionIamBindingConditionOutput) ElementType() reflect.Type

func (AppEngineVersionIamBindingConditionOutput) Expression 

func (o AppEngineVersionIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamBindingConditionOutput) Title 

func (o AppEngineVersionIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutput 

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutput() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutputWithContext 

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutput 

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext 

func (o AppEngineVersionIamBindingConditionOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingConditionPtrInput 

type AppEngineVersionIamBindingConditionPtrInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput
	ToAppEngineVersionIamBindingConditionPtrOutputWithContext(context.Context) AppEngineVersionIamBindingConditionPtrOutput
}

AppEngineVersionIamBindingConditionPtrInput is an input type that accepts AppEngineVersionIamBindingConditionArgs, AppEngineVersionIamBindingConditionPtr and AppEngineVersionIamBindingConditionPtrOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingConditionPtrInput` via: 

        AppEngineVersionIamBindingConditionArgs{...}

or:

        nil

func AppEngineVersionIamBindingConditionPtr 

func AppEngineVersionIamBindingConditionPtr(v *AppEngineVersionIamBindingConditionArgs) AppEngineVersionIamBindingConditionPtrInput

type AppEngineVersionIamBindingConditionPtrOutput 

type AppEngineVersionIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingConditionPtrOutput) Description 

func (o AppEngineVersionIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamBindingConditionPtrOutput) Elem 

func (o AppEngineVersionIamBindingConditionPtrOutput) Elem() AppEngineVersionIamBindingConditionOutput

func (AppEngineVersionIamBindingConditionPtrOutput) ElementType 

func (AppEngineVersionIamBindingConditionPtrOutput) ElementType() reflect.Type

func (AppEngineVersionIamBindingConditionPtrOutput) Expression 

func (o AppEngineVersionIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamBindingConditionPtrOutput) Title 

func (o AppEngineVersionIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutput 

func (o AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutput() AppEngineVersionIamBindingConditionPtrOutput

func (AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext 

func (o AppEngineVersionIamBindingConditionPtrOutput) ToAppEngineVersionIamBindingConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamBindingConditionPtrOutput

type AppEngineVersionIamBindingInput 

type AppEngineVersionIamBindingInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput
	ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput
}

type AppEngineVersionIamBindingMap 

type AppEngineVersionIamBindingMap map[string]AppEngineVersionIamBindingInput

func (AppEngineVersionIamBindingMap) ElementType 

func (AppEngineVersionIamBindingMap) ElementType() reflect.Type

func (AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutput 

func (i AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput

func (AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutputWithContext 

func (i AppEngineVersionIamBindingMap) ToAppEngineVersionIamBindingMapOutputWithContext(ctx context.Context) AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingMapInput 

type AppEngineVersionIamBindingMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput
	ToAppEngineVersionIamBindingMapOutputWithContext(context.Context) AppEngineVersionIamBindingMapOutput
}

AppEngineVersionIamBindingMapInput is an input type that accepts AppEngineVersionIamBindingMap and AppEngineVersionIamBindingMapOutput values. You can construct a concrete instance of `AppEngineVersionIamBindingMapInput` via: 

AppEngineVersionIamBindingMap{ "key": AppEngineVersionIamBindingArgs{...} }

type AppEngineVersionIamBindingMapOutput 

type AppEngineVersionIamBindingMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingMapOutput) ElementType 

func (AppEngineVersionIamBindingMapOutput) ElementType() reflect.Type

func (AppEngineVersionIamBindingMapOutput) MapIndex 

func (o AppEngineVersionIamBindingMapOutput) MapIndex(k pulumi.StringInput) AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutput 

func (o AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutput() AppEngineVersionIamBindingMapOutput

func (AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutputWithContext 

func (o AppEngineVersionIamBindingMapOutput) ToAppEngineVersionIamBindingMapOutputWithContext(ctx context.Context) AppEngineVersionIamBindingMapOutput

type AppEngineVersionIamBindingOutput 

type AppEngineVersionIamBindingOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamBindingOutput) AppId 

func (o AppEngineVersionIamBindingOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamBindingOutput) Condition 

func (o AppEngineVersionIamBindingOutput) Condition() AppEngineVersionIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineVersionIamBindingOutput) ElementType 

func (AppEngineVersionIamBindingOutput) ElementType() reflect.Type

func (AppEngineVersionIamBindingOutput) Etag 

func (o AppEngineVersionIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamBindingOutput) Members 

func (o AppEngineVersionIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamBindingOutput) Project 

func (o AppEngineVersionIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineVersionIamBindingOutput) Role 

func (o AppEngineVersionIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineVersionIamBindingOutput) Service 

func (o AppEngineVersionIamBindingOutput) Service() pulumi.StringOutput

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutput 

func (o AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutput() AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutputWithContext 

func (o AppEngineVersionIamBindingOutput) ToAppEngineVersionIamBindingOutputWithContext(ctx context.Context) AppEngineVersionIamBindingOutput

func (AppEngineVersionIamBindingOutput) VersionId 

func (o AppEngineVersionIamBindingOutput) VersionId() pulumi.StringOutput

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamBindingState 

type AppEngineVersionIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamBindingState) ElementType 

func (AppEngineVersionIamBindingState) ElementType() reflect.Type

type AppEngineVersionIamMember 

type AppEngineVersionIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineVersion Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

* {{project}}/{{appId}}/{{service}}/{{versionId}}

* {{appId}}/{{service}}/{{versionId}}

* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamMember:AppEngineVersionIamMember editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamMember 

func GetAppEngineVersionIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamMemberState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamMember, error)

GetAppEngineVersionIamMember gets an existing AppEngineVersionIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamMember 

func NewAppEngineVersionIamMember(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamMemberArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamMember, error)

NewAppEngineVersionIamMember registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamMember) ElementType 

func (*AppEngineVersionIamMember) ElementType() reflect.Type

func (*AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutput 

func (i *AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput

func (*AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutputWithContext 

func (i *AppEngineVersionIamMember) ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput

type AppEngineVersionIamMemberArgs 

type AppEngineVersionIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamMember resource.

func (AppEngineVersionIamMemberArgs) ElementType 

func (AppEngineVersionIamMemberArgs) ElementType() reflect.Type

type AppEngineVersionIamMemberArray 

type AppEngineVersionIamMemberArray []AppEngineVersionIamMemberInput

func (AppEngineVersionIamMemberArray) ElementType 

func (AppEngineVersionIamMemberArray) ElementType() reflect.Type

func (AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutput 

func (i AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput

func (AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutputWithContext 

func (i AppEngineVersionIamMemberArray) ToAppEngineVersionIamMemberArrayOutputWithContext(ctx context.Context) AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberArrayInput 

type AppEngineVersionIamMemberArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput
	ToAppEngineVersionIamMemberArrayOutputWithContext(context.Context) AppEngineVersionIamMemberArrayOutput
}

AppEngineVersionIamMemberArrayInput is an input type that accepts AppEngineVersionIamMemberArray and AppEngineVersionIamMemberArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberArrayInput` via: 

AppEngineVersionIamMemberArray{ AppEngineVersionIamMemberArgs{...} }

type AppEngineVersionIamMemberArrayOutput 

type AppEngineVersionIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberArrayOutput) ElementType 

func (AppEngineVersionIamMemberArrayOutput) ElementType() reflect.Type

func (AppEngineVersionIamMemberArrayOutput) Index 

func (o AppEngineVersionIamMemberArrayOutput) Index(i pulumi.IntInput) AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutput 

func (o AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutput() AppEngineVersionIamMemberArrayOutput

func (AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutputWithContext 

func (o AppEngineVersionIamMemberArrayOutput) ToAppEngineVersionIamMemberArrayOutputWithContext(ctx context.Context) AppEngineVersionIamMemberArrayOutput

type AppEngineVersionIamMemberCondition 

type AppEngineVersionIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type AppEngineVersionIamMemberConditionArgs 

type AppEngineVersionIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (AppEngineVersionIamMemberConditionArgs) ElementType 

func (AppEngineVersionIamMemberConditionArgs) ElementType() reflect.Type

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutput 

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutputWithContext 

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutput 

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutputWithContext 

func (i AppEngineVersionIamMemberConditionArgs) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionInput 

type AppEngineVersionIamMemberConditionInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput
	ToAppEngineVersionIamMemberConditionOutputWithContext(context.Context) AppEngineVersionIamMemberConditionOutput
}

AppEngineVersionIamMemberConditionInput is an input type that accepts AppEngineVersionIamMemberConditionArgs and AppEngineVersionIamMemberConditionOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberConditionInput` via: 

AppEngineVersionIamMemberConditionArgs{...}

type AppEngineVersionIamMemberConditionOutput 

type AppEngineVersionIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberConditionOutput) Description 

func (o AppEngineVersionIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamMemberConditionOutput) ElementType 

func (AppEngineVersionIamMemberConditionOutput) ElementType() reflect.Type

func (AppEngineVersionIamMemberConditionOutput) Expression 

func (o AppEngineVersionIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamMemberConditionOutput) Title 

func (o AppEngineVersionIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutput 

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutput() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutputWithContext 

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutput 

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext 

func (o AppEngineVersionIamMemberConditionOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberConditionPtrInput 

type AppEngineVersionIamMemberConditionPtrInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput
	ToAppEngineVersionIamMemberConditionPtrOutputWithContext(context.Context) AppEngineVersionIamMemberConditionPtrOutput
}

AppEngineVersionIamMemberConditionPtrInput is an input type that accepts AppEngineVersionIamMemberConditionArgs, AppEngineVersionIamMemberConditionPtr and AppEngineVersionIamMemberConditionPtrOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberConditionPtrInput` via: 

        AppEngineVersionIamMemberConditionArgs{...}

or:

        nil

func AppEngineVersionIamMemberConditionPtr 

func AppEngineVersionIamMemberConditionPtr(v *AppEngineVersionIamMemberConditionArgs) AppEngineVersionIamMemberConditionPtrInput

type AppEngineVersionIamMemberConditionPtrOutput 

type AppEngineVersionIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberConditionPtrOutput) Description 

func (o AppEngineVersionIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** The provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (AppEngineVersionIamMemberConditionPtrOutput) Elem 

func (o AppEngineVersionIamMemberConditionPtrOutput) Elem() AppEngineVersionIamMemberConditionOutput

func (AppEngineVersionIamMemberConditionPtrOutput) ElementType 

func (AppEngineVersionIamMemberConditionPtrOutput) ElementType() reflect.Type

func (AppEngineVersionIamMemberConditionPtrOutput) Expression 

func (o AppEngineVersionIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (AppEngineVersionIamMemberConditionPtrOutput) Title 

func (o AppEngineVersionIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutput 

func (o AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutput() AppEngineVersionIamMemberConditionPtrOutput

func (AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext 

func (o AppEngineVersionIamMemberConditionPtrOutput) ToAppEngineVersionIamMemberConditionPtrOutputWithContext(ctx context.Context) AppEngineVersionIamMemberConditionPtrOutput

type AppEngineVersionIamMemberInput 

type AppEngineVersionIamMemberInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput
	ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput
}

type AppEngineVersionIamMemberMap 

type AppEngineVersionIamMemberMap map[string]AppEngineVersionIamMemberInput

func (AppEngineVersionIamMemberMap) ElementType 

func (AppEngineVersionIamMemberMap) ElementType() reflect.Type

func (AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutput 

func (i AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput

func (AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutputWithContext 

func (i AppEngineVersionIamMemberMap) ToAppEngineVersionIamMemberMapOutputWithContext(ctx context.Context) AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberMapInput 

type AppEngineVersionIamMemberMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput
	ToAppEngineVersionIamMemberMapOutputWithContext(context.Context) AppEngineVersionIamMemberMapOutput
}

AppEngineVersionIamMemberMapInput is an input type that accepts AppEngineVersionIamMemberMap and AppEngineVersionIamMemberMapOutput values. You can construct a concrete instance of `AppEngineVersionIamMemberMapInput` via: 

AppEngineVersionIamMemberMap{ "key": AppEngineVersionIamMemberArgs{...} }

type AppEngineVersionIamMemberMapOutput 

type AppEngineVersionIamMemberMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberMapOutput) ElementType 

func (AppEngineVersionIamMemberMapOutput) ElementType() reflect.Type

func (AppEngineVersionIamMemberMapOutput) MapIndex 

func (o AppEngineVersionIamMemberMapOutput) MapIndex(k pulumi.StringInput) AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutput 

func (o AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutput() AppEngineVersionIamMemberMapOutput

func (AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutputWithContext 

func (o AppEngineVersionIamMemberMapOutput) ToAppEngineVersionIamMemberMapOutputWithContext(ctx context.Context) AppEngineVersionIamMemberMapOutput

type AppEngineVersionIamMemberOutput 

type AppEngineVersionIamMemberOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamMemberOutput) AppId 

func (o AppEngineVersionIamMemberOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamMemberOutput) Condition 

func (o AppEngineVersionIamMemberOutput) Condition() AppEngineVersionIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (AppEngineVersionIamMemberOutput) ElementType 

func (AppEngineVersionIamMemberOutput) ElementType() reflect.Type

func (AppEngineVersionIamMemberOutput) Etag 

func (o AppEngineVersionIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamMemberOutput) Member 

func (o AppEngineVersionIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AppEngineVersionIamMemberOutput) Project 

func (o AppEngineVersionIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineVersionIamMemberOutput) Role 

func (o AppEngineVersionIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AppEngineVersionIamMemberOutput) Service 

func (o AppEngineVersionIamMemberOutput) Service() pulumi.StringOutput

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutput 

func (o AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutput() AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutputWithContext 

func (o AppEngineVersionIamMemberOutput) ToAppEngineVersionIamMemberOutputWithContext(ctx context.Context) AppEngineVersionIamMemberOutput

func (AppEngineVersionIamMemberOutput) VersionId 

func (o AppEngineVersionIamMemberOutput) VersionId() pulumi.StringOutput

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamMemberState 

type AppEngineVersionIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition AppEngineVersionIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.AppEngineVersionIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamMemberState) ElementType 

func (AppEngineVersionIamMemberState) ElementType() reflect.Type

type AppEngineVersionIamPolicy 

type AppEngineVersionIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringOutput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringOutput `pulumi:"versionId"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy AppEngineVersion Three different resources help you manage your IAM policy for Identity-Aware Proxy AppEngineVersion. Each of these resources serves a different use case:

* `iap.AppEngineVersionIamPolicy`: Authoritative. Sets the IAM policy for the appengineversion and replaces any existing policy already attached. * `iap.AppEngineVersionIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the appengineversion are preserved. * `iap.AppEngineVersionIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the appengineversion are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.AppEngineVersionIamPolicy`: Retrieves the IAM policy for the appengineversion

> **Note:** `iap.AppEngineVersionIamPolicy` **cannot** be used in conjunction with `iap.AppEngineVersionIamBinding` and `iap.AppEngineVersionIamMember` or they will fight over what your policy should be.

> **Note:** `iap.AppEngineVersionIamBinding` resources **can be** used in conjunction with `iap.AppEngineVersionIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.AppEngineVersionIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewAppEngineVersionIamPolicy(ctx, "policy", &iap.AppEngineVersionIamPolicyArgs{
			Project:    pulumi.Any(version.Project),
			AppId:      pulumi.Any(version.Project),
			Service:    pulumi.Any(version.Service),
			VersionId:  pulumi.Any(version.VersionId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.AppEngineVersionIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.AppEngineVersionIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}}

* {{project}}/{{appId}}/{{service}}/{{versionId}}

* {{appId}}/{{service}}/{{versionId}}

* {{version}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy appengineversion IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/appEngineVersionIamPolicy:AppEngineVersionIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}}/services/{{service}}/versions/{{versionId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAppEngineVersionIamPolicy 

func GetAppEngineVersionIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AppEngineVersionIamPolicyState, opts ...pulumi.ResourceOption) (*AppEngineVersionIamPolicy, error)

GetAppEngineVersionIamPolicy gets an existing AppEngineVersionIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAppEngineVersionIamPolicy 

func NewAppEngineVersionIamPolicy(ctx *pulumi.Context,
	name string, args *AppEngineVersionIamPolicyArgs, opts ...pulumi.ResourceOption) (*AppEngineVersionIamPolicy, error)

NewAppEngineVersionIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AppEngineVersionIamPolicy) ElementType 

func (*AppEngineVersionIamPolicy) ElementType() reflect.Type

func (*AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutput 

func (i *AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput

func (*AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutputWithContext 

func (i *AppEngineVersionIamPolicy) ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput

type AppEngineVersionIamPolicyArgs 

type AppEngineVersionIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput
}

The set of arguments for constructing a AppEngineVersionIamPolicy resource.

func (AppEngineVersionIamPolicyArgs) ElementType 

func (AppEngineVersionIamPolicyArgs) ElementType() reflect.Type

type AppEngineVersionIamPolicyArray 

type AppEngineVersionIamPolicyArray []AppEngineVersionIamPolicyInput

func (AppEngineVersionIamPolicyArray) ElementType 

func (AppEngineVersionIamPolicyArray) ElementType() reflect.Type

func (AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutput 

func (i AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput

func (AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutputWithContext 

func (i AppEngineVersionIamPolicyArray) ToAppEngineVersionIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyArrayInput 

type AppEngineVersionIamPolicyArrayInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput
	ToAppEngineVersionIamPolicyArrayOutputWithContext(context.Context) AppEngineVersionIamPolicyArrayOutput
}

AppEngineVersionIamPolicyArrayInput is an input type that accepts AppEngineVersionIamPolicyArray and AppEngineVersionIamPolicyArrayOutput values. You can construct a concrete instance of `AppEngineVersionIamPolicyArrayInput` via: 

AppEngineVersionIamPolicyArray{ AppEngineVersionIamPolicyArgs{...} }

type AppEngineVersionIamPolicyArrayOutput 

type AppEngineVersionIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyArrayOutput) ElementType 

func (AppEngineVersionIamPolicyArrayOutput) ElementType() reflect.Type

func (AppEngineVersionIamPolicyArrayOutput) Index 

func (o AppEngineVersionIamPolicyArrayOutput) Index(i pulumi.IntInput) AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutput 

func (o AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutput() AppEngineVersionIamPolicyArrayOutput

func (AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutputWithContext 

func (o AppEngineVersionIamPolicyArrayOutput) ToAppEngineVersionIamPolicyArrayOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyArrayOutput

type AppEngineVersionIamPolicyInput 

type AppEngineVersionIamPolicyInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput
	ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput
}

type AppEngineVersionIamPolicyMap 

type AppEngineVersionIamPolicyMap map[string]AppEngineVersionIamPolicyInput

func (AppEngineVersionIamPolicyMap) ElementType 

func (AppEngineVersionIamPolicyMap) ElementType() reflect.Type

func (AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutput 

func (i AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput

func (AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutputWithContext 

func (i AppEngineVersionIamPolicyMap) ToAppEngineVersionIamPolicyMapOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyMapInput 

type AppEngineVersionIamPolicyMapInput interface {
	pulumi.Input

	ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput
	ToAppEngineVersionIamPolicyMapOutputWithContext(context.Context) AppEngineVersionIamPolicyMapOutput
}

AppEngineVersionIamPolicyMapInput is an input type that accepts AppEngineVersionIamPolicyMap and AppEngineVersionIamPolicyMapOutput values. You can construct a concrete instance of `AppEngineVersionIamPolicyMapInput` via: 

AppEngineVersionIamPolicyMap{ "key": AppEngineVersionIamPolicyArgs{...} }

type AppEngineVersionIamPolicyMapOutput 

type AppEngineVersionIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyMapOutput) ElementType 

func (AppEngineVersionIamPolicyMapOutput) ElementType() reflect.Type

func (AppEngineVersionIamPolicyMapOutput) MapIndex 

func (o AppEngineVersionIamPolicyMapOutput) MapIndex(k pulumi.StringInput) AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutput 

func (o AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutput() AppEngineVersionIamPolicyMapOutput

func (AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutputWithContext 

func (o AppEngineVersionIamPolicyMapOutput) ToAppEngineVersionIamPolicyMapOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyMapOutput

type AppEngineVersionIamPolicyOutput 

type AppEngineVersionIamPolicyOutput struct{ *pulumi.OutputState }

func (AppEngineVersionIamPolicyOutput) AppId 

func (o AppEngineVersionIamPolicyOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamPolicyOutput) ElementType 

func (AppEngineVersionIamPolicyOutput) ElementType() reflect.Type

func (AppEngineVersionIamPolicyOutput) Etag 

func (o AppEngineVersionIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (AppEngineVersionIamPolicyOutput) PolicyData 

func (o AppEngineVersionIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AppEngineVersionIamPolicyOutput) Project 

func (o AppEngineVersionIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AppEngineVersionIamPolicyOutput) Service 

func (o AppEngineVersionIamPolicyOutput) Service() pulumi.StringOutput

Service id of the App Engine application Used to find the parent resource to bind the IAM policy to

func (AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutput 

func (o AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutput() AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutputWithContext 

func (o AppEngineVersionIamPolicyOutput) ToAppEngineVersionIamPolicyOutputWithContext(ctx context.Context) AppEngineVersionIamPolicyOutput

func (AppEngineVersionIamPolicyOutput) VersionId 

func (o AppEngineVersionIamPolicyOutput) VersionId() pulumi.StringOutput

Version id of the App Engine application Used to find the parent resource to bind the IAM policy to

type AppEngineVersionIamPolicyState 

type AppEngineVersionIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringPtrInput
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringPtrInput
}

func (AppEngineVersionIamPolicyState) ElementType 

func (AppEngineVersionIamPolicyState) ElementType() reflect.Type

type Brand 

type Brand struct {
	pulumi.CustomResourceState

	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringOutput `pulumi:"applicationTitle"`
	// Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}`
	// NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing.
	// NOTE: The brand identification corresponds to the project number as only one
	// brand can be created per project.
	Name pulumi.StringOutput `pulumi:"name"`
	// Whether the brand is only intended for usage inside the GSuite organization only.
	OrgInternalOnly pulumi.BoolOutput `pulumi:"orgInternalOnly"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringOutput `pulumi:"supportEmail"`
}

## Example Usage

### Iap Brand

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("my-project"),
			Name:           pulumi.String("my-project"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		projectService, err := projects.NewService(ctx, "project_service", &projects.ServiceArgs{
			Project: project.ProjectId,
			Service: pulumi.String("iap.googleapis.com"),
		})
		if err != nil {
			return err
		}
		_, err = iap.NewBrand(ctx, "project_brand", &iap.BrandArgs{
			SupportEmail:     pulumi.String("support@example.com"),
			ApplicationTitle: pulumi.String("Cloud IAP protected Application"),
			Project:          projectService.Project,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Brand can be imported using any of these accepted formats:

* `projects/{{project_id}}/brands/{{brand_id}}`

* `projects/{{project_number}}/brands/{{brand_id}}`

* `{{project_number}}/{{brand_id}}`

When using the `pulumi import` command, Brand can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:iap/brand:Brand default projects/{{project_id}}/brands/{{brand_id}} ```

```sh $ pulumi import gcp:iap/brand:Brand default projects/{{project_number}}/brands/{{brand_id}} ```

```sh $ pulumi import gcp:iap/brand:Brand default {{project_number}}/{{brand_id}} ```

func GetBrand 

func GetBrand(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *BrandState, opts ...pulumi.ResourceOption) (*Brand, error)

GetBrand gets an existing Brand resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewBrand 

func NewBrand(ctx *pulumi.Context,
	name string, args *BrandArgs, opts ...pulumi.ResourceOption) (*Brand, error)

NewBrand registers a new resource with the given unique name, arguments, and options.

func (*Brand) ElementType 

func (*Brand) ElementType() reflect.Type

func (*Brand) ToBrandOutput 

func (i *Brand) ToBrandOutput() BrandOutput

func (*Brand) ToBrandOutputWithContext 

func (i *Brand) ToBrandOutputWithContext(ctx context.Context) BrandOutput

type BrandArgs 

type BrandArgs struct {
	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringInput
}

The set of arguments for constructing a Brand resource.

func (BrandArgs) ElementType 

func (BrandArgs) ElementType() reflect.Type

type BrandArray 

type BrandArray []BrandInput

func (BrandArray) ElementType 

func (BrandArray) ElementType() reflect.Type

func (BrandArray) ToBrandArrayOutput 

func (i BrandArray) ToBrandArrayOutput() BrandArrayOutput

func (BrandArray) ToBrandArrayOutputWithContext 

func (i BrandArray) ToBrandArrayOutputWithContext(ctx context.Context) BrandArrayOutput

type BrandArrayInput 

type BrandArrayInput interface {
	pulumi.Input

	ToBrandArrayOutput() BrandArrayOutput
	ToBrandArrayOutputWithContext(context.Context) BrandArrayOutput
}

BrandArrayInput is an input type that accepts BrandArray and BrandArrayOutput values. You can construct a concrete instance of `BrandArrayInput` via: 

BrandArray{ BrandArgs{...} }

type BrandArrayOutput 

type BrandArrayOutput struct{ *pulumi.OutputState }

func (BrandArrayOutput) ElementType 

func (BrandArrayOutput) ElementType() reflect.Type

func (BrandArrayOutput) Index 

func (o BrandArrayOutput) Index(i pulumi.IntInput) BrandOutput

func (BrandArrayOutput) ToBrandArrayOutput 

func (o BrandArrayOutput) ToBrandArrayOutput() BrandArrayOutput

func (BrandArrayOutput) ToBrandArrayOutputWithContext 

func (o BrandArrayOutput) ToBrandArrayOutputWithContext(ctx context.Context) BrandArrayOutput

type BrandInput 

type BrandInput interface {
	pulumi.Input

	ToBrandOutput() BrandOutput
	ToBrandOutputWithContext(ctx context.Context) BrandOutput
}

type BrandMap 

type BrandMap map[string]BrandInput

func (BrandMap) ElementType 

func (BrandMap) ElementType() reflect.Type

func (BrandMap) ToBrandMapOutput 

func (i BrandMap) ToBrandMapOutput() BrandMapOutput

func (BrandMap) ToBrandMapOutputWithContext 

func (i BrandMap) ToBrandMapOutputWithContext(ctx context.Context) BrandMapOutput

type BrandMapInput 

type BrandMapInput interface {
	pulumi.Input

	ToBrandMapOutput() BrandMapOutput
	ToBrandMapOutputWithContext(context.Context) BrandMapOutput
}

BrandMapInput is an input type that accepts BrandMap and BrandMapOutput values. You can construct a concrete instance of `BrandMapInput` via: 

BrandMap{ "key": BrandArgs{...} }

type BrandMapOutput 

type BrandMapOutput struct{ *pulumi.OutputState }

func (BrandMapOutput) ElementType 

func (BrandMapOutput) ElementType() reflect.Type

func (BrandMapOutput) MapIndex 

func (o BrandMapOutput) MapIndex(k pulumi.StringInput) BrandOutput

func (BrandMapOutput) ToBrandMapOutput 

func (o BrandMapOutput) ToBrandMapOutput() BrandMapOutput

func (BrandMapOutput) ToBrandMapOutputWithContext 

func (o BrandMapOutput) ToBrandMapOutputWithContext(ctx context.Context) BrandMapOutput

type BrandOutput 

type BrandOutput struct{ *pulumi.OutputState }

func (BrandOutput) ApplicationTitle 

func (o BrandOutput) ApplicationTitle() pulumi.StringOutput

Application name displayed on OAuth consent screen.

***

func (BrandOutput) ElementType 

func (BrandOutput) ElementType() reflect.Type

func (BrandOutput) Name 

func (o BrandOutput) Name() pulumi.StringOutput

Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}` NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing. NOTE: The brand identification corresponds to the project number as only one brand can be created per project.

func (BrandOutput) OrgInternalOnly 

func (o BrandOutput) OrgInternalOnly() pulumi.BoolOutput

Whether the brand is only intended for usage inside the GSuite organization only.

func (BrandOutput) Project 

func (o BrandOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

func (BrandOutput) SupportEmail 

func (o BrandOutput) SupportEmail() pulumi.StringOutput

Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

func (BrandOutput) ToBrandOutput 

func (o BrandOutput) ToBrandOutput() BrandOutput

func (BrandOutput) ToBrandOutputWithContext 

func (o BrandOutput) ToBrandOutputWithContext(ctx context.Context) BrandOutput

type BrandState 

type BrandState struct {
	// Application name displayed on OAuth consent screen.
	//
	// ***
	ApplicationTitle pulumi.StringPtrInput
	// Output only. Identifier of the brand, in the format `projects/{project_number}/brands/{brand_id}`
	// NOTE: The name can also be expressed as `projects/{project_id}/brands/{brand_id}`, e.g. when importing.
	// NOTE: The brand identification corresponds to the project number as only one
	// brand can be created per project.
	Name pulumi.StringPtrInput
	// Whether the brand is only intended for usage inside the GSuite organization only.
	OrgInternalOnly pulumi.BoolPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// Support email displayed on the OAuth consent screen. Can be either a
	// user or group email. When a user email is specified, the caller must
	// be the user with the associated email address. When a group email is
	// specified, the caller can be either a user or a service account which
	// is an owner of the specified group in Cloud Identity.
	SupportEmail pulumi.StringPtrInput
}

func (BrandState) ElementType 

func (BrandState) ElementType() reflect.Type

type Client 

type Client struct {
	pulumi.CustomResourceState

	// Identifier of the brand to which this client
	// is attached to. The format is
	// `projects/{project_number}/brands/{brand_id}`.
	//
	// ***
	Brand pulumi.StringOutput `pulumi:"brand"`
	// Output only. Unique identifier of the OAuth client.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringOutput `pulumi:"displayName"`
	// Output only. Client secret of the OAuth client.
	// **Note**: This property is sensitive and will not be displayed in the plan.
	Secret pulumi.StringOutput `pulumi:"secret"`
}

Contains the data that describes an Identity Aware Proxy owned client.

> **Note:** Only internal org clients can be created via declarative tools. External clients must be manually created via the GCP console. This restriction is due to the existing APIs and not lack of support in this tool.

To get more information about Client, see:

* [API documentation](https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients) * How-to Guides

## Example Usage

### Iap Client

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
			ProjectId:      pulumi.String("my-project"),
			Name:           pulumi.String("my-project"),
			OrgId:          pulumi.String("123456789"),
			DeletionPolicy: pulumi.String("DELETE"),
		})
		if err != nil {
			return err
		}
		projectService, err := projects.NewService(ctx, "project_service", &projects.ServiceArgs{
			Project: project.ProjectId,
			Service: pulumi.String("iap.googleapis.com"),
		})
		if err != nil {
			return err
		}
		projectBrand, err := iap.NewBrand(ctx, "project_brand", &iap.BrandArgs{
			SupportEmail:     pulumi.String("support@example.com"),
			ApplicationTitle: pulumi.String("Cloud IAP protected Application"),
			Project:          projectService.Project,
		})
		if err != nil {
			return err
		}
		_, err = iap.NewClient(ctx, "project_client", &iap.ClientArgs{
			DisplayName: pulumi.String("Test Client"),
			Brand:       projectBrand.Name,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Client can be imported using any of these accepted formats:

* `{{brand}}/identityAwareProxyClients/{{client_id}}`

* `{{brand}}/{{client_id}}`

When using the `pulumi import` command, Client can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:iap/client:Client default {{brand}}/identityAwareProxyClients/{{client_id}} ```

```sh $ pulumi import gcp:iap/client:Client default {{brand}}/{{client_id}} ```

func GetClient 

func GetClient(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ClientState, opts ...pulumi.ResourceOption) (*Client, error)

GetClient gets an existing Client resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewClient 

func NewClient(ctx *pulumi.Context,
	name string, args *ClientArgs, opts ...pulumi.ResourceOption) (*Client, error)

NewClient registers a new resource with the given unique name, arguments, and options.

func (*Client) ElementType 

func (*Client) ElementType() reflect.Type

func (*Client) ToClientOutput 

func (i *Client) ToClientOutput() ClientOutput

func (*Client) ToClientOutputWithContext 

func (i *Client) ToClientOutputWithContext(ctx context.Context) ClientOutput

type ClientArgs 

type ClientArgs struct {
	// Identifier of the brand to which this client
	// is attached to. The format is
	// `projects/{project_number}/brands/{brand_id}`.
	//
	// ***
	Brand pulumi.StringInput
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringInput
}

The set of arguments for constructing a Client resource.

func (ClientArgs) ElementType 

func (ClientArgs) ElementType() reflect.Type

type ClientArray 

type ClientArray []ClientInput

func (ClientArray) ElementType 

func (ClientArray) ElementType() reflect.Type

func (ClientArray) ToClientArrayOutput 

func (i ClientArray) ToClientArrayOutput() ClientArrayOutput

func (ClientArray) ToClientArrayOutputWithContext 

func (i ClientArray) ToClientArrayOutputWithContext(ctx context.Context) ClientArrayOutput

type ClientArrayInput 

type ClientArrayInput interface {
	pulumi.Input

	ToClientArrayOutput() ClientArrayOutput
	ToClientArrayOutputWithContext(context.Context) ClientArrayOutput
}

ClientArrayInput is an input type that accepts ClientArray and ClientArrayOutput values. You can construct a concrete instance of `ClientArrayInput` via: 

ClientArray{ ClientArgs{...} }

type ClientArrayOutput 

type ClientArrayOutput struct{ *pulumi.OutputState }

func (ClientArrayOutput) ElementType 

func (ClientArrayOutput) ElementType() reflect.Type

func (ClientArrayOutput) Index 

func (o ClientArrayOutput) Index(i pulumi.IntInput) ClientOutput

func (ClientArrayOutput) ToClientArrayOutput 

func (o ClientArrayOutput) ToClientArrayOutput() ClientArrayOutput

func (ClientArrayOutput) ToClientArrayOutputWithContext 

func (o ClientArrayOutput) ToClientArrayOutputWithContext(ctx context.Context) ClientArrayOutput

type ClientInput 

type ClientInput interface {
	pulumi.Input

	ToClientOutput() ClientOutput
	ToClientOutputWithContext(ctx context.Context) ClientOutput
}

type ClientMap 

type ClientMap map[string]ClientInput

func (ClientMap) ElementType 

func (ClientMap) ElementType() reflect.Type

func (ClientMap) ToClientMapOutput 

func (i ClientMap) ToClientMapOutput() ClientMapOutput

func (ClientMap) ToClientMapOutputWithContext 

func (i ClientMap) ToClientMapOutputWithContext(ctx context.Context) ClientMapOutput

type ClientMapInput 

type ClientMapInput interface {
	pulumi.Input

	ToClientMapOutput() ClientMapOutput
	ToClientMapOutputWithContext(context.Context) ClientMapOutput
}

ClientMapInput is an input type that accepts ClientMap and ClientMapOutput values. You can construct a concrete instance of `ClientMapInput` via: 

ClientMap{ "key": ClientArgs{...} }

type ClientMapOutput 

type ClientMapOutput struct{ *pulumi.OutputState }

func (ClientMapOutput) ElementType 

func (ClientMapOutput) ElementType() reflect.Type

func (ClientMapOutput) MapIndex 

func (o ClientMapOutput) MapIndex(k pulumi.StringInput) ClientOutput

func (ClientMapOutput) ToClientMapOutput 

func (o ClientMapOutput) ToClientMapOutput() ClientMapOutput

func (ClientMapOutput) ToClientMapOutputWithContext 

func (o ClientMapOutput) ToClientMapOutputWithContext(ctx context.Context) ClientMapOutput

type ClientOutput 

type ClientOutput struct{ *pulumi.OutputState }

func (ClientOutput) Brand 

func (o ClientOutput) Brand() pulumi.StringOutput

Identifier of the brand to which this client is attached to. The format is `projects/{project_number}/brands/{brand_id}`.

***

func (ClientOutput) ClientId 

func (o ClientOutput) ClientId() pulumi.StringOutput

Output only. Unique identifier of the OAuth client.

func (ClientOutput) DisplayName 

func (o ClientOutput) DisplayName() pulumi.StringOutput

Human-friendly name given to the OAuth client.

func (ClientOutput) ElementType 

func (ClientOutput) ElementType() reflect.Type

func (ClientOutput) Secret 

func (o ClientOutput) Secret() pulumi.StringOutput

Output only. Client secret of the OAuth client. **Note**: This property is sensitive and will not be displayed in the plan.

func (ClientOutput) ToClientOutput 

func (o ClientOutput) ToClientOutput() ClientOutput

func (ClientOutput) ToClientOutputWithContext 

func (o ClientOutput) ToClientOutputWithContext(ctx context.Context) ClientOutput

type ClientState 

type ClientState struct {
	// Identifier of the brand to which this client
	// is attached to. The format is
	// `projects/{project_number}/brands/{brand_id}`.
	//
	// ***
	Brand pulumi.StringPtrInput
	// Output only. Unique identifier of the OAuth client.
	ClientId pulumi.StringPtrInput
	// Human-friendly name given to the OAuth client.
	DisplayName pulumi.StringPtrInput
	// Output only. Client secret of the OAuth client.
	// **Note**: This property is sensitive and will not be displayed in the plan.
	Secret pulumi.StringPtrInput
}

func (ClientState) ElementType 

func (ClientState) ElementType() reflect.Type

type GetTunnelInstanceIamPolicyArgs 

type GetTunnelInstanceIamPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Instance string `pulumi:"instance"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	Zone    *string `pulumi:"zone"`
}

A collection of arguments for invoking getTunnelInstanceIamPolicy.

type GetTunnelInstanceIamPolicyOutputArgs 

type GetTunnelInstanceIamPolicyOutputArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput `pulumi:"instance"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	Zone    pulumi.StringPtrInput `pulumi:"zone"`
}

A collection of arguments for invoking getTunnelInstanceIamPolicy.

func (GetTunnelInstanceIamPolicyOutputArgs) ElementType 

func (GetTunnelInstanceIamPolicyOutputArgs) ElementType() reflect.Type

type GetTunnelInstanceIamPolicyResult 

type GetTunnelInstanceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id       string `pulumi:"id"`
	Instance string `pulumi:"instance"`
	// (Required only by `iap.TunnelInstanceIAMPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Zone       string `pulumi:"zone"`
}

A collection of values returned by getTunnelInstanceIamPolicy.

func GetTunnelInstanceIamPolicy 

func GetTunnelInstanceIamPolicy(ctx *pulumi.Context, args *GetTunnelInstanceIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetTunnelInstanceIamPolicyResult, error)

Retrieves the current IAM policy data for tunnelinstance

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.GetTunnelInstanceIamPolicy(ctx, &iap.GetTunnelInstanceIamPolicyArgs{
			Project:  pulumi.StringRef(tunnelvm.Project),
			Zone:     pulumi.StringRef(tunnelvm.Zone),
			Instance: tunnelvm.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type GetTunnelInstanceIamPolicyResultOutput 

type GetTunnelInstanceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelInstanceIamPolicy.

func GetTunnelInstanceIamPolicyOutput 

func GetTunnelInstanceIamPolicyOutput(ctx *pulumi.Context, args GetTunnelInstanceIamPolicyOutputArgs, opts ...pulumi.InvokeOption) GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) ElementType 

func (GetTunnelInstanceIamPolicyResultOutput) ElementType() reflect.Type

func (GetTunnelInstanceIamPolicyResultOutput) Etag 

func (o GetTunnelInstanceIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (GetTunnelInstanceIamPolicyResultOutput) Id 

func (o GetTunnelInstanceIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetTunnelInstanceIamPolicyResultOutput) Instance 

func (o GetTunnelInstanceIamPolicyResultOutput) Instance() pulumi.StringOutput

func (GetTunnelInstanceIamPolicyResultOutput) PolicyData 

func (o GetTunnelInstanceIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.TunnelInstanceIAMPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (GetTunnelInstanceIamPolicyResultOutput) Project 

func (o GetTunnelInstanceIamPolicyResultOutput) Project() pulumi.StringOutput

func (GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutput 

func (o GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutput() GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutputWithContext 

func (o GetTunnelInstanceIamPolicyResultOutput) ToGetTunnelInstanceIamPolicyResultOutputWithContext(ctx context.Context) GetTunnelInstanceIamPolicyResultOutput

func (GetTunnelInstanceIamPolicyResultOutput) Zone 

func (o GetTunnelInstanceIamPolicyResultOutput) Zone() pulumi.StringOutput

type GetWebTypeAppEngineIamPolicyArgs 

type GetWebTypeAppEngineIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId string `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeAppEngineIamPolicy.

type GetWebTypeAppEngineIamPolicyOutputArgs 

type GetWebTypeAppEngineIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeAppEngineIamPolicy.

func (GetWebTypeAppEngineIamPolicyOutputArgs) ElementType 

func (GetWebTypeAppEngineIamPolicyOutputArgs) ElementType() reflect.Type

type GetWebTypeAppEngineIamPolicyResult 

type GetWebTypeAppEngineIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebTypeAppEngingIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebTypeAppEngineIamPolicy.

func GetWebTypeAppEngineIamPolicy 

func GetWebTypeAppEngineIamPolicy(ctx *pulumi.Context, args *GetWebTypeAppEngineIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetWebTypeAppEngineIamPolicyResult, error)

Retrieves the current IAM policy data for webtypeappengine

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.GetWebTypeAppEngineIamPolicy(ctx, &iap.GetWebTypeAppEngineIamPolicyArgs{
			Project: pulumi.StringRef(app.Project),
			AppId:   app.AppId,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type GetWebTypeAppEngineIamPolicyResultOutput 

type GetWebTypeAppEngineIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebTypeAppEngineIamPolicy.

func GetWebTypeAppEngineIamPolicyOutput 

func GetWebTypeAppEngineIamPolicyOutput(ctx *pulumi.Context, args GetWebTypeAppEngineIamPolicyOutputArgs, opts ...pulumi.InvokeOption) GetWebTypeAppEngineIamPolicyResultOutput

func (GetWebTypeAppEngineIamPolicyResultOutput) AppId 

func (o GetWebTypeAppEngineIamPolicyResultOutput) AppId() pulumi.StringOutput

func (GetWebTypeAppEngineIamPolicyResultOutput) ElementType 

func (GetWebTypeAppEngineIamPolicyResultOutput) ElementType() reflect.Type

func (GetWebTypeAppEngineIamPolicyResultOutput) Etag 

func (o GetWebTypeAppEngineIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (GetWebTypeAppEngineIamPolicyResultOutput) Id 

func (o GetWebTypeAppEngineIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetWebTypeAppEngineIamPolicyResultOutput) PolicyData 

func (o GetWebTypeAppEngineIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.WebTypeAppEngingIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (GetWebTypeAppEngineIamPolicyResultOutput) Project 

func (o GetWebTypeAppEngineIamPolicyResultOutput) Project() pulumi.StringOutput

func (GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutput 

func (o GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutput() GetWebTypeAppEngineIamPolicyResultOutput

func (GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutputWithContext 

func (o GetWebTypeAppEngineIamPolicyResultOutput) ToGetWebTypeAppEngineIamPolicyResultOutputWithContext(ctx context.Context) GetWebTypeAppEngineIamPolicyResultOutput

type LookupAppEngineServiceIamPolicyArgs 

type LookupAppEngineServiceIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId string `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service string `pulumi:"service"`
}

A collection of arguments for invoking getAppEngineServiceIamPolicy.

type LookupAppEngineServiceIamPolicyOutputArgs 

type LookupAppEngineServiceIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput `pulumi:"service"`
}

A collection of arguments for invoking getAppEngineServiceIamPolicy.

func (LookupAppEngineServiceIamPolicyOutputArgs) ElementType 

func (LookupAppEngineServiceIamPolicyOutputArgs) ElementType() reflect.Type

type LookupAppEngineServiceIamPolicyResult 

type LookupAppEngineServiceIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.AppEngineServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Service    string `pulumi:"service"`
}

A collection of values returned by getAppEngineServiceIamPolicy.

func LookupAppEngineServiceIamPolicy 

func LookupAppEngineServiceIamPolicy(ctx *pulumi.Context, args *LookupAppEngineServiceIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupAppEngineServiceIamPolicyResult, error)

Retrieves the current IAM policy data for appengineservice

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupAppEngineServiceIamPolicy(ctx, &iap.LookupAppEngineServiceIamPolicyArgs{
			Project: pulumi.StringRef(version.Project),
			AppId:   version.Project,
			Service: version.Service,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAppEngineServiceIamPolicyResultOutput 

type LookupAppEngineServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAppEngineServiceIamPolicy.

func LookupAppEngineServiceIamPolicyOutput 

func LookupAppEngineServiceIamPolicyOutput(ctx *pulumi.Context, args LookupAppEngineServiceIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupAppEngineServiceIamPolicyResultOutput

func (LookupAppEngineServiceIamPolicyResultOutput) AppId 

func (o LookupAppEngineServiceIamPolicyResultOutput) AppId() pulumi.StringOutput

func (LookupAppEngineServiceIamPolicyResultOutput) ElementType 

func (LookupAppEngineServiceIamPolicyResultOutput) ElementType() reflect.Type

func (LookupAppEngineServiceIamPolicyResultOutput) Etag 

func (o LookupAppEngineServiceIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupAppEngineServiceIamPolicyResultOutput) Id 

func (o LookupAppEngineServiceIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupAppEngineServiceIamPolicyResultOutput) PolicyData 

func (o LookupAppEngineServiceIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.AppEngineServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAppEngineServiceIamPolicyResultOutput) Project 

func (o LookupAppEngineServiceIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupAppEngineServiceIamPolicyResultOutput) Service 

func (o LookupAppEngineServiceIamPolicyResultOutput) Service() pulumi.StringOutput

func (LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutput 

func (o LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutput() LookupAppEngineServiceIamPolicyResultOutput

func (LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutputWithContext 

func (o LookupAppEngineServiceIamPolicyResultOutput) ToLookupAppEngineServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupAppEngineServiceIamPolicyResultOutput

type LookupAppEngineVersionIamPolicyArgs 

type LookupAppEngineVersionIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId string `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service string `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId string `pulumi:"versionId"`
}

A collection of arguments for invoking getAppEngineVersionIamPolicy.

type LookupAppEngineVersionIamPolicyOutputArgs 

type LookupAppEngineVersionIamPolicyOutputArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput `pulumi:"appId"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Service id of the App Engine application Used to find the parent resource to bind the IAM policy to
	Service pulumi.StringInput `pulumi:"service"`
	// Version id of the App Engine application Used to find the parent resource to bind the IAM policy to
	VersionId pulumi.StringInput `pulumi:"versionId"`
}

A collection of arguments for invoking getAppEngineVersionIamPolicy.

func (LookupAppEngineVersionIamPolicyOutputArgs) ElementType 

func (LookupAppEngineVersionIamPolicyOutputArgs) ElementType() reflect.Type

type LookupAppEngineVersionIamPolicyResult 

type LookupAppEngineVersionIamPolicyResult struct {
	AppId string `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.AppEngineVersionIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Service    string `pulumi:"service"`
	VersionId  string `pulumi:"versionId"`
}

A collection of values returned by getAppEngineVersionIamPolicy.

func LookupAppEngineVersionIamPolicy 

func LookupAppEngineVersionIamPolicy(ctx *pulumi.Context, args *LookupAppEngineVersionIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupAppEngineVersionIamPolicyResult, error)

Retrieves the current IAM policy data for appengineversion

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupAppEngineVersionIamPolicy(ctx, &iap.LookupAppEngineVersionIamPolicyArgs{
			Project:   pulumi.StringRef(version.Project),
			AppId:     version.Project,
			Service:   version.Service,
			VersionId: version.VersionId,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAppEngineVersionIamPolicyResultOutput 

type LookupAppEngineVersionIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAppEngineVersionIamPolicy.

func LookupAppEngineVersionIamPolicyOutput 

func LookupAppEngineVersionIamPolicyOutput(ctx *pulumi.Context, args LookupAppEngineVersionIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) AppId 

func (o LookupAppEngineVersionIamPolicyResultOutput) AppId() pulumi.StringOutput

func (LookupAppEngineVersionIamPolicyResultOutput) ElementType 

func (LookupAppEngineVersionIamPolicyResultOutput) ElementType() reflect.Type

func (LookupAppEngineVersionIamPolicyResultOutput) Etag 

func (o LookupAppEngineVersionIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupAppEngineVersionIamPolicyResultOutput) Id 

func (o LookupAppEngineVersionIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupAppEngineVersionIamPolicyResultOutput) PolicyData 

func (o LookupAppEngineVersionIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.AppEngineVersionIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAppEngineVersionIamPolicyResultOutput) Project 

func (o LookupAppEngineVersionIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupAppEngineVersionIamPolicyResultOutput) Service 

func (o LookupAppEngineVersionIamPolicyResultOutput) Service() pulumi.StringOutput

func (LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutput 

func (o LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutput() LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutputWithContext 

func (o LookupAppEngineVersionIamPolicyResultOutput) ToLookupAppEngineVersionIamPolicyResultOutputWithContext(ctx context.Context) LookupAppEngineVersionIamPolicyResultOutput

func (LookupAppEngineVersionIamPolicyResultOutput) VersionId 

func (o LookupAppEngineVersionIamPolicyResultOutput) VersionId() pulumi.StringOutput

type LookupClientArgs 

type LookupClientArgs struct {
	// The name of the brand.
	Brand string `pulumi:"brand"`
	// The clientId of the brand.
	ClientId string `pulumi:"clientId"`
}

A collection of arguments for invoking getClient.

type LookupClientOutputArgs 

type LookupClientOutputArgs struct {
	// The name of the brand.
	Brand pulumi.StringInput `pulumi:"brand"`
	// The clientId of the brand.
	ClientId pulumi.StringInput `pulumi:"clientId"`
}

A collection of arguments for invoking getClient.

func (LookupClientOutputArgs) ElementType 

func (LookupClientOutputArgs) ElementType() reflect.Type

type LookupClientResult 

type LookupClientResult struct {
	Brand       string `pulumi:"brand"`
	ClientId    string `pulumi:"clientId"`
	DisplayName string `pulumi:"displayName"`
	// The provider-assigned unique ID for this managed resource.
	Id     string `pulumi:"id"`
	Secret string `pulumi:"secret"`
}

A collection of values returned by getClient.

func LookupClient 

func LookupClient(ctx *pulumi.Context, args *LookupClientArgs, opts ...pulumi.InvokeOption) (*LookupClientResult, error)

Get info about a Google Cloud IAP Client.

## Example Usage

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{
			ProjectId: pulumi.StringRef("foobar"),
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.LookupClient(ctx, &iap.LookupClientArgs{
			Brand:    fmt.Sprintf("projects/%v/brands/[BRAND_NUMBER]", project.Number),
			ClientId: apps.Googleusercontent.Com,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupClientResultOutput 

type LookupClientResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getClient.

func LookupClientOutput 

func LookupClientOutput(ctx *pulumi.Context, args LookupClientOutputArgs, opts ...pulumi.InvokeOption) LookupClientResultOutput

func (LookupClientResultOutput) Brand 

func (o LookupClientResultOutput) Brand() pulumi.StringOutput

func (LookupClientResultOutput) ClientId 

func (o LookupClientResultOutput) ClientId() pulumi.StringOutput

func (LookupClientResultOutput) DisplayName 

func (o LookupClientResultOutput) DisplayName() pulumi.StringOutput

func (LookupClientResultOutput) ElementType 

func (LookupClientResultOutput) ElementType() reflect.Type

func (LookupClientResultOutput) Id 

func (o LookupClientResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupClientResultOutput) Secret 

func (o LookupClientResultOutput) Secret() pulumi.StringOutput

func (LookupClientResultOutput) ToLookupClientResultOutput 

func (o LookupClientResultOutput) ToLookupClientResultOutput() LookupClientResultOutput

func (LookupClientResultOutput) ToLookupClientResultOutputWithContext 

func (o LookupClientResultOutput) ToLookupClientResultOutputWithContext(ctx context.Context) LookupClientResultOutput

type LookupTunnelDestGroupIamPolicyArgs 

type LookupTunnelDestGroupIamPolicyArgs struct {
	DestGroup string `pulumi:"destGroup"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region *string `pulumi:"region"`
}

A collection of arguments for invoking getTunnelDestGroupIamPolicy.

type LookupTunnelDestGroupIamPolicyOutputArgs 

type LookupTunnelDestGroupIamPolicyOutputArgs struct {
	DestGroup pulumi.StringInput `pulumi:"destGroup"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput `pulumi:"region"`
}

A collection of arguments for invoking getTunnelDestGroupIamPolicy.

func (LookupTunnelDestGroupIamPolicyOutputArgs) ElementType 

func (LookupTunnelDestGroupIamPolicyOutputArgs) ElementType() reflect.Type

type LookupTunnelDestGroupIamPolicyResult 

type LookupTunnelDestGroupIamPolicyResult struct {
	DestGroup string `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.TunnelDestGroupIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
	Region     string `pulumi:"region"`
}

A collection of values returned by getTunnelDestGroupIamPolicy.

func LookupTunnelDestGroupIamPolicy 

func LookupTunnelDestGroupIamPolicy(ctx *pulumi.Context, args *LookupTunnelDestGroupIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupTunnelDestGroupIamPolicyResult, error)

Retrieves the current IAM policy data for tunneldestgroup

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupTunnelDestGroupIamPolicy(ctx, &iap.LookupTunnelDestGroupIamPolicyArgs{
			Project:   pulumi.StringRef(destGroup.Project),
			Region:    pulumi.StringRef(destGroup.Region),
			DestGroup: destGroup.GroupName,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupTunnelDestGroupIamPolicyResultOutput 

type LookupTunnelDestGroupIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelDestGroupIamPolicy.

func LookupTunnelDestGroupIamPolicyOutput 

func LookupTunnelDestGroupIamPolicyOutput(ctx *pulumi.Context, args LookupTunnelDestGroupIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupTunnelDestGroupIamPolicyResultOutput

func (LookupTunnelDestGroupIamPolicyResultOutput) DestGroup 

func (o LookupTunnelDestGroupIamPolicyResultOutput) DestGroup() pulumi.StringOutput

func (LookupTunnelDestGroupIamPolicyResultOutput) ElementType 

func (LookupTunnelDestGroupIamPolicyResultOutput) ElementType() reflect.Type

func (LookupTunnelDestGroupIamPolicyResultOutput) Etag 

func (o LookupTunnelDestGroupIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupTunnelDestGroupIamPolicyResultOutput) Id 

func (o LookupTunnelDestGroupIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupTunnelDestGroupIamPolicyResultOutput) PolicyData 

func (o LookupTunnelDestGroupIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.TunnelDestGroupIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupTunnelDestGroupIamPolicyResultOutput) Project 

func (o LookupTunnelDestGroupIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupTunnelDestGroupIamPolicyResultOutput) Region 

func (o LookupTunnelDestGroupIamPolicyResultOutput) Region() pulumi.StringOutput

func (LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutput 

func (o LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutput() LookupTunnelDestGroupIamPolicyResultOutput

func (LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutputWithContext 

func (o LookupTunnelDestGroupIamPolicyResultOutput) ToLookupTunnelDestGroupIamPolicyResultOutputWithContext(ctx context.Context) LookupTunnelDestGroupIamPolicyResultOutput

type LookupTunnelIamPolicyArgs 

type LookupTunnelIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getTunnelIamPolicy.

type LookupTunnelIamPolicyOutputArgs 

type LookupTunnelIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getTunnelIamPolicy.

func (LookupTunnelIamPolicyOutputArgs) ElementType 

func (LookupTunnelIamPolicyOutputArgs) ElementType() reflect.Type

type LookupTunnelIamPolicyResult 

type LookupTunnelIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.TunnelIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getTunnelIamPolicy.

func LookupTunnelIamPolicy 

func LookupTunnelIamPolicy(ctx *pulumi.Context, args *LookupTunnelIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupTunnelIamPolicyResult, error)

Retrieves the current IAM policy data for tunnel

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupTunnelIamPolicy(ctx, &iap.LookupTunnelIamPolicyArgs{
			Project: pulumi.StringRef(projectService.Project),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupTunnelIamPolicyResultOutput 

type LookupTunnelIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getTunnelIamPolicy.

func LookupTunnelIamPolicyOutput 

func LookupTunnelIamPolicyOutput(ctx *pulumi.Context, args LookupTunnelIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupTunnelIamPolicyResultOutput

func (LookupTunnelIamPolicyResultOutput) ElementType 

func (LookupTunnelIamPolicyResultOutput) ElementType() reflect.Type

func (LookupTunnelIamPolicyResultOutput) Etag 

func (o LookupTunnelIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupTunnelIamPolicyResultOutput) Id 

func (o LookupTunnelIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupTunnelIamPolicyResultOutput) PolicyData 

func (o LookupTunnelIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.TunnelIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupTunnelIamPolicyResultOutput) Project 

func (o LookupTunnelIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutput 

func (o LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutput() LookupTunnelIamPolicyResultOutput

func (LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutputWithContext 

func (o LookupTunnelIamPolicyResultOutput) ToLookupTunnelIamPolicyResultOutputWithContext(ctx context.Context) LookupTunnelIamPolicyResultOutput

type LookupWebBackendServiceIamPolicyArgs 

type LookupWebBackendServiceIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService string `pulumi:"webBackendService"`
}

A collection of arguments for invoking getWebBackendServiceIamPolicy.

type LookupWebBackendServiceIamPolicyOutputArgs 

type LookupWebBackendServiceIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput `pulumi:"webBackendService"`
}

A collection of arguments for invoking getWebBackendServiceIamPolicy.

func (LookupWebBackendServiceIamPolicyOutputArgs) ElementType 

func (LookupWebBackendServiceIamPolicyOutputArgs) ElementType() reflect.Type

type LookupWebBackendServiceIamPolicyResult 

type LookupWebBackendServiceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebBackendServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData        string `pulumi:"policyData"`
	Project           string `pulumi:"project"`
	WebBackendService string `pulumi:"webBackendService"`
}

A collection of values returned by getWebBackendServiceIamPolicy.

func LookupWebBackendServiceIamPolicy 

func LookupWebBackendServiceIamPolicy(ctx *pulumi.Context, args *LookupWebBackendServiceIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupWebBackendServiceIamPolicyResult, error)

Retrieves the current IAM policy data for webbackendservice

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebBackendServiceIamPolicy(ctx, &iap.LookupWebBackendServiceIamPolicyArgs{
			Project:           pulumi.StringRef(_default.Project),
			WebBackendService: _default.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebBackendServiceIamPolicyResultOutput 

type LookupWebBackendServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebBackendServiceIamPolicy.

func LookupWebBackendServiceIamPolicyOutput 

func LookupWebBackendServiceIamPolicyOutput(ctx *pulumi.Context, args LookupWebBackendServiceIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) ElementType 

func (LookupWebBackendServiceIamPolicyResultOutput) ElementType() reflect.Type

func (LookupWebBackendServiceIamPolicyResultOutput) Etag 

func (o LookupWebBackendServiceIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupWebBackendServiceIamPolicyResultOutput) Id 

func (o LookupWebBackendServiceIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupWebBackendServiceIamPolicyResultOutput) PolicyData 

func (o LookupWebBackendServiceIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.WebBackendServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebBackendServiceIamPolicyResultOutput) Project 

func (o LookupWebBackendServiceIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutput 

func (o LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutput() LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutputWithContext 

func (o LookupWebBackendServiceIamPolicyResultOutput) ToLookupWebBackendServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupWebBackendServiceIamPolicyResultOutput

func (LookupWebBackendServiceIamPolicyResultOutput) WebBackendService 

func (o LookupWebBackendServiceIamPolicyResultOutput) WebBackendService() pulumi.StringOutput

type LookupWebIamPolicyArgs 

type LookupWebIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebIamPolicy.

type LookupWebIamPolicyOutputArgs 

type LookupWebIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebIamPolicy.

func (LookupWebIamPolicyOutputArgs) ElementType 

func (LookupWebIamPolicyOutputArgs) ElementType() reflect.Type

type LookupWebIamPolicyResult 

type LookupWebIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebIamPolicy.

func LookupWebIamPolicy 

func LookupWebIamPolicy(ctx *pulumi.Context, args *LookupWebIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupWebIamPolicyResult, error)

Retrieves the current IAM policy data for web

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebIamPolicy(ctx, &iap.LookupWebIamPolicyArgs{
			Project: pulumi.StringRef(projectService.Project),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebIamPolicyResultOutput 

type LookupWebIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebIamPolicy.

func LookupWebIamPolicyOutput 

func LookupWebIamPolicyOutput(ctx *pulumi.Context, args LookupWebIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupWebIamPolicyResultOutput

func (LookupWebIamPolicyResultOutput) ElementType 

func (LookupWebIamPolicyResultOutput) ElementType() reflect.Type

func (LookupWebIamPolicyResultOutput) Etag 

func (o LookupWebIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupWebIamPolicyResultOutput) Id 

func (o LookupWebIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupWebIamPolicyResultOutput) PolicyData 

func (o LookupWebIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.WebIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebIamPolicyResultOutput) Project 

func (o LookupWebIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutput 

func (o LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutput() LookupWebIamPolicyResultOutput

func (LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutputWithContext 

func (o LookupWebIamPolicyResultOutput) ToLookupWebIamPolicyResultOutputWithContext(ctx context.Context) LookupWebIamPolicyResultOutput

type LookupWebRegionBackendServiceIamPolicyArgs 

type LookupWebRegionBackendServiceIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
	Region  *string `pulumi:"region"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService string `pulumi:"webRegionBackendService"`
}

A collection of arguments for invoking getWebRegionBackendServiceIamPolicy.

type LookupWebRegionBackendServiceIamPolicyOutputArgs 

type LookupWebRegionBackendServiceIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
	Region  pulumi.StringPtrInput `pulumi:"region"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput `pulumi:"webRegionBackendService"`
}

A collection of arguments for invoking getWebRegionBackendServiceIamPolicy.

func (LookupWebRegionBackendServiceIamPolicyOutputArgs) ElementType 

func (LookupWebRegionBackendServiceIamPolicyOutputArgs) ElementType() reflect.Type

type LookupWebRegionBackendServiceIamPolicyResult 

type LookupWebRegionBackendServiceIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebRegionBackendServiceIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData              string `pulumi:"policyData"`
	Project                 string `pulumi:"project"`
	Region                  string `pulumi:"region"`
	WebRegionBackendService string `pulumi:"webRegionBackendService"`
}

A collection of values returned by getWebRegionBackendServiceIamPolicy.

func LookupWebRegionBackendServiceIamPolicy 

func LookupWebRegionBackendServiceIamPolicy(ctx *pulumi.Context, args *LookupWebRegionBackendServiceIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupWebRegionBackendServiceIamPolicyResult, error)

Retrieves the current IAM policy data for webregionbackendservice

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebRegionBackendServiceIamPolicy(ctx, &iap.LookupWebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.StringRef(_default.Project),
			Region:                  pulumi.StringRef(_default.Region),
			WebRegionBackendService: _default.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebRegionBackendServiceIamPolicyResultOutput 

type LookupWebRegionBackendServiceIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebRegionBackendServiceIamPolicy.

func LookupWebRegionBackendServiceIamPolicyOutput 

func LookupWebRegionBackendServiceIamPolicyOutput(ctx *pulumi.Context, args LookupWebRegionBackendServiceIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupWebRegionBackendServiceIamPolicyResultOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ElementType 

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ElementType() reflect.Type

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Etag 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Id 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) PolicyData 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.WebRegionBackendServiceIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Project 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) Region 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) Region() pulumi.StringOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutput 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutput() LookupWebRegionBackendServiceIamPolicyResultOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutputWithContext 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) ToLookupWebRegionBackendServiceIamPolicyResultOutputWithContext(ctx context.Context) LookupWebRegionBackendServiceIamPolicyResultOutput

func (LookupWebRegionBackendServiceIamPolicyResultOutput) WebRegionBackendService 

func (o LookupWebRegionBackendServiceIamPolicyResultOutput) WebRegionBackendService() pulumi.StringOutput

type LookupWebTypeComputeIamPolicyArgs 

type LookupWebTypeComputeIamPolicyArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeComputeIamPolicy.

type LookupWebTypeComputeIamPolicyOutputArgs 

type LookupWebTypeComputeIamPolicyOutputArgs struct {
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getWebTypeComputeIamPolicy.

func (LookupWebTypeComputeIamPolicyOutputArgs) ElementType 

func (LookupWebTypeComputeIamPolicyOutputArgs) ElementType() reflect.Type

type LookupWebTypeComputeIamPolicyResult 

type LookupWebTypeComputeIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `iap.WebTypeComputeIamPolicy`) The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	Project    string `pulumi:"project"`
}

A collection of values returned by getWebTypeComputeIamPolicy.

func LookupWebTypeComputeIamPolicy 

func LookupWebTypeComputeIamPolicy(ctx *pulumi.Context, args *LookupWebTypeComputeIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupWebTypeComputeIamPolicyResult, error)

Retrieves the current IAM policy data for webtypecompute

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.LookupWebTypeComputeIamPolicy(ctx, &iap.LookupWebTypeComputeIamPolicyArgs{
			Project: pulumi.StringRef(projectService.Project),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupWebTypeComputeIamPolicyResultOutput 

type LookupWebTypeComputeIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getWebTypeComputeIamPolicy.

func LookupWebTypeComputeIamPolicyOutput 

func LookupWebTypeComputeIamPolicyOutput(ctx *pulumi.Context, args LookupWebTypeComputeIamPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupWebTypeComputeIamPolicyResultOutput

func (LookupWebTypeComputeIamPolicyResultOutput) ElementType 

func (LookupWebTypeComputeIamPolicyResultOutput) ElementType() reflect.Type

func (LookupWebTypeComputeIamPolicyResultOutput) Etag 

func (o LookupWebTypeComputeIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (LookupWebTypeComputeIamPolicyResultOutput) Id 

func (o LookupWebTypeComputeIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupWebTypeComputeIamPolicyResultOutput) PolicyData 

func (o LookupWebTypeComputeIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Required only by `iap.WebTypeComputeIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupWebTypeComputeIamPolicyResultOutput) Project 

func (o LookupWebTypeComputeIamPolicyResultOutput) Project() pulumi.StringOutput

func (LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutput 

func (o LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutput() LookupWebTypeComputeIamPolicyResultOutput

func (LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutputWithContext 

func (o LookupWebTypeComputeIamPolicyResultOutput) ToLookupWebTypeComputeIamPolicyResultOutputWithContext(ctx context.Context) LookupWebTypeComputeIamPolicyResultOutput

type TunnelDestGroup 

type TunnelDestGroup struct {
	pulumi.CustomResourceState

	// List of CIDRs that this group applies to.
	Cidrs pulumi.StringArrayOutput `pulumi:"cidrs"`
	// List of FQDNs that this group applies to.
	Fqdns pulumi.StringArrayOutput `pulumi:"fqdns"`
	// Unique tunnel destination group name.
	//
	// ***
	GroupName pulumi.StringOutput `pulumi:"groupName"`
	// Full resource name.
	Name pulumi.StringOutput `pulumi:"name"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	Region pulumi.StringOutput `pulumi:"region"`
}

Tunnel destination groups represent resources that have the same tunnel access restrictions.

To get more information about TunnelDestGroup, see:

* [API documentation](https://cloud.google.com/iap/docs/reference/rest/v1/projects.iap_tunnel.locations.destGroups) * How-to Guides

## Example Usage

### Iap Destgroup

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroup(ctx, "dest_group", &iap.TunnelDestGroupArgs{
			Region:    pulumi.String("us-central1"),
			GroupName: pulumi.String("testgroup_87786"),
			Cidrs: pulumi.StringArray{
				pulumi.String("10.1.0.0/16"),
				pulumi.String("192.168.10.0/24"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

TunnelDestGroup can be imported using any of these accepted formats:

* `projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}`

* `{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}}`

* `{{project}}/{{region}}/{{group_name}}`

* `{{region}}/destGroups/{{group_name}}`

* `{{region}}/{{group_name}}`

* `{{group_name}}`

When using the `pulumi import` command, TunnelDestGroup can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{project}}/{{region}}/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{region}}/destGroups/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{region}}/{{group_name}} ```

```sh $ pulumi import gcp:iap/tunnelDestGroup:TunnelDestGroup default {{group_name}} ```

func GetTunnelDestGroup 

func GetTunnelDestGroup(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupState, opts ...pulumi.ResourceOption) (*TunnelDestGroup, error)

GetTunnelDestGroup gets an existing TunnelDestGroup resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroup 

func NewTunnelDestGroup(ctx *pulumi.Context,
	name string, args *TunnelDestGroupArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroup, error)

NewTunnelDestGroup registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroup) ElementType 

func (*TunnelDestGroup) ElementType() reflect.Type

func (*TunnelDestGroup) ToTunnelDestGroupOutput 

func (i *TunnelDestGroup) ToTunnelDestGroupOutput() TunnelDestGroupOutput

func (*TunnelDestGroup) ToTunnelDestGroupOutputWithContext 

func (i *TunnelDestGroup) ToTunnelDestGroupOutputWithContext(ctx context.Context) TunnelDestGroupOutput

type TunnelDestGroupArgs 

type TunnelDestGroupArgs struct {
	// List of CIDRs that this group applies to.
	Cidrs pulumi.StringArrayInput
	// List of FQDNs that this group applies to.
	Fqdns pulumi.StringArrayInput
	// Unique tunnel destination group name.
	//
	// ***
	GroupName pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	Region pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelDestGroup resource.

func (TunnelDestGroupArgs) ElementType 

func (TunnelDestGroupArgs) ElementType() reflect.Type

type TunnelDestGroupArray 

type TunnelDestGroupArray []TunnelDestGroupInput

func (TunnelDestGroupArray) ElementType 

func (TunnelDestGroupArray) ElementType() reflect.Type

func (TunnelDestGroupArray) ToTunnelDestGroupArrayOutput 

func (i TunnelDestGroupArray) ToTunnelDestGroupArrayOutput() TunnelDestGroupArrayOutput

func (TunnelDestGroupArray) ToTunnelDestGroupArrayOutputWithContext 

func (i TunnelDestGroupArray) ToTunnelDestGroupArrayOutputWithContext(ctx context.Context) TunnelDestGroupArrayOutput

type TunnelDestGroupArrayInput 

type TunnelDestGroupArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupArrayOutput() TunnelDestGroupArrayOutput
	ToTunnelDestGroupArrayOutputWithContext(context.Context) TunnelDestGroupArrayOutput
}

TunnelDestGroupArrayInput is an input type that accepts TunnelDestGroupArray and TunnelDestGroupArrayOutput values. You can construct a concrete instance of `TunnelDestGroupArrayInput` via: 

TunnelDestGroupArray{ TunnelDestGroupArgs{...} }

type TunnelDestGroupArrayOutput 

type TunnelDestGroupArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupArrayOutput) ElementType 

func (TunnelDestGroupArrayOutput) ElementType() reflect.Type

func (TunnelDestGroupArrayOutput) Index 

func (o TunnelDestGroupArrayOutput) Index(i pulumi.IntInput) TunnelDestGroupOutput

func (TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutput 

func (o TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutput() TunnelDestGroupArrayOutput

func (TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutputWithContext 

func (o TunnelDestGroupArrayOutput) ToTunnelDestGroupArrayOutputWithContext(ctx context.Context) TunnelDestGroupArrayOutput

type TunnelDestGroupIamBinding 

type TunnelDestGroupIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamBindingConditionPtrOutput `pulumi:"condition"`
	DestGroup pulumi.StringOutput                         `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelDestGroup Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/{{region}}/{{dest_group}}

* {{region}}/{{dest_group}}

* {{dest_group}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunneldestgroup IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding editor projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelDestGroupIamBinding 

func GetTunnelDestGroupIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupIamBindingState, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamBinding, error)

GetTunnelDestGroupIamBinding gets an existing TunnelDestGroupIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroupIamBinding 

func NewTunnelDestGroupIamBinding(ctx *pulumi.Context,
	name string, args *TunnelDestGroupIamBindingArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamBinding, error)

NewTunnelDestGroupIamBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroupIamBinding) ElementType 

func (*TunnelDestGroupIamBinding) ElementType() reflect.Type

func (*TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutput 

func (i *TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutput() TunnelDestGroupIamBindingOutput

func (*TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutputWithContext 

func (i *TunnelDestGroupIamBinding) ToTunnelDestGroupIamBindingOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingOutput

type TunnelDestGroupIamBindingArgs 

type TunnelDestGroupIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamBindingConditionPtrInput
	DestGroup pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelDestGroupIamBinding resource.

func (TunnelDestGroupIamBindingArgs) ElementType 

func (TunnelDestGroupIamBindingArgs) ElementType() reflect.Type

type TunnelDestGroupIamBindingArray 

type TunnelDestGroupIamBindingArray []TunnelDestGroupIamBindingInput

func (TunnelDestGroupIamBindingArray) ElementType 

func (TunnelDestGroupIamBindingArray) ElementType() reflect.Type

func (TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutput 

func (i TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutput() TunnelDestGroupIamBindingArrayOutput

func (TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutputWithContext 

func (i TunnelDestGroupIamBindingArray) ToTunnelDestGroupIamBindingArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingArrayOutput

type TunnelDestGroupIamBindingArrayInput 

type TunnelDestGroupIamBindingArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingArrayOutput() TunnelDestGroupIamBindingArrayOutput
	ToTunnelDestGroupIamBindingArrayOutputWithContext(context.Context) TunnelDestGroupIamBindingArrayOutput
}

TunnelDestGroupIamBindingArrayInput is an input type that accepts TunnelDestGroupIamBindingArray and TunnelDestGroupIamBindingArrayOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingArrayInput` via: 

TunnelDestGroupIamBindingArray{ TunnelDestGroupIamBindingArgs{...} }

type TunnelDestGroupIamBindingArrayOutput 

type TunnelDestGroupIamBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingArrayOutput) ElementType 

func (TunnelDestGroupIamBindingArrayOutput) ElementType() reflect.Type

func (TunnelDestGroupIamBindingArrayOutput) Index 

func (o TunnelDestGroupIamBindingArrayOutput) Index(i pulumi.IntInput) TunnelDestGroupIamBindingOutput

func (TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutput 

func (o TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutput() TunnelDestGroupIamBindingArrayOutput

func (TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutputWithContext 

func (o TunnelDestGroupIamBindingArrayOutput) ToTunnelDestGroupIamBindingArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingArrayOutput

type TunnelDestGroupIamBindingCondition 

type TunnelDestGroupIamBindingCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelDestGroupIamBindingConditionArgs 

type TunnelDestGroupIamBindingConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelDestGroupIamBindingConditionArgs) ElementType 

func (TunnelDestGroupIamBindingConditionArgs) ElementType() reflect.Type

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutput 

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutput() TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutputWithContext 

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutput 

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput

func (TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext 

func (i TunnelDestGroupIamBindingConditionArgs) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingConditionInput 

type TunnelDestGroupIamBindingConditionInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingConditionOutput() TunnelDestGroupIamBindingConditionOutput
	ToTunnelDestGroupIamBindingConditionOutputWithContext(context.Context) TunnelDestGroupIamBindingConditionOutput
}

TunnelDestGroupIamBindingConditionInput is an input type that accepts TunnelDestGroupIamBindingConditionArgs and TunnelDestGroupIamBindingConditionOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingConditionInput` via: 

TunnelDestGroupIamBindingConditionArgs{...}

type TunnelDestGroupIamBindingConditionOutput 

type TunnelDestGroupIamBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingConditionOutput) Description 

func (o TunnelDestGroupIamBindingConditionOutput) Description() pulumi.StringPtrOutput

func (TunnelDestGroupIamBindingConditionOutput) ElementType 

func (TunnelDestGroupIamBindingConditionOutput) ElementType() reflect.Type

func (TunnelDestGroupIamBindingConditionOutput) Expression 

func (o TunnelDestGroupIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamBindingConditionOutput) Title 

func (o TunnelDestGroupIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutput 

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutput() TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutputWithContext 

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutput 

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput

func (TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext 

func (o TunnelDestGroupIamBindingConditionOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingConditionPtrInput 

type TunnelDestGroupIamBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput
	ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(context.Context) TunnelDestGroupIamBindingConditionPtrOutput
}

TunnelDestGroupIamBindingConditionPtrInput is an input type that accepts TunnelDestGroupIamBindingConditionArgs, TunnelDestGroupIamBindingConditionPtr and TunnelDestGroupIamBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingConditionPtrInput` via: 

        TunnelDestGroupIamBindingConditionArgs{...}

or:

        nil

func TunnelDestGroupIamBindingConditionPtr 

func TunnelDestGroupIamBindingConditionPtr(v *TunnelDestGroupIamBindingConditionArgs) TunnelDestGroupIamBindingConditionPtrInput

type TunnelDestGroupIamBindingConditionPtrOutput 

type TunnelDestGroupIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingConditionPtrOutput) Description 

func (o TunnelDestGroupIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

func (TunnelDestGroupIamBindingConditionPtrOutput) Elem 

func (o TunnelDestGroupIamBindingConditionPtrOutput) Elem() TunnelDestGroupIamBindingConditionOutput

func (TunnelDestGroupIamBindingConditionPtrOutput) ElementType 

func (TunnelDestGroupIamBindingConditionPtrOutput) ElementType() reflect.Type

func (TunnelDestGroupIamBindingConditionPtrOutput) Expression 

func (o TunnelDestGroupIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamBindingConditionPtrOutput) Title 

func (o TunnelDestGroupIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutput 

func (o TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutput() TunnelDestGroupIamBindingConditionPtrOutput

func (TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext 

func (o TunnelDestGroupIamBindingConditionPtrOutput) ToTunnelDestGroupIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingConditionPtrOutput

type TunnelDestGroupIamBindingInput 

type TunnelDestGroupIamBindingInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingOutput() TunnelDestGroupIamBindingOutput
	ToTunnelDestGroupIamBindingOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingOutput
}

type TunnelDestGroupIamBindingMap 

type TunnelDestGroupIamBindingMap map[string]TunnelDestGroupIamBindingInput

func (TunnelDestGroupIamBindingMap) ElementType 

func (TunnelDestGroupIamBindingMap) ElementType() reflect.Type

func (TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutput 

func (i TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutput() TunnelDestGroupIamBindingMapOutput

func (TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutputWithContext 

func (i TunnelDestGroupIamBindingMap) ToTunnelDestGroupIamBindingMapOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingMapOutput

type TunnelDestGroupIamBindingMapInput 

type TunnelDestGroupIamBindingMapInput interface {
	pulumi.Input

	ToTunnelDestGroupIamBindingMapOutput() TunnelDestGroupIamBindingMapOutput
	ToTunnelDestGroupIamBindingMapOutputWithContext(context.Context) TunnelDestGroupIamBindingMapOutput
}

TunnelDestGroupIamBindingMapInput is an input type that accepts TunnelDestGroupIamBindingMap and TunnelDestGroupIamBindingMapOutput values. You can construct a concrete instance of `TunnelDestGroupIamBindingMapInput` via: 

TunnelDestGroupIamBindingMap{ "key": TunnelDestGroupIamBindingArgs{...} }

type TunnelDestGroupIamBindingMapOutput 

type TunnelDestGroupIamBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingMapOutput) ElementType 

func (TunnelDestGroupIamBindingMapOutput) ElementType() reflect.Type

func (TunnelDestGroupIamBindingMapOutput) MapIndex 

func (o TunnelDestGroupIamBindingMapOutput) MapIndex(k pulumi.StringInput) TunnelDestGroupIamBindingOutput

func (TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutput 

func (o TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutput() TunnelDestGroupIamBindingMapOutput

func (TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutputWithContext 

func (o TunnelDestGroupIamBindingMapOutput) ToTunnelDestGroupIamBindingMapOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingMapOutput

type TunnelDestGroupIamBindingOutput 

type TunnelDestGroupIamBindingOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamBindingOutput) Condition 

func (o TunnelDestGroupIamBindingOutput) Condition() TunnelDestGroupIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelDestGroupIamBindingOutput) DestGroup 

func (o TunnelDestGroupIamBindingOutput) DestGroup() pulumi.StringOutput

func (TunnelDestGroupIamBindingOutput) ElementType 

func (TunnelDestGroupIamBindingOutput) ElementType() reflect.Type

func (TunnelDestGroupIamBindingOutput) Etag 

func (o TunnelDestGroupIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelDestGroupIamBindingOutput) Members 

func (o TunnelDestGroupIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelDestGroupIamBindingOutput) Project 

func (o TunnelDestGroupIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelDestGroupIamBindingOutput) Region 

func (o TunnelDestGroupIamBindingOutput) Region() pulumi.StringOutput

The region of the tunnel group. Must be the same as the network resources in the group. Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration.

func (TunnelDestGroupIamBindingOutput) Role 

func (o TunnelDestGroupIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutput 

func (o TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutput() TunnelDestGroupIamBindingOutput

func (TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutputWithContext 

func (o TunnelDestGroupIamBindingOutput) ToTunnelDestGroupIamBindingOutputWithContext(ctx context.Context) TunnelDestGroupIamBindingOutput

type TunnelDestGroupIamBindingState 

type TunnelDestGroupIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamBindingConditionPtrInput
	DestGroup pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelDestGroupIamBindingState) ElementType 

func (TunnelDestGroupIamBindingState) ElementType() reflect.Type

type TunnelDestGroupIamMember 

type TunnelDestGroupIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamMemberConditionPtrOutput `pulumi:"condition"`
	DestGroup pulumi.StringOutput                        `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelDestGroup Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/{{region}}/{{dest_group}}

* {{region}}/{{dest_group}}

* {{dest_group}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunneldestgroup IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember editor projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelDestGroupIamMember 

func GetTunnelDestGroupIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupIamMemberState, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamMember, error)

GetTunnelDestGroupIamMember gets an existing TunnelDestGroupIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroupIamMember 

func NewTunnelDestGroupIamMember(ctx *pulumi.Context,
	name string, args *TunnelDestGroupIamMemberArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamMember, error)

NewTunnelDestGroupIamMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroupIamMember) ElementType 

func (*TunnelDestGroupIamMember) ElementType() reflect.Type

func (*TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutput 

func (i *TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutput() TunnelDestGroupIamMemberOutput

func (*TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutputWithContext 

func (i *TunnelDestGroupIamMember) ToTunnelDestGroupIamMemberOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberOutput

type TunnelDestGroupIamMemberArgs 

type TunnelDestGroupIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamMemberConditionPtrInput
	DestGroup pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelDestGroupIamMember resource.

func (TunnelDestGroupIamMemberArgs) ElementType 

func (TunnelDestGroupIamMemberArgs) ElementType() reflect.Type

type TunnelDestGroupIamMemberArray 

type TunnelDestGroupIamMemberArray []TunnelDestGroupIamMemberInput

func (TunnelDestGroupIamMemberArray) ElementType 

func (TunnelDestGroupIamMemberArray) ElementType() reflect.Type

func (TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutput 

func (i TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutput() TunnelDestGroupIamMemberArrayOutput

func (TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutputWithContext 

func (i TunnelDestGroupIamMemberArray) ToTunnelDestGroupIamMemberArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberArrayOutput

type TunnelDestGroupIamMemberArrayInput 

type TunnelDestGroupIamMemberArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberArrayOutput() TunnelDestGroupIamMemberArrayOutput
	ToTunnelDestGroupIamMemberArrayOutputWithContext(context.Context) TunnelDestGroupIamMemberArrayOutput
}

TunnelDestGroupIamMemberArrayInput is an input type that accepts TunnelDestGroupIamMemberArray and TunnelDestGroupIamMemberArrayOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberArrayInput` via: 

TunnelDestGroupIamMemberArray{ TunnelDestGroupIamMemberArgs{...} }

type TunnelDestGroupIamMemberArrayOutput 

type TunnelDestGroupIamMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberArrayOutput) ElementType 

func (TunnelDestGroupIamMemberArrayOutput) ElementType() reflect.Type

func (TunnelDestGroupIamMemberArrayOutput) Index 

func (o TunnelDestGroupIamMemberArrayOutput) Index(i pulumi.IntInput) TunnelDestGroupIamMemberOutput

func (TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutput 

func (o TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutput() TunnelDestGroupIamMemberArrayOutput

func (TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutputWithContext 

func (o TunnelDestGroupIamMemberArrayOutput) ToTunnelDestGroupIamMemberArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberArrayOutput

type TunnelDestGroupIamMemberCondition 

type TunnelDestGroupIamMemberCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelDestGroupIamMemberConditionArgs 

type TunnelDestGroupIamMemberConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelDestGroupIamMemberConditionArgs) ElementType 

func (TunnelDestGroupIamMemberConditionArgs) ElementType() reflect.Type

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutput 

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutput() TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutputWithContext 

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutput 

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput

func (TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext 

func (i TunnelDestGroupIamMemberConditionArgs) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberConditionInput 

type TunnelDestGroupIamMemberConditionInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberConditionOutput() TunnelDestGroupIamMemberConditionOutput
	ToTunnelDestGroupIamMemberConditionOutputWithContext(context.Context) TunnelDestGroupIamMemberConditionOutput
}

TunnelDestGroupIamMemberConditionInput is an input type that accepts TunnelDestGroupIamMemberConditionArgs and TunnelDestGroupIamMemberConditionOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberConditionInput` via: 

TunnelDestGroupIamMemberConditionArgs{...}

type TunnelDestGroupIamMemberConditionOutput 

type TunnelDestGroupIamMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberConditionOutput) Description 

func (o TunnelDestGroupIamMemberConditionOutput) Description() pulumi.StringPtrOutput

func (TunnelDestGroupIamMemberConditionOutput) ElementType 

func (TunnelDestGroupIamMemberConditionOutput) ElementType() reflect.Type

func (TunnelDestGroupIamMemberConditionOutput) Expression 

func (o TunnelDestGroupIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamMemberConditionOutput) Title 

func (o TunnelDestGroupIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutput 

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutput() TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutputWithContext 

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutput 

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput

func (TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext 

func (o TunnelDestGroupIamMemberConditionOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberConditionPtrInput 

type TunnelDestGroupIamMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput
	ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(context.Context) TunnelDestGroupIamMemberConditionPtrOutput
}

TunnelDestGroupIamMemberConditionPtrInput is an input type that accepts TunnelDestGroupIamMemberConditionArgs, TunnelDestGroupIamMemberConditionPtr and TunnelDestGroupIamMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberConditionPtrInput` via: 

        TunnelDestGroupIamMemberConditionArgs{...}

or:

        nil

func TunnelDestGroupIamMemberConditionPtr 

func TunnelDestGroupIamMemberConditionPtr(v *TunnelDestGroupIamMemberConditionArgs) TunnelDestGroupIamMemberConditionPtrInput

type TunnelDestGroupIamMemberConditionPtrOutput 

type TunnelDestGroupIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberConditionPtrOutput) Description 

func (o TunnelDestGroupIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

func (TunnelDestGroupIamMemberConditionPtrOutput) Elem 

func (o TunnelDestGroupIamMemberConditionPtrOutput) Elem() TunnelDestGroupIamMemberConditionOutput

func (TunnelDestGroupIamMemberConditionPtrOutput) ElementType 

func (TunnelDestGroupIamMemberConditionPtrOutput) ElementType() reflect.Type

func (TunnelDestGroupIamMemberConditionPtrOutput) Expression 

func (o TunnelDestGroupIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelDestGroupIamMemberConditionPtrOutput) Title 

func (o TunnelDestGroupIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutput 

func (o TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutput() TunnelDestGroupIamMemberConditionPtrOutput

func (TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext 

func (o TunnelDestGroupIamMemberConditionPtrOutput) ToTunnelDestGroupIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberConditionPtrOutput

type TunnelDestGroupIamMemberInput 

type TunnelDestGroupIamMemberInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberOutput() TunnelDestGroupIamMemberOutput
	ToTunnelDestGroupIamMemberOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberOutput
}

type TunnelDestGroupIamMemberMap 

type TunnelDestGroupIamMemberMap map[string]TunnelDestGroupIamMemberInput

func (TunnelDestGroupIamMemberMap) ElementType 

func (TunnelDestGroupIamMemberMap) ElementType() reflect.Type

func (TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutput 

func (i TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutput() TunnelDestGroupIamMemberMapOutput

func (TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutputWithContext 

func (i TunnelDestGroupIamMemberMap) ToTunnelDestGroupIamMemberMapOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberMapOutput

type TunnelDestGroupIamMemberMapInput 

type TunnelDestGroupIamMemberMapInput interface {
	pulumi.Input

	ToTunnelDestGroupIamMemberMapOutput() TunnelDestGroupIamMemberMapOutput
	ToTunnelDestGroupIamMemberMapOutputWithContext(context.Context) TunnelDestGroupIamMemberMapOutput
}

TunnelDestGroupIamMemberMapInput is an input type that accepts TunnelDestGroupIamMemberMap and TunnelDestGroupIamMemberMapOutput values. You can construct a concrete instance of `TunnelDestGroupIamMemberMapInput` via: 

TunnelDestGroupIamMemberMap{ "key": TunnelDestGroupIamMemberArgs{...} }

type TunnelDestGroupIamMemberMapOutput 

type TunnelDestGroupIamMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberMapOutput) ElementType 

func (TunnelDestGroupIamMemberMapOutput) ElementType() reflect.Type

func (TunnelDestGroupIamMemberMapOutput) MapIndex 

func (o TunnelDestGroupIamMemberMapOutput) MapIndex(k pulumi.StringInput) TunnelDestGroupIamMemberOutput

func (TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutput 

func (o TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutput() TunnelDestGroupIamMemberMapOutput

func (TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutputWithContext 

func (o TunnelDestGroupIamMemberMapOutput) ToTunnelDestGroupIamMemberMapOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberMapOutput

type TunnelDestGroupIamMemberOutput 

type TunnelDestGroupIamMemberOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamMemberOutput) Condition 

func (o TunnelDestGroupIamMemberOutput) Condition() TunnelDestGroupIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelDestGroupIamMemberOutput) DestGroup 

func (o TunnelDestGroupIamMemberOutput) DestGroup() pulumi.StringOutput

func (TunnelDestGroupIamMemberOutput) ElementType 

func (TunnelDestGroupIamMemberOutput) ElementType() reflect.Type

func (TunnelDestGroupIamMemberOutput) Etag 

func (o TunnelDestGroupIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelDestGroupIamMemberOutput) Member 

func (o TunnelDestGroupIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelDestGroupIamMemberOutput) Project 

func (o TunnelDestGroupIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelDestGroupIamMemberOutput) Region 

func (o TunnelDestGroupIamMemberOutput) Region() pulumi.StringOutput

The region of the tunnel group. Must be the same as the network resources in the group. Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration.

func (TunnelDestGroupIamMemberOutput) Role 

func (o TunnelDestGroupIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutput 

func (o TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutput() TunnelDestGroupIamMemberOutput

func (TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutputWithContext 

func (o TunnelDestGroupIamMemberOutput) ToTunnelDestGroupIamMemberOutputWithContext(ctx context.Context) TunnelDestGroupIamMemberOutput

type TunnelDestGroupIamMemberState 

type TunnelDestGroupIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelDestGroupIamMemberConditionPtrInput
	DestGroup pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelDestGroupIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelDestGroupIamMemberState) ElementType 

func (TunnelDestGroupIamMemberState) ElementType() reflect.Type

type TunnelDestGroupIamPolicy 

type TunnelDestGroupIamPolicy struct {
	pulumi.CustomResourceState

	DestGroup pulumi.StringOutput `pulumi:"destGroup"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringOutput `pulumi:"region"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelDestGroup Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelDestGroup. Each of these resources serves a different use case:

* `iap.TunnelDestGroupIamPolicy`: Authoritative. Sets the IAM policy for the tunneldestgroup and replaces any existing policy already attached. * `iap.TunnelDestGroupIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunneldestgroup are preserved. * `iap.TunnelDestGroupIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunneldestgroup are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelDestGroupIamPolicy`: Retrieves the IAM policy for the tunneldestgroup

> **Note:** `iap.TunnelDestGroupIamPolicy` **cannot** be used in conjunction with `iap.TunnelDestGroupIamBinding` and `iap.TunnelDestGroupIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelDestGroupIamBinding` resources **can be** used in conjunction with `iap.TunnelDestGroupIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelDestGroupIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelDestGroupIamPolicy(ctx, "policy", &iap.TunnelDestGroupIamPolicyArgs{
			Project:    pulumi.Any(destGroup.Project),
			Region:     pulumi.Any(destGroup.Region),
			DestGroup:  pulumi.Any(destGroup.GroupName),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelDestGroupIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
			Project:   pulumi.Any(destGroup.Project),
			Region:    pulumi.Any(destGroup.Region),
			DestGroup: pulumi.Any(destGroup.GroupName),
			Role:      pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}}

* {{project}}/{{region}}/{{dest_group}}

* {{region}}/{{dest_group}}

* {{dest_group}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunneldestgroup IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamPolicy:TunnelDestGroupIamPolicy editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamPolicy:TunnelDestGroupIamPolicy editor "projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelDestGroupIamPolicy:TunnelDestGroupIamPolicy editor projects/{{project}}/iap_tunnel/locations/{{region}}/destGroups/{{dest_group}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelDestGroupIamPolicy 

func GetTunnelDestGroupIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelDestGroupIamPolicyState, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamPolicy, error)

GetTunnelDestGroupIamPolicy gets an existing TunnelDestGroupIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelDestGroupIamPolicy 

func NewTunnelDestGroupIamPolicy(ctx *pulumi.Context,
	name string, args *TunnelDestGroupIamPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelDestGroupIamPolicy, error)

NewTunnelDestGroupIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelDestGroupIamPolicy) ElementType 

func (*TunnelDestGroupIamPolicy) ElementType() reflect.Type

func (*TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutput 

func (i *TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutput() TunnelDestGroupIamPolicyOutput

func (*TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutputWithContext 

func (i *TunnelDestGroupIamPolicy) ToTunnelDestGroupIamPolicyOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyOutput

type TunnelDestGroupIamPolicyArgs 

type TunnelDestGroupIamPolicyArgs struct {
	DestGroup pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelDestGroupIamPolicy resource.

func (TunnelDestGroupIamPolicyArgs) ElementType 

func (TunnelDestGroupIamPolicyArgs) ElementType() reflect.Type

type TunnelDestGroupIamPolicyArray 

type TunnelDestGroupIamPolicyArray []TunnelDestGroupIamPolicyInput

func (TunnelDestGroupIamPolicyArray) ElementType 

func (TunnelDestGroupIamPolicyArray) ElementType() reflect.Type

func (TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutput 

func (i TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutput() TunnelDestGroupIamPolicyArrayOutput

func (TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutputWithContext 

func (i TunnelDestGroupIamPolicyArray) ToTunnelDestGroupIamPolicyArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyArrayOutput

type TunnelDestGroupIamPolicyArrayInput 

type TunnelDestGroupIamPolicyArrayInput interface {
	pulumi.Input

	ToTunnelDestGroupIamPolicyArrayOutput() TunnelDestGroupIamPolicyArrayOutput
	ToTunnelDestGroupIamPolicyArrayOutputWithContext(context.Context) TunnelDestGroupIamPolicyArrayOutput
}

TunnelDestGroupIamPolicyArrayInput is an input type that accepts TunnelDestGroupIamPolicyArray and TunnelDestGroupIamPolicyArrayOutput values. You can construct a concrete instance of `TunnelDestGroupIamPolicyArrayInput` via: 

TunnelDestGroupIamPolicyArray{ TunnelDestGroupIamPolicyArgs{...} }

type TunnelDestGroupIamPolicyArrayOutput 

type TunnelDestGroupIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamPolicyArrayOutput) ElementType 

func (TunnelDestGroupIamPolicyArrayOutput) ElementType() reflect.Type

func (TunnelDestGroupIamPolicyArrayOutput) Index 

func (o TunnelDestGroupIamPolicyArrayOutput) Index(i pulumi.IntInput) TunnelDestGroupIamPolicyOutput

func (TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutput 

func (o TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutput() TunnelDestGroupIamPolicyArrayOutput

func (TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutputWithContext 

func (o TunnelDestGroupIamPolicyArrayOutput) ToTunnelDestGroupIamPolicyArrayOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyArrayOutput

type TunnelDestGroupIamPolicyInput 

type TunnelDestGroupIamPolicyInput interface {
	pulumi.Input

	ToTunnelDestGroupIamPolicyOutput() TunnelDestGroupIamPolicyOutput
	ToTunnelDestGroupIamPolicyOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyOutput
}

type TunnelDestGroupIamPolicyMap 

type TunnelDestGroupIamPolicyMap map[string]TunnelDestGroupIamPolicyInput

func (TunnelDestGroupIamPolicyMap) ElementType 

func (TunnelDestGroupIamPolicyMap) ElementType() reflect.Type

func (TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutput 

func (i TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutput() TunnelDestGroupIamPolicyMapOutput

func (TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutputWithContext 

func (i TunnelDestGroupIamPolicyMap) ToTunnelDestGroupIamPolicyMapOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyMapOutput

type TunnelDestGroupIamPolicyMapInput 

type TunnelDestGroupIamPolicyMapInput interface {
	pulumi.Input

	ToTunnelDestGroupIamPolicyMapOutput() TunnelDestGroupIamPolicyMapOutput
	ToTunnelDestGroupIamPolicyMapOutputWithContext(context.Context) TunnelDestGroupIamPolicyMapOutput
}

TunnelDestGroupIamPolicyMapInput is an input type that accepts TunnelDestGroupIamPolicyMap and TunnelDestGroupIamPolicyMapOutput values. You can construct a concrete instance of `TunnelDestGroupIamPolicyMapInput` via: 

TunnelDestGroupIamPolicyMap{ "key": TunnelDestGroupIamPolicyArgs{...} }

type TunnelDestGroupIamPolicyMapOutput 

type TunnelDestGroupIamPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamPolicyMapOutput) ElementType 

func (TunnelDestGroupIamPolicyMapOutput) ElementType() reflect.Type

func (TunnelDestGroupIamPolicyMapOutput) MapIndex 

func (o TunnelDestGroupIamPolicyMapOutput) MapIndex(k pulumi.StringInput) TunnelDestGroupIamPolicyOutput

func (TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutput 

func (o TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutput() TunnelDestGroupIamPolicyMapOutput

func (TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutputWithContext 

func (o TunnelDestGroupIamPolicyMapOutput) ToTunnelDestGroupIamPolicyMapOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyMapOutput

type TunnelDestGroupIamPolicyOutput 

type TunnelDestGroupIamPolicyOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupIamPolicyOutput) DestGroup 

func (o TunnelDestGroupIamPolicyOutput) DestGroup() pulumi.StringOutput

func (TunnelDestGroupIamPolicyOutput) ElementType 

func (TunnelDestGroupIamPolicyOutput) ElementType() reflect.Type

func (TunnelDestGroupIamPolicyOutput) Etag 

func (o TunnelDestGroupIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelDestGroupIamPolicyOutput) PolicyData 

func (o TunnelDestGroupIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelDestGroupIamPolicyOutput) Project 

func (o TunnelDestGroupIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelDestGroupIamPolicyOutput) Region 

func (o TunnelDestGroupIamPolicyOutput) Region() pulumi.StringOutput

The region of the tunnel group. Must be the same as the network resources in the group. Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration.

func (TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutput 

func (o TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutput() TunnelDestGroupIamPolicyOutput

func (TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutputWithContext 

func (o TunnelDestGroupIamPolicyOutput) ToTunnelDestGroupIamPolicyOutputWithContext(ctx context.Context) TunnelDestGroupIamPolicyOutput

type TunnelDestGroupIamPolicyState 

type TunnelDestGroupIamPolicyState struct {
	DestGroup pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	// Used to find the parent resource to bind the IAM policy to. If not specified,
	// the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no
	// region is specified, it is taken from the provider configuration.
	Region pulumi.StringPtrInput
}

func (TunnelDestGroupIamPolicyState) ElementType 

func (TunnelDestGroupIamPolicyState) ElementType() reflect.Type

type TunnelDestGroupInput 

type TunnelDestGroupInput interface {
	pulumi.Input

	ToTunnelDestGroupOutput() TunnelDestGroupOutput
	ToTunnelDestGroupOutputWithContext(ctx context.Context) TunnelDestGroupOutput
}

type TunnelDestGroupMap 

type TunnelDestGroupMap map[string]TunnelDestGroupInput

func (TunnelDestGroupMap) ElementType 

func (TunnelDestGroupMap) ElementType() reflect.Type

func (TunnelDestGroupMap) ToTunnelDestGroupMapOutput 

func (i TunnelDestGroupMap) ToTunnelDestGroupMapOutput() TunnelDestGroupMapOutput

func (TunnelDestGroupMap) ToTunnelDestGroupMapOutputWithContext 

func (i TunnelDestGroupMap) ToTunnelDestGroupMapOutputWithContext(ctx context.Context) TunnelDestGroupMapOutput

type TunnelDestGroupMapInput 

type TunnelDestGroupMapInput interface {
	pulumi.Input

	ToTunnelDestGroupMapOutput() TunnelDestGroupMapOutput
	ToTunnelDestGroupMapOutputWithContext(context.Context) TunnelDestGroupMapOutput
}

TunnelDestGroupMapInput is an input type that accepts TunnelDestGroupMap and TunnelDestGroupMapOutput values. You can construct a concrete instance of `TunnelDestGroupMapInput` via: 

TunnelDestGroupMap{ "key": TunnelDestGroupArgs{...} }

type TunnelDestGroupMapOutput 

type TunnelDestGroupMapOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupMapOutput) ElementType 

func (TunnelDestGroupMapOutput) ElementType() reflect.Type

func (TunnelDestGroupMapOutput) MapIndex 

func (o TunnelDestGroupMapOutput) MapIndex(k pulumi.StringInput) TunnelDestGroupOutput

func (TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutput 

func (o TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutput() TunnelDestGroupMapOutput

func (TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutputWithContext 

func (o TunnelDestGroupMapOutput) ToTunnelDestGroupMapOutputWithContext(ctx context.Context) TunnelDestGroupMapOutput

type TunnelDestGroupOutput 

type TunnelDestGroupOutput struct{ *pulumi.OutputState }

func (TunnelDestGroupOutput) Cidrs 

func (o TunnelDestGroupOutput) Cidrs() pulumi.StringArrayOutput

List of CIDRs that this group applies to.

func (TunnelDestGroupOutput) ElementType 

func (TunnelDestGroupOutput) ElementType() reflect.Type

func (TunnelDestGroupOutput) Fqdns 

func (o TunnelDestGroupOutput) Fqdns() pulumi.StringArrayOutput

List of FQDNs that this group applies to.

func (TunnelDestGroupOutput) GroupName 

func (o TunnelDestGroupOutput) GroupName() pulumi.StringOutput

Unique tunnel destination group name.

***

func (TunnelDestGroupOutput) Name 

func (o TunnelDestGroupOutput) Name() pulumi.StringOutput

Full resource name.

func (TunnelDestGroupOutput) Project 

func (o TunnelDestGroupOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

func (TunnelDestGroupOutput) Region 

func (o TunnelDestGroupOutput) Region() pulumi.StringOutput

The region of the tunnel group. Must be the same as the network resources in the group.

func (TunnelDestGroupOutput) ToTunnelDestGroupOutput 

func (o TunnelDestGroupOutput) ToTunnelDestGroupOutput() TunnelDestGroupOutput

func (TunnelDestGroupOutput) ToTunnelDestGroupOutputWithContext 

func (o TunnelDestGroupOutput) ToTunnelDestGroupOutputWithContext(ctx context.Context) TunnelDestGroupOutput

type TunnelDestGroupState 

type TunnelDestGroupState struct {
	// List of CIDRs that this group applies to.
	Cidrs pulumi.StringArrayInput
	// List of FQDNs that this group applies to.
	Fqdns pulumi.StringArrayInput
	// Unique tunnel destination group name.
	//
	// ***
	GroupName pulumi.StringPtrInput
	// Full resource name.
	Name pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project pulumi.StringPtrInput
	// The region of the tunnel group. Must be the same as the network resources in the group.
	Region pulumi.StringPtrInput
}

func (TunnelDestGroupState) ElementType 

func (TunnelDestGroupState) ElementType() reflect.Type

type TunnelIamBinding 

type TunnelIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Tunnel Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelIamBinding:TunnelIamBinding editor projects/{{project}}/iap_tunnel ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamBinding 

func GetTunnelIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamBindingState, opts ...pulumi.ResourceOption) (*TunnelIamBinding, error)

GetTunnelIamBinding gets an existing TunnelIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamBinding 

func NewTunnelIamBinding(ctx *pulumi.Context,
	name string, args *TunnelIamBindingArgs, opts ...pulumi.ResourceOption) (*TunnelIamBinding, error)

NewTunnelIamBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamBinding) ElementType 

func (*TunnelIamBinding) ElementType() reflect.Type

func (*TunnelIamBinding) ToTunnelIamBindingOutput 

func (i *TunnelIamBinding) ToTunnelIamBindingOutput() TunnelIamBindingOutput

func (*TunnelIamBinding) ToTunnelIamBindingOutputWithContext 

func (i *TunnelIamBinding) ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput

type TunnelIamBindingArgs 

type TunnelIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelIamBinding resource.

func (TunnelIamBindingArgs) ElementType 

func (TunnelIamBindingArgs) ElementType() reflect.Type

type TunnelIamBindingArray 

type TunnelIamBindingArray []TunnelIamBindingInput

func (TunnelIamBindingArray) ElementType 

func (TunnelIamBindingArray) ElementType() reflect.Type

func (TunnelIamBindingArray) ToTunnelIamBindingArrayOutput 

func (i TunnelIamBindingArray) ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput

func (TunnelIamBindingArray) ToTunnelIamBindingArrayOutputWithContext 

func (i TunnelIamBindingArray) ToTunnelIamBindingArrayOutputWithContext(ctx context.Context) TunnelIamBindingArrayOutput

type TunnelIamBindingArrayInput 

type TunnelIamBindingArrayInput interface {
	pulumi.Input

	ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput
	ToTunnelIamBindingArrayOutputWithContext(context.Context) TunnelIamBindingArrayOutput
}

TunnelIamBindingArrayInput is an input type that accepts TunnelIamBindingArray and TunnelIamBindingArrayOutput values. You can construct a concrete instance of `TunnelIamBindingArrayInput` via: 

TunnelIamBindingArray{ TunnelIamBindingArgs{...} }

type TunnelIamBindingArrayOutput 

type TunnelIamBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingArrayOutput) ElementType 

func (TunnelIamBindingArrayOutput) ElementType() reflect.Type

func (TunnelIamBindingArrayOutput) Index 

func (o TunnelIamBindingArrayOutput) Index(i pulumi.IntInput) TunnelIamBindingOutput

func (TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutput 

func (o TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutput() TunnelIamBindingArrayOutput

func (TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutputWithContext 

func (o TunnelIamBindingArrayOutput) ToTunnelIamBindingArrayOutputWithContext(ctx context.Context) TunnelIamBindingArrayOutput

type TunnelIamBindingCondition 

type TunnelIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelIamBindingConditionArgs 

type TunnelIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelIamBindingConditionArgs) ElementType 

func (TunnelIamBindingConditionArgs) ElementType() reflect.Type

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutput 

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutputWithContext 

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionOutputWithContext(ctx context.Context) TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutput 

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutputWithContext 

func (i TunnelIamBindingConditionArgs) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionInput 

type TunnelIamBindingConditionInput interface {
	pulumi.Input

	ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput
	ToTunnelIamBindingConditionOutputWithContext(context.Context) TunnelIamBindingConditionOutput
}

TunnelIamBindingConditionInput is an input type that accepts TunnelIamBindingConditionArgs and TunnelIamBindingConditionOutput values. You can construct a concrete instance of `TunnelIamBindingConditionInput` via: 

TunnelIamBindingConditionArgs{...}

type TunnelIamBindingConditionOutput 

type TunnelIamBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingConditionOutput) Description 

func (o TunnelIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamBindingConditionOutput) ElementType 

func (TunnelIamBindingConditionOutput) ElementType() reflect.Type

func (TunnelIamBindingConditionOutput) Expression 

func (o TunnelIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamBindingConditionOutput) Title 

func (o TunnelIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutput 

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutput() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutputWithContext 

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionOutputWithContext(ctx context.Context) TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutput 

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutputWithContext 

func (o TunnelIamBindingConditionOutput) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingConditionPtrInput 

type TunnelIamBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput
	ToTunnelIamBindingConditionPtrOutputWithContext(context.Context) TunnelIamBindingConditionPtrOutput
}

TunnelIamBindingConditionPtrInput is an input type that accepts TunnelIamBindingConditionArgs, TunnelIamBindingConditionPtr and TunnelIamBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelIamBindingConditionPtrInput` via: 

        TunnelIamBindingConditionArgs{...}

or:

        nil

func TunnelIamBindingConditionPtr 

func TunnelIamBindingConditionPtr(v *TunnelIamBindingConditionArgs) TunnelIamBindingConditionPtrInput

type TunnelIamBindingConditionPtrOutput 

type TunnelIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingConditionPtrOutput) Description 

func (o TunnelIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamBindingConditionPtrOutput) Elem 

func (o TunnelIamBindingConditionPtrOutput) Elem() TunnelIamBindingConditionOutput

func (TunnelIamBindingConditionPtrOutput) ElementType 

func (TunnelIamBindingConditionPtrOutput) ElementType() reflect.Type

func (TunnelIamBindingConditionPtrOutput) Expression 

func (o TunnelIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamBindingConditionPtrOutput) Title 

func (o TunnelIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutput 

func (o TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutput() TunnelIamBindingConditionPtrOutput

func (TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutputWithContext 

func (o TunnelIamBindingConditionPtrOutput) ToTunnelIamBindingConditionPtrOutputWithContext(ctx context.Context) TunnelIamBindingConditionPtrOutput

type TunnelIamBindingInput 

type TunnelIamBindingInput interface {
	pulumi.Input

	ToTunnelIamBindingOutput() TunnelIamBindingOutput
	ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput
}

type TunnelIamBindingMap 

type TunnelIamBindingMap map[string]TunnelIamBindingInput

func (TunnelIamBindingMap) ElementType 

func (TunnelIamBindingMap) ElementType() reflect.Type

func (TunnelIamBindingMap) ToTunnelIamBindingMapOutput 

func (i TunnelIamBindingMap) ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput

func (TunnelIamBindingMap) ToTunnelIamBindingMapOutputWithContext 

func (i TunnelIamBindingMap) ToTunnelIamBindingMapOutputWithContext(ctx context.Context) TunnelIamBindingMapOutput

type TunnelIamBindingMapInput 

type TunnelIamBindingMapInput interface {
	pulumi.Input

	ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput
	ToTunnelIamBindingMapOutputWithContext(context.Context) TunnelIamBindingMapOutput
}

TunnelIamBindingMapInput is an input type that accepts TunnelIamBindingMap and TunnelIamBindingMapOutput values. You can construct a concrete instance of `TunnelIamBindingMapInput` via: 

TunnelIamBindingMap{ "key": TunnelIamBindingArgs{...} }

type TunnelIamBindingMapOutput 

type TunnelIamBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingMapOutput) ElementType 

func (TunnelIamBindingMapOutput) ElementType() reflect.Type

func (TunnelIamBindingMapOutput) MapIndex 

func (o TunnelIamBindingMapOutput) MapIndex(k pulumi.StringInput) TunnelIamBindingOutput

func (TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutput 

func (o TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutput() TunnelIamBindingMapOutput

func (TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutputWithContext 

func (o TunnelIamBindingMapOutput) ToTunnelIamBindingMapOutputWithContext(ctx context.Context) TunnelIamBindingMapOutput

type TunnelIamBindingOutput 

type TunnelIamBindingOutput struct{ *pulumi.OutputState }

func (TunnelIamBindingOutput) Condition 

func (o TunnelIamBindingOutput) Condition() TunnelIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelIamBindingOutput) ElementType 

func (TunnelIamBindingOutput) ElementType() reflect.Type

func (TunnelIamBindingOutput) Etag 

func (o TunnelIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelIamBindingOutput) Members 

func (o TunnelIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamBindingOutput) Project 

func (o TunnelIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelIamBindingOutput) Role 

func (o TunnelIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelIamBindingOutput) ToTunnelIamBindingOutput 

func (o TunnelIamBindingOutput) ToTunnelIamBindingOutput() TunnelIamBindingOutput

func (TunnelIamBindingOutput) ToTunnelIamBindingOutputWithContext 

func (o TunnelIamBindingOutput) ToTunnelIamBindingOutputWithContext(ctx context.Context) TunnelIamBindingOutput

type TunnelIamBindingState 

type TunnelIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelIamBindingState) ElementType 

func (TunnelIamBindingState) ElementType() reflect.Type

type TunnelIamMember 

type TunnelIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Tunnel Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelIamMember:TunnelIamMember editor projects/{{project}}/iap_tunnel ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamMember 

func GetTunnelIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamMemberState, opts ...pulumi.ResourceOption) (*TunnelIamMember, error)

GetTunnelIamMember gets an existing TunnelIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamMember 

func NewTunnelIamMember(ctx *pulumi.Context,
	name string, args *TunnelIamMemberArgs, opts ...pulumi.ResourceOption) (*TunnelIamMember, error)

NewTunnelIamMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamMember) ElementType 

func (*TunnelIamMember) ElementType() reflect.Type

func (*TunnelIamMember) ToTunnelIamMemberOutput 

func (i *TunnelIamMember) ToTunnelIamMemberOutput() TunnelIamMemberOutput

func (*TunnelIamMember) ToTunnelIamMemberOutputWithContext 

func (i *TunnelIamMember) ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput

type TunnelIamMemberArgs 

type TunnelIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a TunnelIamMember resource.

func (TunnelIamMemberArgs) ElementType 

func (TunnelIamMemberArgs) ElementType() reflect.Type

type TunnelIamMemberArray 

type TunnelIamMemberArray []TunnelIamMemberInput

func (TunnelIamMemberArray) ElementType 

func (TunnelIamMemberArray) ElementType() reflect.Type

func (TunnelIamMemberArray) ToTunnelIamMemberArrayOutput 

func (i TunnelIamMemberArray) ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput

func (TunnelIamMemberArray) ToTunnelIamMemberArrayOutputWithContext 

func (i TunnelIamMemberArray) ToTunnelIamMemberArrayOutputWithContext(ctx context.Context) TunnelIamMemberArrayOutput

type TunnelIamMemberArrayInput 

type TunnelIamMemberArrayInput interface {
	pulumi.Input

	ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput
	ToTunnelIamMemberArrayOutputWithContext(context.Context) TunnelIamMemberArrayOutput
}

TunnelIamMemberArrayInput is an input type that accepts TunnelIamMemberArray and TunnelIamMemberArrayOutput values. You can construct a concrete instance of `TunnelIamMemberArrayInput` via: 

TunnelIamMemberArray{ TunnelIamMemberArgs{...} }

type TunnelIamMemberArrayOutput 

type TunnelIamMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberArrayOutput) ElementType 

func (TunnelIamMemberArrayOutput) ElementType() reflect.Type

func (TunnelIamMemberArrayOutput) Index 

func (o TunnelIamMemberArrayOutput) Index(i pulumi.IntInput) TunnelIamMemberOutput

func (TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutput 

func (o TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutput() TunnelIamMemberArrayOutput

func (TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutputWithContext 

func (o TunnelIamMemberArrayOutput) ToTunnelIamMemberArrayOutputWithContext(ctx context.Context) TunnelIamMemberArrayOutput

type TunnelIamMemberCondition 

type TunnelIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelIamMemberConditionArgs 

type TunnelIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelIamMemberConditionArgs) ElementType 

func (TunnelIamMemberConditionArgs) ElementType() reflect.Type

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutput 

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutputWithContext 

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionOutputWithContext(ctx context.Context) TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutput 

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutputWithContext 

func (i TunnelIamMemberConditionArgs) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionInput 

type TunnelIamMemberConditionInput interface {
	pulumi.Input

	ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput
	ToTunnelIamMemberConditionOutputWithContext(context.Context) TunnelIamMemberConditionOutput
}

TunnelIamMemberConditionInput is an input type that accepts TunnelIamMemberConditionArgs and TunnelIamMemberConditionOutput values. You can construct a concrete instance of `TunnelIamMemberConditionInput` via: 

TunnelIamMemberConditionArgs{...}

type TunnelIamMemberConditionOutput 

type TunnelIamMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberConditionOutput) Description 

func (o TunnelIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamMemberConditionOutput) ElementType 

func (TunnelIamMemberConditionOutput) ElementType() reflect.Type

func (TunnelIamMemberConditionOutput) Expression 

func (o TunnelIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamMemberConditionOutput) Title 

func (o TunnelIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutput 

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutput() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutputWithContext 

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionOutputWithContext(ctx context.Context) TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutput 

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutputWithContext 

func (o TunnelIamMemberConditionOutput) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberConditionPtrInput 

type TunnelIamMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput
	ToTunnelIamMemberConditionPtrOutputWithContext(context.Context) TunnelIamMemberConditionPtrOutput
}

TunnelIamMemberConditionPtrInput is an input type that accepts TunnelIamMemberConditionArgs, TunnelIamMemberConditionPtr and TunnelIamMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelIamMemberConditionPtrInput` via: 

        TunnelIamMemberConditionArgs{...}

or:

        nil

func TunnelIamMemberConditionPtr 

func TunnelIamMemberConditionPtr(v *TunnelIamMemberConditionArgs) TunnelIamMemberConditionPtrInput

type TunnelIamMemberConditionPtrOutput 

type TunnelIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberConditionPtrOutput) Description 

func (o TunnelIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

func (TunnelIamMemberConditionPtrOutput) Elem 

func (o TunnelIamMemberConditionPtrOutput) Elem() TunnelIamMemberConditionOutput

func (TunnelIamMemberConditionPtrOutput) ElementType 

func (TunnelIamMemberConditionPtrOutput) ElementType() reflect.Type

func (TunnelIamMemberConditionPtrOutput) Expression 

func (o TunnelIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelIamMemberConditionPtrOutput) Title 

func (o TunnelIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutput 

func (o TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutput() TunnelIamMemberConditionPtrOutput

func (TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutputWithContext 

func (o TunnelIamMemberConditionPtrOutput) ToTunnelIamMemberConditionPtrOutputWithContext(ctx context.Context) TunnelIamMemberConditionPtrOutput

type TunnelIamMemberInput 

type TunnelIamMemberInput interface {
	pulumi.Input

	ToTunnelIamMemberOutput() TunnelIamMemberOutput
	ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput
}

type TunnelIamMemberMap 

type TunnelIamMemberMap map[string]TunnelIamMemberInput

func (TunnelIamMemberMap) ElementType 

func (TunnelIamMemberMap) ElementType() reflect.Type

func (TunnelIamMemberMap) ToTunnelIamMemberMapOutput 

func (i TunnelIamMemberMap) ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput

func (TunnelIamMemberMap) ToTunnelIamMemberMapOutputWithContext 

func (i TunnelIamMemberMap) ToTunnelIamMemberMapOutputWithContext(ctx context.Context) TunnelIamMemberMapOutput

type TunnelIamMemberMapInput 

type TunnelIamMemberMapInput interface {
	pulumi.Input

	ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput
	ToTunnelIamMemberMapOutputWithContext(context.Context) TunnelIamMemberMapOutput
}

TunnelIamMemberMapInput is an input type that accepts TunnelIamMemberMap and TunnelIamMemberMapOutput values. You can construct a concrete instance of `TunnelIamMemberMapInput` via: 

TunnelIamMemberMap{ "key": TunnelIamMemberArgs{...} }

type TunnelIamMemberMapOutput 

type TunnelIamMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberMapOutput) ElementType 

func (TunnelIamMemberMapOutput) ElementType() reflect.Type

func (TunnelIamMemberMapOutput) MapIndex 

func (o TunnelIamMemberMapOutput) MapIndex(k pulumi.StringInput) TunnelIamMemberOutput

func (TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutput 

func (o TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutput() TunnelIamMemberMapOutput

func (TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutputWithContext 

func (o TunnelIamMemberMapOutput) ToTunnelIamMemberMapOutputWithContext(ctx context.Context) TunnelIamMemberMapOutput

type TunnelIamMemberOutput 

type TunnelIamMemberOutput struct{ *pulumi.OutputState }

func (TunnelIamMemberOutput) Condition 

func (o TunnelIamMemberOutput) Condition() TunnelIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelIamMemberOutput) ElementType 

func (TunnelIamMemberOutput) ElementType() reflect.Type

func (TunnelIamMemberOutput) Etag 

func (o TunnelIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelIamMemberOutput) Member 

func (o TunnelIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelIamMemberOutput) Project 

func (o TunnelIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelIamMemberOutput) Role 

func (o TunnelIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelIamMemberOutput) ToTunnelIamMemberOutput 

func (o TunnelIamMemberOutput) ToTunnelIamMemberOutput() TunnelIamMemberOutput

func (TunnelIamMemberOutput) ToTunnelIamMemberOutputWithContext 

func (o TunnelIamMemberOutput) ToTunnelIamMemberOutputWithContext(ctx context.Context) TunnelIamMemberOutput

type TunnelIamMemberState 

type TunnelIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (TunnelIamMemberState) ElementType 

func (TunnelIamMemberState) ElementType() reflect.Type

type TunnelIamPolicy 

type TunnelIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Tunnel Three different resources help you manage your IAM policy for Identity-Aware Proxy Tunnel. Each of these resources serves a different use case:

* `iap.TunnelIamPolicy`: Authoritative. Sets the IAM policy for the tunnel and replaces any existing policy already attached. * `iap.TunnelIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnel are preserved. * `iap.TunnelIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnel are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelIamPolicy`: Retrieves the IAM policy for the tunnel

> **Note:** `iap.TunnelIamPolicy` **cannot** be used in conjunction with `iap.TunnelIamBinding` and `iap.TunnelIamMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelIamBinding` resources **can be** used in conjunction with `iap.TunnelIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelIamPolicy(ctx, "policy", &iap.TunnelIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamBinding(ctx, "binding", &iap.TunnelIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelIamMember(ctx, "member", &iap.TunnelIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnel IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor "projects/{{project}}/iap_tunnel roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelIamPolicy:TunnelIamPolicy editor projects/{{project}}/iap_tunnel ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelIamPolicy 

func GetTunnelIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelIamPolicyState, opts ...pulumi.ResourceOption) (*TunnelIamPolicy, error)

GetTunnelIamPolicy gets an existing TunnelIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelIamPolicy 

func NewTunnelIamPolicy(ctx *pulumi.Context,
	name string, args *TunnelIamPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelIamPolicy, error)

NewTunnelIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelIamPolicy) ElementType 

func (*TunnelIamPolicy) ElementType() reflect.Type

func (*TunnelIamPolicy) ToTunnelIamPolicyOutput 

func (i *TunnelIamPolicy) ToTunnelIamPolicyOutput() TunnelIamPolicyOutput

func (*TunnelIamPolicy) ToTunnelIamPolicyOutputWithContext 

func (i *TunnelIamPolicy) ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput

type TunnelIamPolicyArgs 

type TunnelIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelIamPolicy resource.

func (TunnelIamPolicyArgs) ElementType 

func (TunnelIamPolicyArgs) ElementType() reflect.Type

type TunnelIamPolicyArray 

type TunnelIamPolicyArray []TunnelIamPolicyInput

func (TunnelIamPolicyArray) ElementType 

func (TunnelIamPolicyArray) ElementType() reflect.Type

func (TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutput 

func (i TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput

func (TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutputWithContext 

func (i TunnelIamPolicyArray) ToTunnelIamPolicyArrayOutputWithContext(ctx context.Context) TunnelIamPolicyArrayOutput

type TunnelIamPolicyArrayInput 

type TunnelIamPolicyArrayInput interface {
	pulumi.Input

	ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput
	ToTunnelIamPolicyArrayOutputWithContext(context.Context) TunnelIamPolicyArrayOutput
}

TunnelIamPolicyArrayInput is an input type that accepts TunnelIamPolicyArray and TunnelIamPolicyArrayOutput values. You can construct a concrete instance of `TunnelIamPolicyArrayInput` via: 

TunnelIamPolicyArray{ TunnelIamPolicyArgs{...} }

type TunnelIamPolicyArrayOutput 

type TunnelIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyArrayOutput) ElementType 

func (TunnelIamPolicyArrayOutput) ElementType() reflect.Type

func (TunnelIamPolicyArrayOutput) Index 

func (o TunnelIamPolicyArrayOutput) Index(i pulumi.IntInput) TunnelIamPolicyOutput

func (TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutput 

func (o TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutput() TunnelIamPolicyArrayOutput

func (TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutputWithContext 

func (o TunnelIamPolicyArrayOutput) ToTunnelIamPolicyArrayOutputWithContext(ctx context.Context) TunnelIamPolicyArrayOutput

type TunnelIamPolicyInput 

type TunnelIamPolicyInput interface {
	pulumi.Input

	ToTunnelIamPolicyOutput() TunnelIamPolicyOutput
	ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput
}

type TunnelIamPolicyMap 

type TunnelIamPolicyMap map[string]TunnelIamPolicyInput

func (TunnelIamPolicyMap) ElementType 

func (TunnelIamPolicyMap) ElementType() reflect.Type

func (TunnelIamPolicyMap) ToTunnelIamPolicyMapOutput 

func (i TunnelIamPolicyMap) ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput

func (TunnelIamPolicyMap) ToTunnelIamPolicyMapOutputWithContext 

func (i TunnelIamPolicyMap) ToTunnelIamPolicyMapOutputWithContext(ctx context.Context) TunnelIamPolicyMapOutput

type TunnelIamPolicyMapInput 

type TunnelIamPolicyMapInput interface {
	pulumi.Input

	ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput
	ToTunnelIamPolicyMapOutputWithContext(context.Context) TunnelIamPolicyMapOutput
}

TunnelIamPolicyMapInput is an input type that accepts TunnelIamPolicyMap and TunnelIamPolicyMapOutput values. You can construct a concrete instance of `TunnelIamPolicyMapInput` via: 

TunnelIamPolicyMap{ "key": TunnelIamPolicyArgs{...} }

type TunnelIamPolicyMapOutput 

type TunnelIamPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyMapOutput) ElementType 

func (TunnelIamPolicyMapOutput) ElementType() reflect.Type

func (TunnelIamPolicyMapOutput) MapIndex 

func (o TunnelIamPolicyMapOutput) MapIndex(k pulumi.StringInput) TunnelIamPolicyOutput

func (TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutput 

func (o TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutput() TunnelIamPolicyMapOutput

func (TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutputWithContext 

func (o TunnelIamPolicyMapOutput) ToTunnelIamPolicyMapOutputWithContext(ctx context.Context) TunnelIamPolicyMapOutput

type TunnelIamPolicyOutput 

type TunnelIamPolicyOutput struct{ *pulumi.OutputState }

func (TunnelIamPolicyOutput) ElementType 

func (TunnelIamPolicyOutput) ElementType() reflect.Type

func (TunnelIamPolicyOutput) Etag 

func (o TunnelIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelIamPolicyOutput) PolicyData 

func (o TunnelIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelIamPolicyOutput) Project 

func (o TunnelIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelIamPolicyOutput) ToTunnelIamPolicyOutput 

func (o TunnelIamPolicyOutput) ToTunnelIamPolicyOutput() TunnelIamPolicyOutput

func (TunnelIamPolicyOutput) ToTunnelIamPolicyOutputWithContext 

func (o TunnelIamPolicyOutput) ToTunnelIamPolicyOutputWithContext(ctx context.Context) TunnelIamPolicyOutput

type TunnelIamPolicyState 

type TunnelIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (TunnelIamPolicyState) ElementType 

func (TunnelIamPolicyState) ElementType() reflect.Type

type TunnelInstanceIAMBinding 

type TunnelInstanceIAMBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	Zone pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelInstance Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}

* projects/{{project}}/zones/{{zone}}/instances/{{name}}

* {{project}}/{{zone}}/{{name}}

* {{zone}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMBinding:TunnelInstanceIAMBinding editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMBinding 

func GetTunnelInstanceIAMBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMBindingState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMBinding, error)

GetTunnelInstanceIAMBinding gets an existing TunnelInstanceIAMBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMBinding 

func NewTunnelInstanceIAMBinding(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMBindingArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMBinding, error)

NewTunnelInstanceIAMBinding registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMBinding) ElementType 

func (*TunnelInstanceIAMBinding) ElementType() reflect.Type

func (*TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutput 

func (i *TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput

func (*TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutputWithContext 

func (i *TunnelInstanceIAMBinding) ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput

type TunnelInstanceIAMBindingArgs 

type TunnelInstanceIAMBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	Zone pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMBinding resource.

func (TunnelInstanceIAMBindingArgs) ElementType 

func (TunnelInstanceIAMBindingArgs) ElementType() reflect.Type

type TunnelInstanceIAMBindingArray 

type TunnelInstanceIAMBindingArray []TunnelInstanceIAMBindingInput

func (TunnelInstanceIAMBindingArray) ElementType 

func (TunnelInstanceIAMBindingArray) ElementType() reflect.Type

func (TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutput 

func (i TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput

func (TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutputWithContext 

func (i TunnelInstanceIAMBindingArray) ToTunnelInstanceIAMBindingArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingArrayInput 

type TunnelInstanceIAMBindingArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput
	ToTunnelInstanceIAMBindingArrayOutputWithContext(context.Context) TunnelInstanceIAMBindingArrayOutput
}

TunnelInstanceIAMBindingArrayInput is an input type that accepts TunnelInstanceIAMBindingArray and TunnelInstanceIAMBindingArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingArrayInput` via: 

TunnelInstanceIAMBindingArray{ TunnelInstanceIAMBindingArgs{...} }

type TunnelInstanceIAMBindingArrayOutput 

type TunnelInstanceIAMBindingArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingArrayOutput) ElementType 

func (TunnelInstanceIAMBindingArrayOutput) ElementType() reflect.Type

func (TunnelInstanceIAMBindingArrayOutput) Index 

func (o TunnelInstanceIAMBindingArrayOutput) Index(i pulumi.IntInput) TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutput 

func (o TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutput() TunnelInstanceIAMBindingArrayOutput

func (TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutputWithContext 

func (o TunnelInstanceIAMBindingArrayOutput) ToTunnelInstanceIAMBindingArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingArrayOutput

type TunnelInstanceIAMBindingCondition 

type TunnelInstanceIAMBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelInstanceIAMBindingConditionArgs 

type TunnelInstanceIAMBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelInstanceIAMBindingConditionArgs) ElementType 

func (TunnelInstanceIAMBindingConditionArgs) ElementType() reflect.Type

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutput 

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutputWithContext 

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutput 

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext 

func (i TunnelInstanceIAMBindingConditionArgs) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionInput 

type TunnelInstanceIAMBindingConditionInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput
	ToTunnelInstanceIAMBindingConditionOutputWithContext(context.Context) TunnelInstanceIAMBindingConditionOutput
}

TunnelInstanceIAMBindingConditionInput is an input type that accepts TunnelInstanceIAMBindingConditionArgs and TunnelInstanceIAMBindingConditionOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingConditionInput` via: 

TunnelInstanceIAMBindingConditionArgs{...}

type TunnelInstanceIAMBindingConditionOutput 

type TunnelInstanceIAMBindingConditionOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingConditionOutput) Description 

func (o TunnelInstanceIAMBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMBindingConditionOutput) ElementType 

func (TunnelInstanceIAMBindingConditionOutput) ElementType() reflect.Type

func (TunnelInstanceIAMBindingConditionOutput) Expression 

func (o TunnelInstanceIAMBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMBindingConditionOutput) Title 

func (o TunnelInstanceIAMBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutput 

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutput() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutputWithContext 

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutput 

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext 

func (o TunnelInstanceIAMBindingConditionOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingConditionPtrInput 

type TunnelInstanceIAMBindingConditionPtrInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput
	ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(context.Context) TunnelInstanceIAMBindingConditionPtrOutput
}

TunnelInstanceIAMBindingConditionPtrInput is an input type that accepts TunnelInstanceIAMBindingConditionArgs, TunnelInstanceIAMBindingConditionPtr and TunnelInstanceIAMBindingConditionPtrOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingConditionPtrInput` via: 

        TunnelInstanceIAMBindingConditionArgs{...}

or:

        nil

func TunnelInstanceIAMBindingConditionPtr 

func TunnelInstanceIAMBindingConditionPtr(v *TunnelInstanceIAMBindingConditionArgs) TunnelInstanceIAMBindingConditionPtrInput

type TunnelInstanceIAMBindingConditionPtrOutput 

type TunnelInstanceIAMBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingConditionPtrOutput) Description 

func (o TunnelInstanceIAMBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMBindingConditionPtrOutput) Elem 

func (o TunnelInstanceIAMBindingConditionPtrOutput) Elem() TunnelInstanceIAMBindingConditionOutput

func (TunnelInstanceIAMBindingConditionPtrOutput) ElementType 

func (TunnelInstanceIAMBindingConditionPtrOutput) ElementType() reflect.Type

func (TunnelInstanceIAMBindingConditionPtrOutput) Expression 

func (o TunnelInstanceIAMBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMBindingConditionPtrOutput) Title 

func (o TunnelInstanceIAMBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutput 

func (o TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutput() TunnelInstanceIAMBindingConditionPtrOutput

func (TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext 

func (o TunnelInstanceIAMBindingConditionPtrOutput) ToTunnelInstanceIAMBindingConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingConditionPtrOutput

type TunnelInstanceIAMBindingInput 

type TunnelInstanceIAMBindingInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput
	ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput
}

type TunnelInstanceIAMBindingMap 

type TunnelInstanceIAMBindingMap map[string]TunnelInstanceIAMBindingInput

func (TunnelInstanceIAMBindingMap) ElementType 

func (TunnelInstanceIAMBindingMap) ElementType() reflect.Type

func (TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutput 

func (i TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput

func (TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutputWithContext 

func (i TunnelInstanceIAMBindingMap) ToTunnelInstanceIAMBindingMapOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingMapInput 

type TunnelInstanceIAMBindingMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput
	ToTunnelInstanceIAMBindingMapOutputWithContext(context.Context) TunnelInstanceIAMBindingMapOutput
}

TunnelInstanceIAMBindingMapInput is an input type that accepts TunnelInstanceIAMBindingMap and TunnelInstanceIAMBindingMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMBindingMapInput` via: 

TunnelInstanceIAMBindingMap{ "key": TunnelInstanceIAMBindingArgs{...} }

type TunnelInstanceIAMBindingMapOutput 

type TunnelInstanceIAMBindingMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingMapOutput) ElementType 

func (TunnelInstanceIAMBindingMapOutput) ElementType() reflect.Type

func (TunnelInstanceIAMBindingMapOutput) MapIndex 

func (o TunnelInstanceIAMBindingMapOutput) MapIndex(k pulumi.StringInput) TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutput 

func (o TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutput() TunnelInstanceIAMBindingMapOutput

func (TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutputWithContext 

func (o TunnelInstanceIAMBindingMapOutput) ToTunnelInstanceIAMBindingMapOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingMapOutput

type TunnelInstanceIAMBindingOutput 

type TunnelInstanceIAMBindingOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMBindingOutput) Condition 

func (o TunnelInstanceIAMBindingOutput) Condition() TunnelInstanceIAMBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelInstanceIAMBindingOutput) ElementType 

func (TunnelInstanceIAMBindingOutput) ElementType() reflect.Type

func (TunnelInstanceIAMBindingOutput) Etag 

func (o TunnelInstanceIAMBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMBindingOutput) Instance 

func (o TunnelInstanceIAMBindingOutput) Instance() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMBindingOutput) Members 

func (o TunnelInstanceIAMBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMBindingOutput) Project 

func (o TunnelInstanceIAMBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelInstanceIAMBindingOutput) Role 

func (o TunnelInstanceIAMBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutput 

func (o TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutput() TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutputWithContext 

func (o TunnelInstanceIAMBindingOutput) ToTunnelInstanceIAMBindingOutputWithContext(ctx context.Context) TunnelInstanceIAMBindingOutput

func (TunnelInstanceIAMBindingOutput) Zone 

func (o TunnelInstanceIAMBindingOutput) Zone() pulumi.StringOutput

type TunnelInstanceIAMBindingState 

type TunnelInstanceIAMBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	Zone pulumi.StringPtrInput
}

func (TunnelInstanceIAMBindingState) ElementType 

func (TunnelInstanceIAMBindingState) ElementType() reflect.Type

type TunnelInstanceIAMMember 

type TunnelInstanceIAMMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	Zone pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelInstance Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}

* projects/{{project}}/zones/{{zone}}/instances/{{name}}

* {{project}}/{{zone}}/{{name}}

* {{zone}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMMember:TunnelInstanceIAMMember editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMMember 

func GetTunnelInstanceIAMMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMMemberState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMMember, error)

GetTunnelInstanceIAMMember gets an existing TunnelInstanceIAMMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMMember 

func NewTunnelInstanceIAMMember(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMMemberArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMMember, error)

NewTunnelInstanceIAMMember registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMMember) ElementType 

func (*TunnelInstanceIAMMember) ElementType() reflect.Type

func (*TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutput 

func (i *TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput

func (*TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutputWithContext 

func (i *TunnelInstanceIAMMember) ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput

type TunnelInstanceIAMMemberArgs 

type TunnelInstanceIAMMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	Zone pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMMember resource.

func (TunnelInstanceIAMMemberArgs) ElementType 

func (TunnelInstanceIAMMemberArgs) ElementType() reflect.Type

type TunnelInstanceIAMMemberArray 

type TunnelInstanceIAMMemberArray []TunnelInstanceIAMMemberInput

func (TunnelInstanceIAMMemberArray) ElementType 

func (TunnelInstanceIAMMemberArray) ElementType() reflect.Type

func (TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutput 

func (i TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput

func (TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutputWithContext 

func (i TunnelInstanceIAMMemberArray) ToTunnelInstanceIAMMemberArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberArrayInput 

type TunnelInstanceIAMMemberArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput
	ToTunnelInstanceIAMMemberArrayOutputWithContext(context.Context) TunnelInstanceIAMMemberArrayOutput
}

TunnelInstanceIAMMemberArrayInput is an input type that accepts TunnelInstanceIAMMemberArray and TunnelInstanceIAMMemberArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberArrayInput` via: 

TunnelInstanceIAMMemberArray{ TunnelInstanceIAMMemberArgs{...} }

type TunnelInstanceIAMMemberArrayOutput 

type TunnelInstanceIAMMemberArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberArrayOutput) ElementType 

func (TunnelInstanceIAMMemberArrayOutput) ElementType() reflect.Type

func (TunnelInstanceIAMMemberArrayOutput) Index 

func (o TunnelInstanceIAMMemberArrayOutput) Index(i pulumi.IntInput) TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutput 

func (o TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutput() TunnelInstanceIAMMemberArrayOutput

func (TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutputWithContext 

func (o TunnelInstanceIAMMemberArrayOutput) ToTunnelInstanceIAMMemberArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberArrayOutput

type TunnelInstanceIAMMemberCondition 

type TunnelInstanceIAMMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type TunnelInstanceIAMMemberConditionArgs 

type TunnelInstanceIAMMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (TunnelInstanceIAMMemberConditionArgs) ElementType 

func (TunnelInstanceIAMMemberConditionArgs) ElementType() reflect.Type

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutput 

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutputWithContext 

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutput 

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext 

func (i TunnelInstanceIAMMemberConditionArgs) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionInput 

type TunnelInstanceIAMMemberConditionInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput
	ToTunnelInstanceIAMMemberConditionOutputWithContext(context.Context) TunnelInstanceIAMMemberConditionOutput
}

TunnelInstanceIAMMemberConditionInput is an input type that accepts TunnelInstanceIAMMemberConditionArgs and TunnelInstanceIAMMemberConditionOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberConditionInput` via: 

TunnelInstanceIAMMemberConditionArgs{...}

type TunnelInstanceIAMMemberConditionOutput 

type TunnelInstanceIAMMemberConditionOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberConditionOutput) Description 

func (o TunnelInstanceIAMMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMMemberConditionOutput) ElementType 

func (TunnelInstanceIAMMemberConditionOutput) ElementType() reflect.Type

func (TunnelInstanceIAMMemberConditionOutput) Expression 

func (o TunnelInstanceIAMMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMMemberConditionOutput) Title 

func (o TunnelInstanceIAMMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutput 

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutput() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutputWithContext 

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutput 

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext 

func (o TunnelInstanceIAMMemberConditionOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberConditionPtrInput 

type TunnelInstanceIAMMemberConditionPtrInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput
	ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(context.Context) TunnelInstanceIAMMemberConditionPtrOutput
}

TunnelInstanceIAMMemberConditionPtrInput is an input type that accepts TunnelInstanceIAMMemberConditionArgs, TunnelInstanceIAMMemberConditionPtr and TunnelInstanceIAMMemberConditionPtrOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberConditionPtrInput` via: 

        TunnelInstanceIAMMemberConditionArgs{...}

or:

        nil

func TunnelInstanceIAMMemberConditionPtr 

func TunnelInstanceIAMMemberConditionPtr(v *TunnelInstanceIAMMemberConditionArgs) TunnelInstanceIAMMemberConditionPtrInput

type TunnelInstanceIAMMemberConditionPtrOutput 

type TunnelInstanceIAMMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberConditionPtrOutput) Description 

func (o TunnelInstanceIAMMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (TunnelInstanceIAMMemberConditionPtrOutput) Elem 

func (o TunnelInstanceIAMMemberConditionPtrOutput) Elem() TunnelInstanceIAMMemberConditionOutput

func (TunnelInstanceIAMMemberConditionPtrOutput) ElementType 

func (TunnelInstanceIAMMemberConditionPtrOutput) ElementType() reflect.Type

func (TunnelInstanceIAMMemberConditionPtrOutput) Expression 

func (o TunnelInstanceIAMMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (TunnelInstanceIAMMemberConditionPtrOutput) Title 

func (o TunnelInstanceIAMMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutput 

func (o TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutput() TunnelInstanceIAMMemberConditionPtrOutput

func (TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext 

func (o TunnelInstanceIAMMemberConditionPtrOutput) ToTunnelInstanceIAMMemberConditionPtrOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberConditionPtrOutput

type TunnelInstanceIAMMemberInput 

type TunnelInstanceIAMMemberInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput
	ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput
}

type TunnelInstanceIAMMemberMap 

type TunnelInstanceIAMMemberMap map[string]TunnelInstanceIAMMemberInput

func (TunnelInstanceIAMMemberMap) ElementType 

func (TunnelInstanceIAMMemberMap) ElementType() reflect.Type

func (TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutput 

func (i TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput

func (TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutputWithContext 

func (i TunnelInstanceIAMMemberMap) ToTunnelInstanceIAMMemberMapOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberMapInput 

type TunnelInstanceIAMMemberMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput
	ToTunnelInstanceIAMMemberMapOutputWithContext(context.Context) TunnelInstanceIAMMemberMapOutput
}

TunnelInstanceIAMMemberMapInput is an input type that accepts TunnelInstanceIAMMemberMap and TunnelInstanceIAMMemberMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMMemberMapInput` via: 

TunnelInstanceIAMMemberMap{ "key": TunnelInstanceIAMMemberArgs{...} }

type TunnelInstanceIAMMemberMapOutput 

type TunnelInstanceIAMMemberMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberMapOutput) ElementType 

func (TunnelInstanceIAMMemberMapOutput) ElementType() reflect.Type

func (TunnelInstanceIAMMemberMapOutput) MapIndex 

func (o TunnelInstanceIAMMemberMapOutput) MapIndex(k pulumi.StringInput) TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutput 

func (o TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutput() TunnelInstanceIAMMemberMapOutput

func (TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutputWithContext 

func (o TunnelInstanceIAMMemberMapOutput) ToTunnelInstanceIAMMemberMapOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberMapOutput

type TunnelInstanceIAMMemberOutput 

type TunnelInstanceIAMMemberOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMMemberOutput) Condition 

func (o TunnelInstanceIAMMemberOutput) Condition() TunnelInstanceIAMMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (TunnelInstanceIAMMemberOutput) ElementType 

func (TunnelInstanceIAMMemberOutput) ElementType() reflect.Type

func (TunnelInstanceIAMMemberOutput) Etag 

func (o TunnelInstanceIAMMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMMemberOutput) Instance 

func (o TunnelInstanceIAMMemberOutput) Instance() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMMemberOutput) Member 

func (o TunnelInstanceIAMMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (TunnelInstanceIAMMemberOutput) Project 

func (o TunnelInstanceIAMMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelInstanceIAMMemberOutput) Role 

func (o TunnelInstanceIAMMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutput 

func (o TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutput() TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutputWithContext 

func (o TunnelInstanceIAMMemberOutput) ToTunnelInstanceIAMMemberOutputWithContext(ctx context.Context) TunnelInstanceIAMMemberOutput

func (TunnelInstanceIAMMemberOutput) Zone 

func (o TunnelInstanceIAMMemberOutput) Zone() pulumi.StringOutput

type TunnelInstanceIAMMemberState 

type TunnelInstanceIAMMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition TunnelInstanceIAMMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.TunnelInstanceIAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	Zone pulumi.StringPtrInput
}

func (TunnelInstanceIAMMemberState) ElementType 

func (TunnelInstanceIAMMemberState) ElementType() reflect.Type

type TunnelInstanceIAMPolicy 

type TunnelInstanceIAMPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringOutput `pulumi:"instance"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Zone    pulumi.StringOutput `pulumi:"zone"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy TunnelInstance Three different resources help you manage your IAM policy for Identity-Aware Proxy TunnelInstance. Each of these resources serves a different use case:

* `iap.TunnelInstanceIAMPolicy`: Authoritative. Sets the IAM policy for the tunnelinstance and replaces any existing policy already attached. * `iap.TunnelInstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the tunnelinstance are preserved. * `iap.TunnelInstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the tunnelinstance are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.TunnelInstanceIAMPolicy`: Retrieves the IAM policy for the tunnelinstance

> **Note:** `iap.TunnelInstanceIAMPolicy` **cannot** be used in conjunction with `iap.TunnelInstanceIAMBinding` and `iap.TunnelInstanceIAMMember` or they will fight over what your policy should be.

> **Note:** `iap.TunnelInstanceIAMBinding` resources **can be** used in conjunction with `iap.TunnelInstanceIAMMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.TunnelInstanceIAMPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.tunnelResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
			Project:    pulumi.Any(tunnelvm.Project),
			Zone:       pulumi.Any(tunnelvm.Zone),
			Instance:   pulumi.Any(tunnelvm.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.TunnelInstanceIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.TunnelInstanceIAMMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
			Project:  pulumi.Any(tunnelvm.Project),
			Zone:     pulumi.Any(tunnelvm.Zone),
			Instance: pulumi.Any(tunnelvm.Name),
			Role:     pulumi.String("roles/iap.tunnelResourceAccessor"),
			Member:   pulumi.String("user:jane@example.com"),
			Condition: &iap.TunnelInstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}}

* projects/{{project}}/zones/{{zone}}/instances/{{name}}

* {{project}}/{{zone}}/{{name}}

* {{zone}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy tunnelinstance IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor "projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy editor projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetTunnelInstanceIAMPolicy 

func GetTunnelInstanceIAMPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *TunnelInstanceIAMPolicyState, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMPolicy, error)

GetTunnelInstanceIAMPolicy gets an existing TunnelInstanceIAMPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewTunnelInstanceIAMPolicy 

func NewTunnelInstanceIAMPolicy(ctx *pulumi.Context,
	name string, args *TunnelInstanceIAMPolicyArgs, opts ...pulumi.ResourceOption) (*TunnelInstanceIAMPolicy, error)

NewTunnelInstanceIAMPolicy registers a new resource with the given unique name, arguments, and options.

func (*TunnelInstanceIAMPolicy) ElementType 

func (*TunnelInstanceIAMPolicy) ElementType() reflect.Type

func (*TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutput 

func (i *TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput

func (*TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutputWithContext 

func (i *TunnelInstanceIAMPolicy) ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput

type TunnelInstanceIAMPolicyArgs 

type TunnelInstanceIAMPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Zone    pulumi.StringPtrInput
}

The set of arguments for constructing a TunnelInstanceIAMPolicy resource.

func (TunnelInstanceIAMPolicyArgs) ElementType 

func (TunnelInstanceIAMPolicyArgs) ElementType() reflect.Type

type TunnelInstanceIAMPolicyArray 

type TunnelInstanceIAMPolicyArray []TunnelInstanceIAMPolicyInput

func (TunnelInstanceIAMPolicyArray) ElementType 

func (TunnelInstanceIAMPolicyArray) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutput 

func (i TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput

func (TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutputWithContext 

func (i TunnelInstanceIAMPolicyArray) ToTunnelInstanceIAMPolicyArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyArrayInput 

type TunnelInstanceIAMPolicyArrayInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput
	ToTunnelInstanceIAMPolicyArrayOutputWithContext(context.Context) TunnelInstanceIAMPolicyArrayOutput
}

TunnelInstanceIAMPolicyArrayInput is an input type that accepts TunnelInstanceIAMPolicyArray and TunnelInstanceIAMPolicyArrayOutput values. You can construct a concrete instance of `TunnelInstanceIAMPolicyArrayInput` via: 

TunnelInstanceIAMPolicyArray{ TunnelInstanceIAMPolicyArgs{...} }

type TunnelInstanceIAMPolicyArrayOutput 

type TunnelInstanceIAMPolicyArrayOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyArrayOutput) ElementType 

func (TunnelInstanceIAMPolicyArrayOutput) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyArrayOutput) Index 

func (o TunnelInstanceIAMPolicyArrayOutput) Index(i pulumi.IntInput) TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutput 

func (o TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutput() TunnelInstanceIAMPolicyArrayOutput

func (TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutputWithContext 

func (o TunnelInstanceIAMPolicyArrayOutput) ToTunnelInstanceIAMPolicyArrayOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyArrayOutput

type TunnelInstanceIAMPolicyInput 

type TunnelInstanceIAMPolicyInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput
	ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput
}

type TunnelInstanceIAMPolicyMap 

type TunnelInstanceIAMPolicyMap map[string]TunnelInstanceIAMPolicyInput

func (TunnelInstanceIAMPolicyMap) ElementType 

func (TunnelInstanceIAMPolicyMap) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutput 

func (i TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput

func (TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutputWithContext 

func (i TunnelInstanceIAMPolicyMap) ToTunnelInstanceIAMPolicyMapOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyMapInput 

type TunnelInstanceIAMPolicyMapInput interface {
	pulumi.Input

	ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput
	ToTunnelInstanceIAMPolicyMapOutputWithContext(context.Context) TunnelInstanceIAMPolicyMapOutput
}

TunnelInstanceIAMPolicyMapInput is an input type that accepts TunnelInstanceIAMPolicyMap and TunnelInstanceIAMPolicyMapOutput values. You can construct a concrete instance of `TunnelInstanceIAMPolicyMapInput` via: 

TunnelInstanceIAMPolicyMap{ "key": TunnelInstanceIAMPolicyArgs{...} }

type TunnelInstanceIAMPolicyMapOutput 

type TunnelInstanceIAMPolicyMapOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyMapOutput) ElementType 

func (TunnelInstanceIAMPolicyMapOutput) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyMapOutput) MapIndex 

func (o TunnelInstanceIAMPolicyMapOutput) MapIndex(k pulumi.StringInput) TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutput 

func (o TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutput() TunnelInstanceIAMPolicyMapOutput

func (TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutputWithContext 

func (o TunnelInstanceIAMPolicyMapOutput) ToTunnelInstanceIAMPolicyMapOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyMapOutput

type TunnelInstanceIAMPolicyOutput 

type TunnelInstanceIAMPolicyOutput struct{ *pulumi.OutputState }

func (TunnelInstanceIAMPolicyOutput) ElementType 

func (TunnelInstanceIAMPolicyOutput) ElementType() reflect.Type

func (TunnelInstanceIAMPolicyOutput) Etag 

func (o TunnelInstanceIAMPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (TunnelInstanceIAMPolicyOutput) Instance 

func (o TunnelInstanceIAMPolicyOutput) Instance() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

func (TunnelInstanceIAMPolicyOutput) PolicyData 

func (o TunnelInstanceIAMPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (TunnelInstanceIAMPolicyOutput) Project 

func (o TunnelInstanceIAMPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutput 

func (o TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutput() TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutputWithContext 

func (o TunnelInstanceIAMPolicyOutput) ToTunnelInstanceIAMPolicyOutputWithContext(ctx context.Context) TunnelInstanceIAMPolicyOutput

func (TunnelInstanceIAMPolicyOutput) Zone 

func (o TunnelInstanceIAMPolicyOutput) Zone() pulumi.StringOutput

type TunnelInstanceIAMPolicyState 

type TunnelInstanceIAMPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	Instance pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Zone    pulumi.StringPtrInput
}

func (TunnelInstanceIAMPolicyState) ElementType 

func (TunnelInstanceIAMPolicyState) ElementType() reflect.Type

type WebBackendServiceIamBinding 

type WebBackendServiceIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamBinding:WebBackendServiceIamBinding editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamBinding 

func GetWebBackendServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamBindingState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamBinding, error)

GetWebBackendServiceIamBinding gets an existing WebBackendServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamBinding 

func NewWebBackendServiceIamBinding(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamBinding, error)

NewWebBackendServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamBinding) ElementType 

func (*WebBackendServiceIamBinding) ElementType() reflect.Type

func (*WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutput 

func (i *WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput

func (*WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutputWithContext 

func (i *WebBackendServiceIamBinding) ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput

type WebBackendServiceIamBindingArgs 

type WebBackendServiceIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamBinding resource.

func (WebBackendServiceIamBindingArgs) ElementType 

func (WebBackendServiceIamBindingArgs) ElementType() reflect.Type

type WebBackendServiceIamBindingArray 

type WebBackendServiceIamBindingArray []WebBackendServiceIamBindingInput

func (WebBackendServiceIamBindingArray) ElementType 

func (WebBackendServiceIamBindingArray) ElementType() reflect.Type

func (WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutput 

func (i WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput

func (WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutputWithContext 

func (i WebBackendServiceIamBindingArray) ToWebBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingArrayInput 

type WebBackendServiceIamBindingArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput
	ToWebBackendServiceIamBindingArrayOutputWithContext(context.Context) WebBackendServiceIamBindingArrayOutput
}

WebBackendServiceIamBindingArrayInput is an input type that accepts WebBackendServiceIamBindingArray and WebBackendServiceIamBindingArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingArrayInput` via: 

WebBackendServiceIamBindingArray{ WebBackendServiceIamBindingArgs{...} }

type WebBackendServiceIamBindingArrayOutput 

type WebBackendServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingArrayOutput) ElementType 

func (WebBackendServiceIamBindingArrayOutput) ElementType() reflect.Type

func (WebBackendServiceIamBindingArrayOutput) Index 

func (o WebBackendServiceIamBindingArrayOutput) Index(i pulumi.IntInput) WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutput 

func (o WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutput() WebBackendServiceIamBindingArrayOutput

func (WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutputWithContext 

func (o WebBackendServiceIamBindingArrayOutput) ToWebBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebBackendServiceIamBindingArrayOutput

type WebBackendServiceIamBindingCondition 

type WebBackendServiceIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebBackendServiceIamBindingConditionArgs 

type WebBackendServiceIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebBackendServiceIamBindingConditionArgs) ElementType 

func (WebBackendServiceIamBindingConditionArgs) ElementType() reflect.Type

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutput 

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutputWithContext 

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutput 

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutputWithContext 

func (i WebBackendServiceIamBindingConditionArgs) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionInput 

type WebBackendServiceIamBindingConditionInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput
	ToWebBackendServiceIamBindingConditionOutputWithContext(context.Context) WebBackendServiceIamBindingConditionOutput
}

WebBackendServiceIamBindingConditionInput is an input type that accepts WebBackendServiceIamBindingConditionArgs and WebBackendServiceIamBindingConditionOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingConditionInput` via: 

WebBackendServiceIamBindingConditionArgs{...}

type WebBackendServiceIamBindingConditionOutput 

type WebBackendServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingConditionOutput) Description 

func (o WebBackendServiceIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamBindingConditionOutput) ElementType 

func (WebBackendServiceIamBindingConditionOutput) ElementType() reflect.Type

func (WebBackendServiceIamBindingConditionOutput) Expression 

func (o WebBackendServiceIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamBindingConditionOutput) Title 

func (o WebBackendServiceIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutput 

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutput() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutputWithContext 

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutput 

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext 

func (o WebBackendServiceIamBindingConditionOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingConditionPtrInput 

type WebBackendServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput
	ToWebBackendServiceIamBindingConditionPtrOutputWithContext(context.Context) WebBackendServiceIamBindingConditionPtrOutput
}

WebBackendServiceIamBindingConditionPtrInput is an input type that accepts WebBackendServiceIamBindingConditionArgs, WebBackendServiceIamBindingConditionPtr and WebBackendServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingConditionPtrInput` via: 

        WebBackendServiceIamBindingConditionArgs{...}

or:

        nil

func WebBackendServiceIamBindingConditionPtr 

func WebBackendServiceIamBindingConditionPtr(v *WebBackendServiceIamBindingConditionArgs) WebBackendServiceIamBindingConditionPtrInput

type WebBackendServiceIamBindingConditionPtrOutput 

type WebBackendServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingConditionPtrOutput) Description 

func (o WebBackendServiceIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamBindingConditionPtrOutput) Elem 

func (o WebBackendServiceIamBindingConditionPtrOutput) Elem() WebBackendServiceIamBindingConditionOutput

func (WebBackendServiceIamBindingConditionPtrOutput) ElementType 

func (WebBackendServiceIamBindingConditionPtrOutput) ElementType() reflect.Type

func (WebBackendServiceIamBindingConditionPtrOutput) Expression 

func (o WebBackendServiceIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamBindingConditionPtrOutput) Title 

func (o WebBackendServiceIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutput 

func (o WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutput() WebBackendServiceIamBindingConditionPtrOutput

func (WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext 

func (o WebBackendServiceIamBindingConditionPtrOutput) ToWebBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamBindingConditionPtrOutput

type WebBackendServiceIamBindingInput 

type WebBackendServiceIamBindingInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput
	ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput
}

type WebBackendServiceIamBindingMap 

type WebBackendServiceIamBindingMap map[string]WebBackendServiceIamBindingInput

func (WebBackendServiceIamBindingMap) ElementType 

func (WebBackendServiceIamBindingMap) ElementType() reflect.Type

func (WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutput 

func (i WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput

func (WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutputWithContext 

func (i WebBackendServiceIamBindingMap) ToWebBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingMapInput 

type WebBackendServiceIamBindingMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput
	ToWebBackendServiceIamBindingMapOutputWithContext(context.Context) WebBackendServiceIamBindingMapOutput
}

WebBackendServiceIamBindingMapInput is an input type that accepts WebBackendServiceIamBindingMap and WebBackendServiceIamBindingMapOutput values. You can construct a concrete instance of `WebBackendServiceIamBindingMapInput` via: 

WebBackendServiceIamBindingMap{ "key": WebBackendServiceIamBindingArgs{...} }

type WebBackendServiceIamBindingMapOutput 

type WebBackendServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingMapOutput) ElementType 

func (WebBackendServiceIamBindingMapOutput) ElementType() reflect.Type

func (WebBackendServiceIamBindingMapOutput) MapIndex 

func (o WebBackendServiceIamBindingMapOutput) MapIndex(k pulumi.StringInput) WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutput 

func (o WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutput() WebBackendServiceIamBindingMapOutput

func (WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutputWithContext 

func (o WebBackendServiceIamBindingMapOutput) ToWebBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebBackendServiceIamBindingMapOutput

type WebBackendServiceIamBindingOutput 

type WebBackendServiceIamBindingOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamBindingOutput) Condition 

func (o WebBackendServiceIamBindingOutput) Condition() WebBackendServiceIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebBackendServiceIamBindingOutput) ElementType 

func (WebBackendServiceIamBindingOutput) ElementType() reflect.Type

func (WebBackendServiceIamBindingOutput) Etag 

func (o WebBackendServiceIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamBindingOutput) Members 

func (o WebBackendServiceIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamBindingOutput) Project 

func (o WebBackendServiceIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebBackendServiceIamBindingOutput) Role 

func (o WebBackendServiceIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutput 

func (o WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutput() WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutputWithContext 

func (o WebBackendServiceIamBindingOutput) ToWebBackendServiceIamBindingOutputWithContext(ctx context.Context) WebBackendServiceIamBindingOutput

func (WebBackendServiceIamBindingOutput) WebBackendService 

func (o WebBackendServiceIamBindingOutput) WebBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamBindingState 

type WebBackendServiceIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamBindingState) ElementType 

func (WebBackendServiceIamBindingState) ElementType() reflect.Type

type WebBackendServiceIamMember 

type WebBackendServiceIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamMember:WebBackendServiceIamMember editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamMember 

func GetWebBackendServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamMemberState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamMember, error)

GetWebBackendServiceIamMember gets an existing WebBackendServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamMember 

func NewWebBackendServiceIamMember(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamMember, error)

NewWebBackendServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamMember) ElementType 

func (*WebBackendServiceIamMember) ElementType() reflect.Type

func (*WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutput 

func (i *WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput

func (*WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutputWithContext 

func (i *WebBackendServiceIamMember) ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput

type WebBackendServiceIamMemberArgs 

type WebBackendServiceIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamMember resource.

func (WebBackendServiceIamMemberArgs) ElementType 

func (WebBackendServiceIamMemberArgs) ElementType() reflect.Type

type WebBackendServiceIamMemberArray 

type WebBackendServiceIamMemberArray []WebBackendServiceIamMemberInput

func (WebBackendServiceIamMemberArray) ElementType 

func (WebBackendServiceIamMemberArray) ElementType() reflect.Type

func (WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutput 

func (i WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput

func (WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutputWithContext 

func (i WebBackendServiceIamMemberArray) ToWebBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberArrayInput 

type WebBackendServiceIamMemberArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput
	ToWebBackendServiceIamMemberArrayOutputWithContext(context.Context) WebBackendServiceIamMemberArrayOutput
}

WebBackendServiceIamMemberArrayInput is an input type that accepts WebBackendServiceIamMemberArray and WebBackendServiceIamMemberArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberArrayInput` via: 

WebBackendServiceIamMemberArray{ WebBackendServiceIamMemberArgs{...} }

type WebBackendServiceIamMemberArrayOutput 

type WebBackendServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberArrayOutput) ElementType 

func (WebBackendServiceIamMemberArrayOutput) ElementType() reflect.Type

func (WebBackendServiceIamMemberArrayOutput) Index 

func (o WebBackendServiceIamMemberArrayOutput) Index(i pulumi.IntInput) WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutput 

func (o WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutput() WebBackendServiceIamMemberArrayOutput

func (WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutputWithContext 

func (o WebBackendServiceIamMemberArrayOutput) ToWebBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebBackendServiceIamMemberArrayOutput

type WebBackendServiceIamMemberCondition 

type WebBackendServiceIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebBackendServiceIamMemberConditionArgs 

type WebBackendServiceIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebBackendServiceIamMemberConditionArgs) ElementType 

func (WebBackendServiceIamMemberConditionArgs) ElementType() reflect.Type

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutput 

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutputWithContext 

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutput 

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutputWithContext 

func (i WebBackendServiceIamMemberConditionArgs) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionInput 

type WebBackendServiceIamMemberConditionInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput
	ToWebBackendServiceIamMemberConditionOutputWithContext(context.Context) WebBackendServiceIamMemberConditionOutput
}

WebBackendServiceIamMemberConditionInput is an input type that accepts WebBackendServiceIamMemberConditionArgs and WebBackendServiceIamMemberConditionOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberConditionInput` via: 

WebBackendServiceIamMemberConditionArgs{...}

type WebBackendServiceIamMemberConditionOutput 

type WebBackendServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberConditionOutput) Description 

func (o WebBackendServiceIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamMemberConditionOutput) ElementType 

func (WebBackendServiceIamMemberConditionOutput) ElementType() reflect.Type

func (WebBackendServiceIamMemberConditionOutput) Expression 

func (o WebBackendServiceIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamMemberConditionOutput) Title 

func (o WebBackendServiceIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutput 

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutput() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutputWithContext 

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutput 

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext 

func (o WebBackendServiceIamMemberConditionOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberConditionPtrInput 

type WebBackendServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput
	ToWebBackendServiceIamMemberConditionPtrOutputWithContext(context.Context) WebBackendServiceIamMemberConditionPtrOutput
}

WebBackendServiceIamMemberConditionPtrInput is an input type that accepts WebBackendServiceIamMemberConditionArgs, WebBackendServiceIamMemberConditionPtr and WebBackendServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberConditionPtrInput` via: 

        WebBackendServiceIamMemberConditionArgs{...}

or:

        nil

func WebBackendServiceIamMemberConditionPtr 

func WebBackendServiceIamMemberConditionPtr(v *WebBackendServiceIamMemberConditionArgs) WebBackendServiceIamMemberConditionPtrInput

type WebBackendServiceIamMemberConditionPtrOutput 

type WebBackendServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberConditionPtrOutput) Description 

func (o WebBackendServiceIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebBackendServiceIamMemberConditionPtrOutput) Elem 

func (o WebBackendServiceIamMemberConditionPtrOutput) Elem() WebBackendServiceIamMemberConditionOutput

func (WebBackendServiceIamMemberConditionPtrOutput) ElementType 

func (WebBackendServiceIamMemberConditionPtrOutput) ElementType() reflect.Type

func (WebBackendServiceIamMemberConditionPtrOutput) Expression 

func (o WebBackendServiceIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebBackendServiceIamMemberConditionPtrOutput) Title 

func (o WebBackendServiceIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutput 

func (o WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutput() WebBackendServiceIamMemberConditionPtrOutput

func (WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext 

func (o WebBackendServiceIamMemberConditionPtrOutput) ToWebBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebBackendServiceIamMemberConditionPtrOutput

type WebBackendServiceIamMemberInput 

type WebBackendServiceIamMemberInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput
	ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput
}

type WebBackendServiceIamMemberMap 

type WebBackendServiceIamMemberMap map[string]WebBackendServiceIamMemberInput

func (WebBackendServiceIamMemberMap) ElementType 

func (WebBackendServiceIamMemberMap) ElementType() reflect.Type

func (WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutput 

func (i WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput

func (WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutputWithContext 

func (i WebBackendServiceIamMemberMap) ToWebBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberMapInput 

type WebBackendServiceIamMemberMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput
	ToWebBackendServiceIamMemberMapOutputWithContext(context.Context) WebBackendServiceIamMemberMapOutput
}

WebBackendServiceIamMemberMapInput is an input type that accepts WebBackendServiceIamMemberMap and WebBackendServiceIamMemberMapOutput values. You can construct a concrete instance of `WebBackendServiceIamMemberMapInput` via: 

WebBackendServiceIamMemberMap{ "key": WebBackendServiceIamMemberArgs{...} }

type WebBackendServiceIamMemberMapOutput 

type WebBackendServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberMapOutput) ElementType 

func (WebBackendServiceIamMemberMapOutput) ElementType() reflect.Type

func (WebBackendServiceIamMemberMapOutput) MapIndex 

func (o WebBackendServiceIamMemberMapOutput) MapIndex(k pulumi.StringInput) WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutput 

func (o WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutput() WebBackendServiceIamMemberMapOutput

func (WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutputWithContext 

func (o WebBackendServiceIamMemberMapOutput) ToWebBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebBackendServiceIamMemberMapOutput

type WebBackendServiceIamMemberOutput 

type WebBackendServiceIamMemberOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamMemberOutput) Condition 

func (o WebBackendServiceIamMemberOutput) Condition() WebBackendServiceIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebBackendServiceIamMemberOutput) ElementType 

func (WebBackendServiceIamMemberOutput) ElementType() reflect.Type

func (WebBackendServiceIamMemberOutput) Etag 

func (o WebBackendServiceIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamMemberOutput) Member 

func (o WebBackendServiceIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebBackendServiceIamMemberOutput) Project 

func (o WebBackendServiceIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebBackendServiceIamMemberOutput) Role 

func (o WebBackendServiceIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutput 

func (o WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutput() WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutputWithContext 

func (o WebBackendServiceIamMemberOutput) ToWebBackendServiceIamMemberOutputWithContext(ctx context.Context) WebBackendServiceIamMemberOutput

func (WebBackendServiceIamMemberOutput) WebBackendService 

func (o WebBackendServiceIamMemberOutput) WebBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamMemberState 

type WebBackendServiceIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebBackendServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamMemberState) ElementType 

func (WebBackendServiceIamMemberState) ElementType() reflect.Type

type WebBackendServiceIamPolicy 

type WebBackendServiceIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringOutput `pulumi:"webBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebBackendService. Each of these resources serves a different use case:

* `iap.WebBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webbackendservice and replaces any existing policy already attached. * `iap.WebBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webbackendservice are preserved. * `iap.WebBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebBackendServiceIamPolicy`: Retrieves the IAM policy for the webbackendservice

> **Note:** `iap.WebBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebBackendServiceIamBinding` and `iap.WebBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebBackendServiceIamPolicy(ctx, "policy", &iap.WebBackendServiceIamPolicyArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			PolicyData:        pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamBinding(ctx, "binding", &iap.WebBackendServiceIamBindingArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebBackendServiceIamMember(ctx, "member", &iap.WebBackendServiceIamMemberArgs{
			Project:           pulumi.Any(_default.Project),
			WebBackendService: pulumi.Any(_default.Name),
			Role:              pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:            pulumi.String("user:jane@example.com"),
			Condition: &iap.WebBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute/services/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute/services/{{web_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webBackendServiceIamPolicy:WebBackendServiceIamPolicy editor projects/{{project}}/iap_web/compute/services/{{web_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebBackendServiceIamPolicy 

func GetWebBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebBackendServiceIamPolicyState, opts ...pulumi.ResourceOption) (*WebBackendServiceIamPolicy, error)

GetWebBackendServiceIamPolicy gets an existing WebBackendServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebBackendServiceIamPolicy 

func NewWebBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, args *WebBackendServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebBackendServiceIamPolicy, error)

NewWebBackendServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebBackendServiceIamPolicy) ElementType 

func (*WebBackendServiceIamPolicy) ElementType() reflect.Type

func (*WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutput 

func (i *WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput

func (*WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutputWithContext 

func (i *WebBackendServiceIamPolicy) ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput

type WebBackendServiceIamPolicyArgs 

type WebBackendServiceIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringInput
}

The set of arguments for constructing a WebBackendServiceIamPolicy resource.

func (WebBackendServiceIamPolicyArgs) ElementType 

func (WebBackendServiceIamPolicyArgs) ElementType() reflect.Type

type WebBackendServiceIamPolicyArray 

type WebBackendServiceIamPolicyArray []WebBackendServiceIamPolicyInput

func (WebBackendServiceIamPolicyArray) ElementType 

func (WebBackendServiceIamPolicyArray) ElementType() reflect.Type

func (WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutput 

func (i WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput

func (WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutputWithContext 

func (i WebBackendServiceIamPolicyArray) ToWebBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyArrayInput 

type WebBackendServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput
	ToWebBackendServiceIamPolicyArrayOutputWithContext(context.Context) WebBackendServiceIamPolicyArrayOutput
}

WebBackendServiceIamPolicyArrayInput is an input type that accepts WebBackendServiceIamPolicyArray and WebBackendServiceIamPolicyArrayOutput values. You can construct a concrete instance of `WebBackendServiceIamPolicyArrayInput` via: 

WebBackendServiceIamPolicyArray{ WebBackendServiceIamPolicyArgs{...} }

type WebBackendServiceIamPolicyArrayOutput 

type WebBackendServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyArrayOutput) ElementType 

func (WebBackendServiceIamPolicyArrayOutput) ElementType() reflect.Type

func (WebBackendServiceIamPolicyArrayOutput) Index 

func (o WebBackendServiceIamPolicyArrayOutput) Index(i pulumi.IntInput) WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutput 

func (o WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutput() WebBackendServiceIamPolicyArrayOutput

func (WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutputWithContext 

func (o WebBackendServiceIamPolicyArrayOutput) ToWebBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyArrayOutput

type WebBackendServiceIamPolicyInput 

type WebBackendServiceIamPolicyInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput
	ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput
}

type WebBackendServiceIamPolicyMap 

type WebBackendServiceIamPolicyMap map[string]WebBackendServiceIamPolicyInput

func (WebBackendServiceIamPolicyMap) ElementType 

func (WebBackendServiceIamPolicyMap) ElementType() reflect.Type

func (WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutput 

func (i WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput

func (WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutputWithContext 

func (i WebBackendServiceIamPolicyMap) ToWebBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyMapInput 

type WebBackendServiceIamPolicyMapInput interface {
	pulumi.Input

	ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput
	ToWebBackendServiceIamPolicyMapOutputWithContext(context.Context) WebBackendServiceIamPolicyMapOutput
}

WebBackendServiceIamPolicyMapInput is an input type that accepts WebBackendServiceIamPolicyMap and WebBackendServiceIamPolicyMapOutput values. You can construct a concrete instance of `WebBackendServiceIamPolicyMapInput` via: 

WebBackendServiceIamPolicyMap{ "key": WebBackendServiceIamPolicyArgs{...} }

type WebBackendServiceIamPolicyMapOutput 

type WebBackendServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyMapOutput) ElementType 

func (WebBackendServiceIamPolicyMapOutput) ElementType() reflect.Type

func (WebBackendServiceIamPolicyMapOutput) MapIndex 

func (o WebBackendServiceIamPolicyMapOutput) MapIndex(k pulumi.StringInput) WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutput 

func (o WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutput() WebBackendServiceIamPolicyMapOutput

func (WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutputWithContext 

func (o WebBackendServiceIamPolicyMapOutput) ToWebBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyMapOutput

type WebBackendServiceIamPolicyOutput 

type WebBackendServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (WebBackendServiceIamPolicyOutput) ElementType 

func (WebBackendServiceIamPolicyOutput) ElementType() reflect.Type

func (WebBackendServiceIamPolicyOutput) Etag 

func (o WebBackendServiceIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebBackendServiceIamPolicyOutput) PolicyData 

func (o WebBackendServiceIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebBackendServiceIamPolicyOutput) Project 

func (o WebBackendServiceIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutput 

func (o WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutput() WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutputWithContext 

func (o WebBackendServiceIamPolicyOutput) ToWebBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebBackendServiceIamPolicyOutput

func (WebBackendServiceIamPolicyOutput) WebBackendService 

func (o WebBackendServiceIamPolicyOutput) WebBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebBackendServiceIamPolicyState 

type WebBackendServiceIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebBackendService pulumi.StringPtrInput
}

func (WebBackendServiceIamPolicyState) ElementType 

func (WebBackendServiceIamPolicyState) ElementType() reflect.Type

type WebIamBinding 

type WebIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Web Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webIamBinding:WebIamBinding editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webIamBinding:WebIamBinding editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webIamBinding:WebIamBinding editor projects/{{project}}/iap_web ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamBinding 

func GetWebIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamBindingState, opts ...pulumi.ResourceOption) (*WebIamBinding, error)

GetWebIamBinding gets an existing WebIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamBinding 

func NewWebIamBinding(ctx *pulumi.Context,
	name string, args *WebIamBindingArgs, opts ...pulumi.ResourceOption) (*WebIamBinding, error)

NewWebIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebIamBinding) ElementType 

func (*WebIamBinding) ElementType() reflect.Type

func (*WebIamBinding) ToWebIamBindingOutput 

func (i *WebIamBinding) ToWebIamBindingOutput() WebIamBindingOutput

func (*WebIamBinding) ToWebIamBindingOutputWithContext 

func (i *WebIamBinding) ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput

type WebIamBindingArgs 

type WebIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebIamBinding resource.

func (WebIamBindingArgs) ElementType 

func (WebIamBindingArgs) ElementType() reflect.Type

type WebIamBindingArray 

type WebIamBindingArray []WebIamBindingInput

func (WebIamBindingArray) ElementType 

func (WebIamBindingArray) ElementType() reflect.Type

func (WebIamBindingArray) ToWebIamBindingArrayOutput 

func (i WebIamBindingArray) ToWebIamBindingArrayOutput() WebIamBindingArrayOutput

func (WebIamBindingArray) ToWebIamBindingArrayOutputWithContext 

func (i WebIamBindingArray) ToWebIamBindingArrayOutputWithContext(ctx context.Context) WebIamBindingArrayOutput

type WebIamBindingArrayInput 

type WebIamBindingArrayInput interface {
	pulumi.Input

	ToWebIamBindingArrayOutput() WebIamBindingArrayOutput
	ToWebIamBindingArrayOutputWithContext(context.Context) WebIamBindingArrayOutput
}

WebIamBindingArrayInput is an input type that accepts WebIamBindingArray and WebIamBindingArrayOutput values. You can construct a concrete instance of `WebIamBindingArrayInput` via: 

WebIamBindingArray{ WebIamBindingArgs{...} }

type WebIamBindingArrayOutput 

type WebIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebIamBindingArrayOutput) ElementType 

func (WebIamBindingArrayOutput) ElementType() reflect.Type

func (WebIamBindingArrayOutput) Index 

func (o WebIamBindingArrayOutput) Index(i pulumi.IntInput) WebIamBindingOutput

func (WebIamBindingArrayOutput) ToWebIamBindingArrayOutput 

func (o WebIamBindingArrayOutput) ToWebIamBindingArrayOutput() WebIamBindingArrayOutput

func (WebIamBindingArrayOutput) ToWebIamBindingArrayOutputWithContext 

func (o WebIamBindingArrayOutput) ToWebIamBindingArrayOutputWithContext(ctx context.Context) WebIamBindingArrayOutput

type WebIamBindingCondition 

type WebIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebIamBindingConditionArgs 

type WebIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebIamBindingConditionArgs) ElementType 

func (WebIamBindingConditionArgs) ElementType() reflect.Type

func (WebIamBindingConditionArgs) ToWebIamBindingConditionOutput 

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionOutput() WebIamBindingConditionOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionOutputWithContext 

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionOutputWithContext(ctx context.Context) WebIamBindingConditionOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutput 

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutputWithContext 

func (i WebIamBindingConditionArgs) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingConditionInput 

type WebIamBindingConditionInput interface {
	pulumi.Input

	ToWebIamBindingConditionOutput() WebIamBindingConditionOutput
	ToWebIamBindingConditionOutputWithContext(context.Context) WebIamBindingConditionOutput
}

WebIamBindingConditionInput is an input type that accepts WebIamBindingConditionArgs and WebIamBindingConditionOutput values. You can construct a concrete instance of `WebIamBindingConditionInput` via: 

WebIamBindingConditionArgs{...}

type WebIamBindingConditionOutput 

type WebIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebIamBindingConditionOutput) Description 

func (o WebIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamBindingConditionOutput) ElementType 

func (WebIamBindingConditionOutput) ElementType() reflect.Type

func (WebIamBindingConditionOutput) Expression 

func (o WebIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebIamBindingConditionOutput) Title 

func (o WebIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebIamBindingConditionOutput) ToWebIamBindingConditionOutput 

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionOutput() WebIamBindingConditionOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionOutputWithContext 

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionOutputWithContext(ctx context.Context) WebIamBindingConditionOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutput 

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutputWithContext 

func (o WebIamBindingConditionOutput) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingConditionPtrInput 

type WebIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput
	ToWebIamBindingConditionPtrOutputWithContext(context.Context) WebIamBindingConditionPtrOutput
}

WebIamBindingConditionPtrInput is an input type that accepts WebIamBindingConditionArgs, WebIamBindingConditionPtr and WebIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebIamBindingConditionPtrInput` via: 

        WebIamBindingConditionArgs{...}

or:

        nil

func WebIamBindingConditionPtr 

func WebIamBindingConditionPtr(v *WebIamBindingConditionArgs) WebIamBindingConditionPtrInput

type WebIamBindingConditionPtrOutput 

type WebIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebIamBindingConditionPtrOutput) Description 

func (o WebIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamBindingConditionPtrOutput) Elem 

func (o WebIamBindingConditionPtrOutput) Elem() WebIamBindingConditionOutput

func (WebIamBindingConditionPtrOutput) ElementType 

func (WebIamBindingConditionPtrOutput) ElementType() reflect.Type

func (WebIamBindingConditionPtrOutput) Expression 

func (o WebIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebIamBindingConditionPtrOutput) Title 

func (o WebIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutput 

func (o WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutput() WebIamBindingConditionPtrOutput

func (WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutputWithContext 

func (o WebIamBindingConditionPtrOutput) ToWebIamBindingConditionPtrOutputWithContext(ctx context.Context) WebIamBindingConditionPtrOutput

type WebIamBindingInput 

type WebIamBindingInput interface {
	pulumi.Input

	ToWebIamBindingOutput() WebIamBindingOutput
	ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput
}

type WebIamBindingMap 

type WebIamBindingMap map[string]WebIamBindingInput

func (WebIamBindingMap) ElementType 

func (WebIamBindingMap) ElementType() reflect.Type

func (WebIamBindingMap) ToWebIamBindingMapOutput 

func (i WebIamBindingMap) ToWebIamBindingMapOutput() WebIamBindingMapOutput

func (WebIamBindingMap) ToWebIamBindingMapOutputWithContext 

func (i WebIamBindingMap) ToWebIamBindingMapOutputWithContext(ctx context.Context) WebIamBindingMapOutput

type WebIamBindingMapInput 

type WebIamBindingMapInput interface {
	pulumi.Input

	ToWebIamBindingMapOutput() WebIamBindingMapOutput
	ToWebIamBindingMapOutputWithContext(context.Context) WebIamBindingMapOutput
}

WebIamBindingMapInput is an input type that accepts WebIamBindingMap and WebIamBindingMapOutput values. You can construct a concrete instance of `WebIamBindingMapInput` via: 

WebIamBindingMap{ "key": WebIamBindingArgs{...} }

type WebIamBindingMapOutput 

type WebIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebIamBindingMapOutput) ElementType 

func (WebIamBindingMapOutput) ElementType() reflect.Type

func (WebIamBindingMapOutput) MapIndex 

func (o WebIamBindingMapOutput) MapIndex(k pulumi.StringInput) WebIamBindingOutput

func (WebIamBindingMapOutput) ToWebIamBindingMapOutput 

func (o WebIamBindingMapOutput) ToWebIamBindingMapOutput() WebIamBindingMapOutput

func (WebIamBindingMapOutput) ToWebIamBindingMapOutputWithContext 

func (o WebIamBindingMapOutput) ToWebIamBindingMapOutputWithContext(ctx context.Context) WebIamBindingMapOutput

type WebIamBindingOutput 

type WebIamBindingOutput struct{ *pulumi.OutputState }

func (WebIamBindingOutput) Condition 

func (o WebIamBindingOutput) Condition() WebIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebIamBindingOutput) ElementType 

func (WebIamBindingOutput) ElementType() reflect.Type

func (WebIamBindingOutput) Etag 

func (o WebIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebIamBindingOutput) Members 

func (o WebIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamBindingOutput) Project 

func (o WebIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebIamBindingOutput) Role 

func (o WebIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebIamBindingOutput) ToWebIamBindingOutput 

func (o WebIamBindingOutput) ToWebIamBindingOutput() WebIamBindingOutput

func (WebIamBindingOutput) ToWebIamBindingOutputWithContext 

func (o WebIamBindingOutput) ToWebIamBindingOutputWithContext(ctx context.Context) WebIamBindingOutput

type WebIamBindingState 

type WebIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebIamBindingState) ElementType 

func (WebIamBindingState) ElementType() reflect.Type

type WebIamMember 

type WebIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Web Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webIamMember:WebIamMember editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webIamMember:WebIamMember editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webIamMember:WebIamMember editor projects/{{project}}/iap_web ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamMember 

func GetWebIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamMemberState, opts ...pulumi.ResourceOption) (*WebIamMember, error)

GetWebIamMember gets an existing WebIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamMember 

func NewWebIamMember(ctx *pulumi.Context,
	name string, args *WebIamMemberArgs, opts ...pulumi.ResourceOption) (*WebIamMember, error)

NewWebIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebIamMember) ElementType 

func (*WebIamMember) ElementType() reflect.Type

func (*WebIamMember) ToWebIamMemberOutput 

func (i *WebIamMember) ToWebIamMemberOutput() WebIamMemberOutput

func (*WebIamMember) ToWebIamMemberOutputWithContext 

func (i *WebIamMember) ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput

type WebIamMemberArgs 

type WebIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebIamMember resource.

func (WebIamMemberArgs) ElementType 

func (WebIamMemberArgs) ElementType() reflect.Type

type WebIamMemberArray 

type WebIamMemberArray []WebIamMemberInput

func (WebIamMemberArray) ElementType 

func (WebIamMemberArray) ElementType() reflect.Type

func (WebIamMemberArray) ToWebIamMemberArrayOutput 

func (i WebIamMemberArray) ToWebIamMemberArrayOutput() WebIamMemberArrayOutput

func (WebIamMemberArray) ToWebIamMemberArrayOutputWithContext 

func (i WebIamMemberArray) ToWebIamMemberArrayOutputWithContext(ctx context.Context) WebIamMemberArrayOutput

type WebIamMemberArrayInput 

type WebIamMemberArrayInput interface {
	pulumi.Input

	ToWebIamMemberArrayOutput() WebIamMemberArrayOutput
	ToWebIamMemberArrayOutputWithContext(context.Context) WebIamMemberArrayOutput
}

WebIamMemberArrayInput is an input type that accepts WebIamMemberArray and WebIamMemberArrayOutput values. You can construct a concrete instance of `WebIamMemberArrayInput` via: 

WebIamMemberArray{ WebIamMemberArgs{...} }

type WebIamMemberArrayOutput 

type WebIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebIamMemberArrayOutput) ElementType 

func (WebIamMemberArrayOutput) ElementType() reflect.Type

func (WebIamMemberArrayOutput) Index 

func (o WebIamMemberArrayOutput) Index(i pulumi.IntInput) WebIamMemberOutput

func (WebIamMemberArrayOutput) ToWebIamMemberArrayOutput 

func (o WebIamMemberArrayOutput) ToWebIamMemberArrayOutput() WebIamMemberArrayOutput

func (WebIamMemberArrayOutput) ToWebIamMemberArrayOutputWithContext 

func (o WebIamMemberArrayOutput) ToWebIamMemberArrayOutputWithContext(ctx context.Context) WebIamMemberArrayOutput

type WebIamMemberCondition 

type WebIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebIamMemberConditionArgs 

type WebIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebIamMemberConditionArgs) ElementType 

func (WebIamMemberConditionArgs) ElementType() reflect.Type

func (WebIamMemberConditionArgs) ToWebIamMemberConditionOutput 

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionOutput() WebIamMemberConditionOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionOutputWithContext 

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionOutputWithContext(ctx context.Context) WebIamMemberConditionOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutput 

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutputWithContext 

func (i WebIamMemberConditionArgs) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberConditionInput 

type WebIamMemberConditionInput interface {
	pulumi.Input

	ToWebIamMemberConditionOutput() WebIamMemberConditionOutput
	ToWebIamMemberConditionOutputWithContext(context.Context) WebIamMemberConditionOutput
}

WebIamMemberConditionInput is an input type that accepts WebIamMemberConditionArgs and WebIamMemberConditionOutput values. You can construct a concrete instance of `WebIamMemberConditionInput` via: 

WebIamMemberConditionArgs{...}

type WebIamMemberConditionOutput 

type WebIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebIamMemberConditionOutput) Description 

func (o WebIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamMemberConditionOutput) ElementType 

func (WebIamMemberConditionOutput) ElementType() reflect.Type

func (WebIamMemberConditionOutput) Expression 

func (o WebIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebIamMemberConditionOutput) Title 

func (o WebIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebIamMemberConditionOutput) ToWebIamMemberConditionOutput 

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionOutput() WebIamMemberConditionOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionOutputWithContext 

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionOutputWithContext(ctx context.Context) WebIamMemberConditionOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutput 

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutputWithContext 

func (o WebIamMemberConditionOutput) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberConditionPtrInput 

type WebIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput
	ToWebIamMemberConditionPtrOutputWithContext(context.Context) WebIamMemberConditionPtrOutput
}

WebIamMemberConditionPtrInput is an input type that accepts WebIamMemberConditionArgs, WebIamMemberConditionPtr and WebIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebIamMemberConditionPtrInput` via: 

        WebIamMemberConditionArgs{...}

or:

        nil

func WebIamMemberConditionPtr 

func WebIamMemberConditionPtr(v *WebIamMemberConditionArgs) WebIamMemberConditionPtrInput

type WebIamMemberConditionPtrOutput 

type WebIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebIamMemberConditionPtrOutput) Description 

func (o WebIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebIamMemberConditionPtrOutput) Elem 

func (o WebIamMemberConditionPtrOutput) Elem() WebIamMemberConditionOutput

func (WebIamMemberConditionPtrOutput) ElementType 

func (WebIamMemberConditionPtrOutput) ElementType() reflect.Type

func (WebIamMemberConditionPtrOutput) Expression 

func (o WebIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebIamMemberConditionPtrOutput) Title 

func (o WebIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutput 

func (o WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutput() WebIamMemberConditionPtrOutput

func (WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutputWithContext 

func (o WebIamMemberConditionPtrOutput) ToWebIamMemberConditionPtrOutputWithContext(ctx context.Context) WebIamMemberConditionPtrOutput

type WebIamMemberInput 

type WebIamMemberInput interface {
	pulumi.Input

	ToWebIamMemberOutput() WebIamMemberOutput
	ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput
}

type WebIamMemberMap 

type WebIamMemberMap map[string]WebIamMemberInput

func (WebIamMemberMap) ElementType 

func (WebIamMemberMap) ElementType() reflect.Type

func (WebIamMemberMap) ToWebIamMemberMapOutput 

func (i WebIamMemberMap) ToWebIamMemberMapOutput() WebIamMemberMapOutput

func (WebIamMemberMap) ToWebIamMemberMapOutputWithContext 

func (i WebIamMemberMap) ToWebIamMemberMapOutputWithContext(ctx context.Context) WebIamMemberMapOutput

type WebIamMemberMapInput 

type WebIamMemberMapInput interface {
	pulumi.Input

	ToWebIamMemberMapOutput() WebIamMemberMapOutput
	ToWebIamMemberMapOutputWithContext(context.Context) WebIamMemberMapOutput
}

WebIamMemberMapInput is an input type that accepts WebIamMemberMap and WebIamMemberMapOutput values. You can construct a concrete instance of `WebIamMemberMapInput` via: 

WebIamMemberMap{ "key": WebIamMemberArgs{...} }

type WebIamMemberMapOutput 

type WebIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebIamMemberMapOutput) ElementType 

func (WebIamMemberMapOutput) ElementType() reflect.Type

func (WebIamMemberMapOutput) MapIndex 

func (o WebIamMemberMapOutput) MapIndex(k pulumi.StringInput) WebIamMemberOutput

func (WebIamMemberMapOutput) ToWebIamMemberMapOutput 

func (o WebIamMemberMapOutput) ToWebIamMemberMapOutput() WebIamMemberMapOutput

func (WebIamMemberMapOutput) ToWebIamMemberMapOutputWithContext 

func (o WebIamMemberMapOutput) ToWebIamMemberMapOutputWithContext(ctx context.Context) WebIamMemberMapOutput

type WebIamMemberOutput 

type WebIamMemberOutput struct{ *pulumi.OutputState }

func (WebIamMemberOutput) Condition 

func (o WebIamMemberOutput) Condition() WebIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebIamMemberOutput) ElementType 

func (WebIamMemberOutput) ElementType() reflect.Type

func (WebIamMemberOutput) Etag 

func (o WebIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebIamMemberOutput) Member 

func (o WebIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebIamMemberOutput) Project 

func (o WebIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebIamMemberOutput) Role 

func (o WebIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebIamMemberOutput) ToWebIamMemberOutput 

func (o WebIamMemberOutput) ToWebIamMemberOutput() WebIamMemberOutput

func (WebIamMemberOutput) ToWebIamMemberOutputWithContext 

func (o WebIamMemberOutput) ToWebIamMemberOutputWithContext(ctx context.Context) WebIamMemberOutput

type WebIamMemberState 

type WebIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebIamMemberState) ElementType 

func (WebIamMemberState) ElementType() reflect.Type

type WebIamPolicy 

type WebIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy Web Three different resources help you manage your IAM policy for Identity-Aware Proxy Web. Each of these resources serves a different use case:

* `iap.WebIamPolicy`: Authoritative. Sets the IAM policy for the web and replaces any existing policy already attached. * `iap.WebIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the web are preserved. * `iap.WebIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the web are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebIamPolicy`: Retrieves the IAM policy for the web

> **Note:** `iap.WebIamPolicy` **cannot** be used in conjunction with `iap.WebIamBinding` and `iap.WebIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebIamBinding` resources **can be** used in conjunction with `iap.WebIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebIamPolicy(ctx, "policy", &iap.WebIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamBinding(ctx, "binding", &iap.WebIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebIamMember(ctx, "member", &iap.WebIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy web IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor "projects/{{project}}/iap_web roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webIamPolicy:WebIamPolicy editor projects/{{project}}/iap_web ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebIamPolicy 

func GetWebIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebIamPolicyState, opts ...pulumi.ResourceOption) (*WebIamPolicy, error)

GetWebIamPolicy gets an existing WebIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebIamPolicy 

func NewWebIamPolicy(ctx *pulumi.Context,
	name string, args *WebIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebIamPolicy, error)

NewWebIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebIamPolicy) ElementType 

func (*WebIamPolicy) ElementType() reflect.Type

func (*WebIamPolicy) ToWebIamPolicyOutput 

func (i *WebIamPolicy) ToWebIamPolicyOutput() WebIamPolicyOutput

func (*WebIamPolicy) ToWebIamPolicyOutputWithContext 

func (i *WebIamPolicy) ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput

type WebIamPolicyArgs 

type WebIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebIamPolicy resource.

func (WebIamPolicyArgs) ElementType 

func (WebIamPolicyArgs) ElementType() reflect.Type

type WebIamPolicyArray 

type WebIamPolicyArray []WebIamPolicyInput

func (WebIamPolicyArray) ElementType 

func (WebIamPolicyArray) ElementType() reflect.Type

func (WebIamPolicyArray) ToWebIamPolicyArrayOutput 

func (i WebIamPolicyArray) ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput

func (WebIamPolicyArray) ToWebIamPolicyArrayOutputWithContext 

func (i WebIamPolicyArray) ToWebIamPolicyArrayOutputWithContext(ctx context.Context) WebIamPolicyArrayOutput

type WebIamPolicyArrayInput 

type WebIamPolicyArrayInput interface {
	pulumi.Input

	ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput
	ToWebIamPolicyArrayOutputWithContext(context.Context) WebIamPolicyArrayOutput
}

WebIamPolicyArrayInput is an input type that accepts WebIamPolicyArray and WebIamPolicyArrayOutput values. You can construct a concrete instance of `WebIamPolicyArrayInput` via: 

WebIamPolicyArray{ WebIamPolicyArgs{...} }

type WebIamPolicyArrayOutput 

type WebIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebIamPolicyArrayOutput) ElementType 

func (WebIamPolicyArrayOutput) ElementType() reflect.Type

func (WebIamPolicyArrayOutput) Index 

func (o WebIamPolicyArrayOutput) Index(i pulumi.IntInput) WebIamPolicyOutput

func (WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutput 

func (o WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutput() WebIamPolicyArrayOutput

func (WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutputWithContext 

func (o WebIamPolicyArrayOutput) ToWebIamPolicyArrayOutputWithContext(ctx context.Context) WebIamPolicyArrayOutput

type WebIamPolicyInput 

type WebIamPolicyInput interface {
	pulumi.Input

	ToWebIamPolicyOutput() WebIamPolicyOutput
	ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput
}

type WebIamPolicyMap 

type WebIamPolicyMap map[string]WebIamPolicyInput

func (WebIamPolicyMap) ElementType 

func (WebIamPolicyMap) ElementType() reflect.Type

func (WebIamPolicyMap) ToWebIamPolicyMapOutput 

func (i WebIamPolicyMap) ToWebIamPolicyMapOutput() WebIamPolicyMapOutput

func (WebIamPolicyMap) ToWebIamPolicyMapOutputWithContext 

func (i WebIamPolicyMap) ToWebIamPolicyMapOutputWithContext(ctx context.Context) WebIamPolicyMapOutput

type WebIamPolicyMapInput 

type WebIamPolicyMapInput interface {
	pulumi.Input

	ToWebIamPolicyMapOutput() WebIamPolicyMapOutput
	ToWebIamPolicyMapOutputWithContext(context.Context) WebIamPolicyMapOutput
}

WebIamPolicyMapInput is an input type that accepts WebIamPolicyMap and WebIamPolicyMapOutput values. You can construct a concrete instance of `WebIamPolicyMapInput` via: 

WebIamPolicyMap{ "key": WebIamPolicyArgs{...} }

type WebIamPolicyMapOutput 

type WebIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebIamPolicyMapOutput) ElementType 

func (WebIamPolicyMapOutput) ElementType() reflect.Type

func (WebIamPolicyMapOutput) MapIndex 

func (o WebIamPolicyMapOutput) MapIndex(k pulumi.StringInput) WebIamPolicyOutput

func (WebIamPolicyMapOutput) ToWebIamPolicyMapOutput 

func (o WebIamPolicyMapOutput) ToWebIamPolicyMapOutput() WebIamPolicyMapOutput

func (WebIamPolicyMapOutput) ToWebIamPolicyMapOutputWithContext 

func (o WebIamPolicyMapOutput) ToWebIamPolicyMapOutputWithContext(ctx context.Context) WebIamPolicyMapOutput

type WebIamPolicyOutput 

type WebIamPolicyOutput struct{ *pulumi.OutputState }

func (WebIamPolicyOutput) ElementType 

func (WebIamPolicyOutput) ElementType() reflect.Type

func (WebIamPolicyOutput) Etag 

func (o WebIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebIamPolicyOutput) PolicyData 

func (o WebIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebIamPolicyOutput) Project 

func (o WebIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebIamPolicyOutput) ToWebIamPolicyOutput 

func (o WebIamPolicyOutput) ToWebIamPolicyOutput() WebIamPolicyOutput

func (WebIamPolicyOutput) ToWebIamPolicyOutputWithContext 

func (o WebIamPolicyOutput) ToWebIamPolicyOutputWithContext(ctx context.Context) WebIamPolicyOutput

type WebIamPolicyState 

type WebIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (WebIamPolicyState) ElementType 

func (WebIamPolicyState) ElementType() reflect.Type

type WebRegionBackendServiceIamBinding 

type WebRegionBackendServiceIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Region  pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringOutput `pulumi:"webRegionBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebRegionBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}

* {{project}}/{{region}}/{{name}}

* {{region}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webregionbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamBinding:WebRegionBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamBinding:WebRegionBackendServiceIamBinding editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamBinding:WebRegionBackendServiceIamBinding editor projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebRegionBackendServiceIamBinding 

func GetWebRegionBackendServiceIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebRegionBackendServiceIamBindingState, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamBinding, error)

GetWebRegionBackendServiceIamBinding gets an existing WebRegionBackendServiceIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebRegionBackendServiceIamBinding 

func NewWebRegionBackendServiceIamBinding(ctx *pulumi.Context,
	name string, args *WebRegionBackendServiceIamBindingArgs, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamBinding, error)

NewWebRegionBackendServiceIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebRegionBackendServiceIamBinding) ElementType 

func (*WebRegionBackendServiceIamBinding) ElementType() reflect.Type

func (*WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutput 

func (i *WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutput() WebRegionBackendServiceIamBindingOutput

func (*WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutputWithContext 

func (i *WebRegionBackendServiceIamBinding) ToWebRegionBackendServiceIamBindingOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingOutput

type WebRegionBackendServiceIamBindingArgs 

type WebRegionBackendServiceIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput
}

The set of arguments for constructing a WebRegionBackendServiceIamBinding resource.

func (WebRegionBackendServiceIamBindingArgs) ElementType 

func (WebRegionBackendServiceIamBindingArgs) ElementType() reflect.Type

type WebRegionBackendServiceIamBindingArray 

type WebRegionBackendServiceIamBindingArray []WebRegionBackendServiceIamBindingInput

func (WebRegionBackendServiceIamBindingArray) ElementType 

func (WebRegionBackendServiceIamBindingArray) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutput 

func (i WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutput() WebRegionBackendServiceIamBindingArrayOutput

func (WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutputWithContext 

func (i WebRegionBackendServiceIamBindingArray) ToWebRegionBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingArrayOutput

type WebRegionBackendServiceIamBindingArrayInput 

type WebRegionBackendServiceIamBindingArrayInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingArrayOutput() WebRegionBackendServiceIamBindingArrayOutput
	ToWebRegionBackendServiceIamBindingArrayOutputWithContext(context.Context) WebRegionBackendServiceIamBindingArrayOutput
}

WebRegionBackendServiceIamBindingArrayInput is an input type that accepts WebRegionBackendServiceIamBindingArray and WebRegionBackendServiceIamBindingArrayOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingArrayInput` via: 

WebRegionBackendServiceIamBindingArray{ WebRegionBackendServiceIamBindingArgs{...} }

type WebRegionBackendServiceIamBindingArrayOutput 

type WebRegionBackendServiceIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingArrayOutput) ElementType 

func (WebRegionBackendServiceIamBindingArrayOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingArrayOutput) Index 

func (o WebRegionBackendServiceIamBindingArrayOutput) Index(i pulumi.IntInput) WebRegionBackendServiceIamBindingOutput

func (WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutput 

func (o WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutput() WebRegionBackendServiceIamBindingArrayOutput

func (WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutputWithContext 

func (o WebRegionBackendServiceIamBindingArrayOutput) ToWebRegionBackendServiceIamBindingArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingArrayOutput

type WebRegionBackendServiceIamBindingCondition 

type WebRegionBackendServiceIamBindingCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebRegionBackendServiceIamBindingConditionArgs 

type WebRegionBackendServiceIamBindingConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebRegionBackendServiceIamBindingConditionArgs) ElementType 

func (WebRegionBackendServiceIamBindingConditionArgs) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutput 

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutput() WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutputWithContext 

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutput 

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput

func (WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext 

func (i WebRegionBackendServiceIamBindingConditionArgs) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingConditionInput 

type WebRegionBackendServiceIamBindingConditionInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingConditionOutput() WebRegionBackendServiceIamBindingConditionOutput
	ToWebRegionBackendServiceIamBindingConditionOutputWithContext(context.Context) WebRegionBackendServiceIamBindingConditionOutput
}

WebRegionBackendServiceIamBindingConditionInput is an input type that accepts WebRegionBackendServiceIamBindingConditionArgs and WebRegionBackendServiceIamBindingConditionOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingConditionInput` via: 

WebRegionBackendServiceIamBindingConditionArgs{...}

type WebRegionBackendServiceIamBindingConditionOutput 

type WebRegionBackendServiceIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingConditionOutput) Description 

func (o WebRegionBackendServiceIamBindingConditionOutput) Description() pulumi.StringPtrOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ElementType 

func (WebRegionBackendServiceIamBindingConditionOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingConditionOutput) Expression 

func (o WebRegionBackendServiceIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamBindingConditionOutput) Title 

func (o WebRegionBackendServiceIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutput 

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutput() WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutputWithContext 

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput 

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput

func (WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext 

func (o WebRegionBackendServiceIamBindingConditionOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingConditionPtrInput 

type WebRegionBackendServiceIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput
	ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput
}

WebRegionBackendServiceIamBindingConditionPtrInput is an input type that accepts WebRegionBackendServiceIamBindingConditionArgs, WebRegionBackendServiceIamBindingConditionPtr and WebRegionBackendServiceIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingConditionPtrInput` via: 

        WebRegionBackendServiceIamBindingConditionArgs{...}

or:

        nil

func WebRegionBackendServiceIamBindingConditionPtr 

func WebRegionBackendServiceIamBindingConditionPtr(v *WebRegionBackendServiceIamBindingConditionArgs) WebRegionBackendServiceIamBindingConditionPtrInput

type WebRegionBackendServiceIamBindingConditionPtrOutput 

type WebRegionBackendServiceIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Description 

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Elem 

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) Elem() WebRegionBackendServiceIamBindingConditionOutput

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ElementType 

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Expression 

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamBindingConditionPtrOutput) Title 

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput 

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutput() WebRegionBackendServiceIamBindingConditionPtrOutput

func (WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext 

func (o WebRegionBackendServiceIamBindingConditionPtrOutput) ToWebRegionBackendServiceIamBindingConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingConditionPtrOutput

type WebRegionBackendServiceIamBindingInput 

type WebRegionBackendServiceIamBindingInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingOutput() WebRegionBackendServiceIamBindingOutput
	ToWebRegionBackendServiceIamBindingOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingOutput
}

type WebRegionBackendServiceIamBindingMap 

type WebRegionBackendServiceIamBindingMap map[string]WebRegionBackendServiceIamBindingInput

func (WebRegionBackendServiceIamBindingMap) ElementType 

func (WebRegionBackendServiceIamBindingMap) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutput 

func (i WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutput() WebRegionBackendServiceIamBindingMapOutput

func (WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutputWithContext 

func (i WebRegionBackendServiceIamBindingMap) ToWebRegionBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingMapOutput

type WebRegionBackendServiceIamBindingMapInput 

type WebRegionBackendServiceIamBindingMapInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamBindingMapOutput() WebRegionBackendServiceIamBindingMapOutput
	ToWebRegionBackendServiceIamBindingMapOutputWithContext(context.Context) WebRegionBackendServiceIamBindingMapOutput
}

WebRegionBackendServiceIamBindingMapInput is an input type that accepts WebRegionBackendServiceIamBindingMap and WebRegionBackendServiceIamBindingMapOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamBindingMapInput` via: 

WebRegionBackendServiceIamBindingMap{ "key": WebRegionBackendServiceIamBindingArgs{...} }

type WebRegionBackendServiceIamBindingMapOutput 

type WebRegionBackendServiceIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingMapOutput) ElementType 

func (WebRegionBackendServiceIamBindingMapOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingMapOutput) MapIndex 

func (o WebRegionBackendServiceIamBindingMapOutput) MapIndex(k pulumi.StringInput) WebRegionBackendServiceIamBindingOutput

func (WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutput 

func (o WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutput() WebRegionBackendServiceIamBindingMapOutput

func (WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutputWithContext 

func (o WebRegionBackendServiceIamBindingMapOutput) ToWebRegionBackendServiceIamBindingMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingMapOutput

type WebRegionBackendServiceIamBindingOutput 

type WebRegionBackendServiceIamBindingOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamBindingOutput) Condition 

func (o WebRegionBackendServiceIamBindingOutput) Condition() WebRegionBackendServiceIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebRegionBackendServiceIamBindingOutput) ElementType 

func (WebRegionBackendServiceIamBindingOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamBindingOutput) Etag 

func (o WebRegionBackendServiceIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebRegionBackendServiceIamBindingOutput) Members 

func (o WebRegionBackendServiceIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebRegionBackendServiceIamBindingOutput) Project 

func (o WebRegionBackendServiceIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebRegionBackendServiceIamBindingOutput) Region 

func (o WebRegionBackendServiceIamBindingOutput) Region() pulumi.StringOutput

func (WebRegionBackendServiceIamBindingOutput) Role 

func (o WebRegionBackendServiceIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutput 

func (o WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutput() WebRegionBackendServiceIamBindingOutput

func (WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutputWithContext 

func (o WebRegionBackendServiceIamBindingOutput) ToWebRegionBackendServiceIamBindingOutputWithContext(ctx context.Context) WebRegionBackendServiceIamBindingOutput

func (WebRegionBackendServiceIamBindingOutput) WebRegionBackendService 

func (o WebRegionBackendServiceIamBindingOutput) WebRegionBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebRegionBackendServiceIamBindingState 

type WebRegionBackendServiceIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringPtrInput
}

func (WebRegionBackendServiceIamBindingState) ElementType 

func (WebRegionBackendServiceIamBindingState) ElementType() reflect.Type

type WebRegionBackendServiceIamMember 

type WebRegionBackendServiceIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Region  pulumi.StringOutput `pulumi:"region"`
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringOutput `pulumi:"webRegionBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebRegionBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}

* {{project}}/{{region}}/{{name}}

* {{region}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webregionbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamMember:WebRegionBackendServiceIamMember editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamMember:WebRegionBackendServiceIamMember editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamMember:WebRegionBackendServiceIamMember editor projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebRegionBackendServiceIamMember 

func GetWebRegionBackendServiceIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebRegionBackendServiceIamMemberState, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamMember, error)

GetWebRegionBackendServiceIamMember gets an existing WebRegionBackendServiceIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebRegionBackendServiceIamMember 

func NewWebRegionBackendServiceIamMember(ctx *pulumi.Context,
	name string, args *WebRegionBackendServiceIamMemberArgs, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamMember, error)

NewWebRegionBackendServiceIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebRegionBackendServiceIamMember) ElementType 

func (*WebRegionBackendServiceIamMember) ElementType() reflect.Type

func (*WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutput 

func (i *WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutput() WebRegionBackendServiceIamMemberOutput

func (*WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutputWithContext 

func (i *WebRegionBackendServiceIamMember) ToWebRegionBackendServiceIamMemberOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberOutput

type WebRegionBackendServiceIamMemberArgs 

type WebRegionBackendServiceIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput
}

The set of arguments for constructing a WebRegionBackendServiceIamMember resource.

func (WebRegionBackendServiceIamMemberArgs) ElementType 

func (WebRegionBackendServiceIamMemberArgs) ElementType() reflect.Type

type WebRegionBackendServiceIamMemberArray 

type WebRegionBackendServiceIamMemberArray []WebRegionBackendServiceIamMemberInput

func (WebRegionBackendServiceIamMemberArray) ElementType 

func (WebRegionBackendServiceIamMemberArray) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutput 

func (i WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutput() WebRegionBackendServiceIamMemberArrayOutput

func (WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutputWithContext 

func (i WebRegionBackendServiceIamMemberArray) ToWebRegionBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberArrayOutput

type WebRegionBackendServiceIamMemberArrayInput 

type WebRegionBackendServiceIamMemberArrayInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberArrayOutput() WebRegionBackendServiceIamMemberArrayOutput
	ToWebRegionBackendServiceIamMemberArrayOutputWithContext(context.Context) WebRegionBackendServiceIamMemberArrayOutput
}

WebRegionBackendServiceIamMemberArrayInput is an input type that accepts WebRegionBackendServiceIamMemberArray and WebRegionBackendServiceIamMemberArrayOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberArrayInput` via: 

WebRegionBackendServiceIamMemberArray{ WebRegionBackendServiceIamMemberArgs{...} }

type WebRegionBackendServiceIamMemberArrayOutput 

type WebRegionBackendServiceIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberArrayOutput) ElementType 

func (WebRegionBackendServiceIamMemberArrayOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberArrayOutput) Index 

func (o WebRegionBackendServiceIamMemberArrayOutput) Index(i pulumi.IntInput) WebRegionBackendServiceIamMemberOutput

func (WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutput 

func (o WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutput() WebRegionBackendServiceIamMemberArrayOutput

func (WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutputWithContext 

func (o WebRegionBackendServiceIamMemberArrayOutput) ToWebRegionBackendServiceIamMemberArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberArrayOutput

type WebRegionBackendServiceIamMemberCondition 

type WebRegionBackendServiceIamMemberCondition struct {
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebRegionBackendServiceIamMemberConditionArgs 

type WebRegionBackendServiceIamMemberConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebRegionBackendServiceIamMemberConditionArgs) ElementType 

func (WebRegionBackendServiceIamMemberConditionArgs) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutput 

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutput() WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutputWithContext 

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutput 

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput

func (WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext 

func (i WebRegionBackendServiceIamMemberConditionArgs) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberConditionInput 

type WebRegionBackendServiceIamMemberConditionInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberConditionOutput() WebRegionBackendServiceIamMemberConditionOutput
	ToWebRegionBackendServiceIamMemberConditionOutputWithContext(context.Context) WebRegionBackendServiceIamMemberConditionOutput
}

WebRegionBackendServiceIamMemberConditionInput is an input type that accepts WebRegionBackendServiceIamMemberConditionArgs and WebRegionBackendServiceIamMemberConditionOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberConditionInput` via: 

WebRegionBackendServiceIamMemberConditionArgs{...}

type WebRegionBackendServiceIamMemberConditionOutput 

type WebRegionBackendServiceIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberConditionOutput) Description 

func (o WebRegionBackendServiceIamMemberConditionOutput) Description() pulumi.StringPtrOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ElementType 

func (WebRegionBackendServiceIamMemberConditionOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberConditionOutput) Expression 

func (o WebRegionBackendServiceIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamMemberConditionOutput) Title 

func (o WebRegionBackendServiceIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutput 

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutput() WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutputWithContext 

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput 

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput

func (WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext 

func (o WebRegionBackendServiceIamMemberConditionOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberConditionPtrInput 

type WebRegionBackendServiceIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput
	ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput
}

WebRegionBackendServiceIamMemberConditionPtrInput is an input type that accepts WebRegionBackendServiceIamMemberConditionArgs, WebRegionBackendServiceIamMemberConditionPtr and WebRegionBackendServiceIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberConditionPtrInput` via: 

        WebRegionBackendServiceIamMemberConditionArgs{...}

or:

        nil

func WebRegionBackendServiceIamMemberConditionPtr 

func WebRegionBackendServiceIamMemberConditionPtr(v *WebRegionBackendServiceIamMemberConditionArgs) WebRegionBackendServiceIamMemberConditionPtrInput

type WebRegionBackendServiceIamMemberConditionPtrOutput 

type WebRegionBackendServiceIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Description 

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Elem 

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) Elem() WebRegionBackendServiceIamMemberConditionOutput

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ElementType 

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Expression 

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebRegionBackendServiceIamMemberConditionPtrOutput) Title 

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput 

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutput() WebRegionBackendServiceIamMemberConditionPtrOutput

func (WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext 

func (o WebRegionBackendServiceIamMemberConditionPtrOutput) ToWebRegionBackendServiceIamMemberConditionPtrOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberConditionPtrOutput

type WebRegionBackendServiceIamMemberInput 

type WebRegionBackendServiceIamMemberInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberOutput() WebRegionBackendServiceIamMemberOutput
	ToWebRegionBackendServiceIamMemberOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberOutput
}

type WebRegionBackendServiceIamMemberMap 

type WebRegionBackendServiceIamMemberMap map[string]WebRegionBackendServiceIamMemberInput

func (WebRegionBackendServiceIamMemberMap) ElementType 

func (WebRegionBackendServiceIamMemberMap) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutput 

func (i WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutput() WebRegionBackendServiceIamMemberMapOutput

func (WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutputWithContext 

func (i WebRegionBackendServiceIamMemberMap) ToWebRegionBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberMapOutput

type WebRegionBackendServiceIamMemberMapInput 

type WebRegionBackendServiceIamMemberMapInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamMemberMapOutput() WebRegionBackendServiceIamMemberMapOutput
	ToWebRegionBackendServiceIamMemberMapOutputWithContext(context.Context) WebRegionBackendServiceIamMemberMapOutput
}

WebRegionBackendServiceIamMemberMapInput is an input type that accepts WebRegionBackendServiceIamMemberMap and WebRegionBackendServiceIamMemberMapOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamMemberMapInput` via: 

WebRegionBackendServiceIamMemberMap{ "key": WebRegionBackendServiceIamMemberArgs{...} }

type WebRegionBackendServiceIamMemberMapOutput 

type WebRegionBackendServiceIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberMapOutput) ElementType 

func (WebRegionBackendServiceIamMemberMapOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberMapOutput) MapIndex 

func (o WebRegionBackendServiceIamMemberMapOutput) MapIndex(k pulumi.StringInput) WebRegionBackendServiceIamMemberOutput

func (WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutput 

func (o WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutput() WebRegionBackendServiceIamMemberMapOutput

func (WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutputWithContext 

func (o WebRegionBackendServiceIamMemberMapOutput) ToWebRegionBackendServiceIamMemberMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberMapOutput

type WebRegionBackendServiceIamMemberOutput 

type WebRegionBackendServiceIamMemberOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamMemberOutput) Condition 

func (o WebRegionBackendServiceIamMemberOutput) Condition() WebRegionBackendServiceIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebRegionBackendServiceIamMemberOutput) ElementType 

func (WebRegionBackendServiceIamMemberOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamMemberOutput) Etag 

func (o WebRegionBackendServiceIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebRegionBackendServiceIamMemberOutput) Member 

func (o WebRegionBackendServiceIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebRegionBackendServiceIamMemberOutput) Project 

func (o WebRegionBackendServiceIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebRegionBackendServiceIamMemberOutput) Region 

func (o WebRegionBackendServiceIamMemberOutput) Region() pulumi.StringOutput

func (WebRegionBackendServiceIamMemberOutput) Role 

func (o WebRegionBackendServiceIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutput 

func (o WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutput() WebRegionBackendServiceIamMemberOutput

func (WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutputWithContext 

func (o WebRegionBackendServiceIamMemberOutput) ToWebRegionBackendServiceIamMemberOutputWithContext(ctx context.Context) WebRegionBackendServiceIamMemberOutput

func (WebRegionBackendServiceIamMemberOutput) WebRegionBackendService 

func (o WebRegionBackendServiceIamMemberOutput) WebRegionBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebRegionBackendServiceIamMemberState 

type WebRegionBackendServiceIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebRegionBackendServiceIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebRegionBackendServiceIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringPtrInput
}

func (WebRegionBackendServiceIamMemberState) ElementType 

func (WebRegionBackendServiceIamMemberState) ElementType() reflect.Type

type WebRegionBackendServiceIamPolicy 

type WebRegionBackendServiceIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	Region  pulumi.StringOutput `pulumi:"region"`
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringOutput `pulumi:"webRegionBackendService"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebRegionBackendService Three different resources help you manage your IAM policy for Identity-Aware Proxy WebRegionBackendService. Each of these resources serves a different use case:

* `iap.WebRegionBackendServiceIamPolicy`: Authoritative. Sets the IAM policy for the webregionbackendservice and replaces any existing policy already attached. * `iap.WebRegionBackendServiceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webregionbackendservice are preserved. * `iap.WebRegionBackendServiceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webregionbackendservice are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebRegionBackendServiceIamPolicy`: Retrieves the IAM policy for the webregionbackendservice

> **Note:** `iap.WebRegionBackendServiceIamPolicy` **cannot** be used in conjunction with `iap.WebRegionBackendServiceIamBinding` and `iap.WebRegionBackendServiceIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebRegionBackendServiceIamBinding` resources **can be** used in conjunction with `iap.WebRegionBackendServiceIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebRegionBackendServiceIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebRegionBackendServiceIamPolicy(ctx, "policy", &iap.WebRegionBackendServiceIamPolicyArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			PolicyData:              pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamBinding(ctx, "binding", &iap.WebRegionBackendServiceIamBindingArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebRegionBackendServiceIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebRegionBackendServiceIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebRegionBackendServiceIamMember(ctx, "member", &iap.WebRegionBackendServiceIamMemberArgs{
			Project:                 pulumi.Any(_default.Project),
			Region:                  pulumi.Any(_default.Region),
			WebRegionBackendService: pulumi.Any(_default.Name),
			Role:                    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:                  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebRegionBackendServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute-{{region}}/services/{{name}}

* {{project}}/{{region}}/{{name}}

* {{region}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webregionbackendservice IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamPolicy:WebRegionBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamPolicy:WebRegionBackendServiceIamPolicy editor "projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webRegionBackendServiceIamPolicy:WebRegionBackendServiceIamPolicy editor projects/{{project}}/iap_web/compute-{{region}}/services/{{web_region_backend_service}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebRegionBackendServiceIamPolicy 

func GetWebRegionBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebRegionBackendServiceIamPolicyState, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamPolicy, error)

GetWebRegionBackendServiceIamPolicy gets an existing WebRegionBackendServiceIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebRegionBackendServiceIamPolicy 

func NewWebRegionBackendServiceIamPolicy(ctx *pulumi.Context,
	name string, args *WebRegionBackendServiceIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebRegionBackendServiceIamPolicy, error)

NewWebRegionBackendServiceIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebRegionBackendServiceIamPolicy) ElementType 

func (*WebRegionBackendServiceIamPolicy) ElementType() reflect.Type

func (*WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutput 

func (i *WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutput() WebRegionBackendServiceIamPolicyOutput

func (*WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutputWithContext 

func (i *WebRegionBackendServiceIamPolicy) ToWebRegionBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyOutput

type WebRegionBackendServiceIamPolicyArgs 

type WebRegionBackendServiceIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringInput
}

The set of arguments for constructing a WebRegionBackendServiceIamPolicy resource.

func (WebRegionBackendServiceIamPolicyArgs) ElementType 

func (WebRegionBackendServiceIamPolicyArgs) ElementType() reflect.Type

type WebRegionBackendServiceIamPolicyArray 

type WebRegionBackendServiceIamPolicyArray []WebRegionBackendServiceIamPolicyInput

func (WebRegionBackendServiceIamPolicyArray) ElementType 

func (WebRegionBackendServiceIamPolicyArray) ElementType() reflect.Type

func (WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutput 

func (i WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutput() WebRegionBackendServiceIamPolicyArrayOutput

func (WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext 

func (i WebRegionBackendServiceIamPolicyArray) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyArrayOutput

type WebRegionBackendServiceIamPolicyArrayInput 

type WebRegionBackendServiceIamPolicyArrayInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamPolicyArrayOutput() WebRegionBackendServiceIamPolicyArrayOutput
	ToWebRegionBackendServiceIamPolicyArrayOutputWithContext(context.Context) WebRegionBackendServiceIamPolicyArrayOutput
}

WebRegionBackendServiceIamPolicyArrayInput is an input type that accepts WebRegionBackendServiceIamPolicyArray and WebRegionBackendServiceIamPolicyArrayOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamPolicyArrayInput` via: 

WebRegionBackendServiceIamPolicyArray{ WebRegionBackendServiceIamPolicyArgs{...} }

type WebRegionBackendServiceIamPolicyArrayOutput 

type WebRegionBackendServiceIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamPolicyArrayOutput) ElementType 

func (WebRegionBackendServiceIamPolicyArrayOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamPolicyArrayOutput) Index 

func (o WebRegionBackendServiceIamPolicyArrayOutput) Index(i pulumi.IntInput) WebRegionBackendServiceIamPolicyOutput

func (WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutput 

func (o WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutput() WebRegionBackendServiceIamPolicyArrayOutput

func (WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext 

func (o WebRegionBackendServiceIamPolicyArrayOutput) ToWebRegionBackendServiceIamPolicyArrayOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyArrayOutput

type WebRegionBackendServiceIamPolicyInput 

type WebRegionBackendServiceIamPolicyInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamPolicyOutput() WebRegionBackendServiceIamPolicyOutput
	ToWebRegionBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyOutput
}

type WebRegionBackendServiceIamPolicyMap 

type WebRegionBackendServiceIamPolicyMap map[string]WebRegionBackendServiceIamPolicyInput

func (WebRegionBackendServiceIamPolicyMap) ElementType 

func (WebRegionBackendServiceIamPolicyMap) ElementType() reflect.Type

func (WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutput 

func (i WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutput() WebRegionBackendServiceIamPolicyMapOutput

func (WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutputWithContext 

func (i WebRegionBackendServiceIamPolicyMap) ToWebRegionBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyMapOutput

type WebRegionBackendServiceIamPolicyMapInput 

type WebRegionBackendServiceIamPolicyMapInput interface {
	pulumi.Input

	ToWebRegionBackendServiceIamPolicyMapOutput() WebRegionBackendServiceIamPolicyMapOutput
	ToWebRegionBackendServiceIamPolicyMapOutputWithContext(context.Context) WebRegionBackendServiceIamPolicyMapOutput
}

WebRegionBackendServiceIamPolicyMapInput is an input type that accepts WebRegionBackendServiceIamPolicyMap and WebRegionBackendServiceIamPolicyMapOutput values. You can construct a concrete instance of `WebRegionBackendServiceIamPolicyMapInput` via: 

WebRegionBackendServiceIamPolicyMap{ "key": WebRegionBackendServiceIamPolicyArgs{...} }

type WebRegionBackendServiceIamPolicyMapOutput 

type WebRegionBackendServiceIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamPolicyMapOutput) ElementType 

func (WebRegionBackendServiceIamPolicyMapOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamPolicyMapOutput) MapIndex 

func (o WebRegionBackendServiceIamPolicyMapOutput) MapIndex(k pulumi.StringInput) WebRegionBackendServiceIamPolicyOutput

func (WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutput 

func (o WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutput() WebRegionBackendServiceIamPolicyMapOutput

func (WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutputWithContext 

func (o WebRegionBackendServiceIamPolicyMapOutput) ToWebRegionBackendServiceIamPolicyMapOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyMapOutput

type WebRegionBackendServiceIamPolicyOutput 

type WebRegionBackendServiceIamPolicyOutput struct{ *pulumi.OutputState }

func (WebRegionBackendServiceIamPolicyOutput) ElementType 

func (WebRegionBackendServiceIamPolicyOutput) ElementType() reflect.Type

func (WebRegionBackendServiceIamPolicyOutput) Etag 

func (o WebRegionBackendServiceIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebRegionBackendServiceIamPolicyOutput) PolicyData 

func (o WebRegionBackendServiceIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebRegionBackendServiceIamPolicyOutput) Project 

func (o WebRegionBackendServiceIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebRegionBackendServiceIamPolicyOutput) Region 

func (o WebRegionBackendServiceIamPolicyOutput) Region() pulumi.StringOutput

func (WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutput 

func (o WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutput() WebRegionBackendServiceIamPolicyOutput

func (WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutputWithContext 

func (o WebRegionBackendServiceIamPolicyOutput) ToWebRegionBackendServiceIamPolicyOutputWithContext(ctx context.Context) WebRegionBackendServiceIamPolicyOutput

func (WebRegionBackendServiceIamPolicyOutput) WebRegionBackendService 

func (o WebRegionBackendServiceIamPolicyOutput) WebRegionBackendService() pulumi.StringOutput

Used to find the parent resource to bind the IAM policy to

type WebRegionBackendServiceIamPolicyState 

type WebRegionBackendServiceIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	Region  pulumi.StringPtrInput
	// Used to find the parent resource to bind the IAM policy to
	WebRegionBackendService pulumi.StringPtrInput
}

func (WebRegionBackendServiceIamPolicyState) ElementType 

func (WebRegionBackendServiceIamPolicyState) ElementType() reflect.Type

type WebTypeAppEngingIamBinding 

type WebTypeAppEngingIamBinding struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeAppEngine Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}

* {{project}}/{{appId}}

* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding editor projects/{{project}}/iap_web/appengine-{{appId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamBinding 

func GetWebTypeAppEngingIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamBindingState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamBinding, error)

GetWebTypeAppEngingIamBinding gets an existing WebTypeAppEngingIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamBinding 

func NewWebTypeAppEngingIamBinding(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamBindingArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamBinding, error)

NewWebTypeAppEngingIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamBinding) ElementType 

func (*WebTypeAppEngingIamBinding) ElementType() reflect.Type

func (*WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutput 

func (i *WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput

func (*WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutputWithContext 

func (i *WebTypeAppEngingIamBinding) ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingArgs 

type WebTypeAppEngingIamBindingArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeAppEngingIamBinding resource.

func (WebTypeAppEngingIamBindingArgs) ElementType 

func (WebTypeAppEngingIamBindingArgs) ElementType() reflect.Type

type WebTypeAppEngingIamBindingArray 

type WebTypeAppEngingIamBindingArray []WebTypeAppEngingIamBindingInput

func (WebTypeAppEngingIamBindingArray) ElementType 

func (WebTypeAppEngingIamBindingArray) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutput 

func (i WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput

func (WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutputWithContext 

func (i WebTypeAppEngingIamBindingArray) ToWebTypeAppEngingIamBindingArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingArrayInput 

type WebTypeAppEngingIamBindingArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput
	ToWebTypeAppEngingIamBindingArrayOutputWithContext(context.Context) WebTypeAppEngingIamBindingArrayOutput
}

WebTypeAppEngingIamBindingArrayInput is an input type that accepts WebTypeAppEngingIamBindingArray and WebTypeAppEngingIamBindingArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingArrayInput` via: 

WebTypeAppEngingIamBindingArray{ WebTypeAppEngingIamBindingArgs{...} }

type WebTypeAppEngingIamBindingArrayOutput 

type WebTypeAppEngingIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingArrayOutput) ElementType 

func (WebTypeAppEngingIamBindingArrayOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingArrayOutput) Index 

func (o WebTypeAppEngingIamBindingArrayOutput) Index(i pulumi.IntInput) WebTypeAppEngingIamBindingOutput

func (WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutput 

func (o WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutput() WebTypeAppEngingIamBindingArrayOutput

func (WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutputWithContext 

func (o WebTypeAppEngingIamBindingArrayOutput) ToWebTypeAppEngingIamBindingArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingArrayOutput

type WebTypeAppEngingIamBindingCondition 

type WebTypeAppEngingIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeAppEngingIamBindingConditionArgs 

type WebTypeAppEngingIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeAppEngingIamBindingConditionArgs) ElementType 

func (WebTypeAppEngingIamBindingConditionArgs) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutput 

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutputWithContext 

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutput 

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext 

func (i WebTypeAppEngingIamBindingConditionArgs) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionInput 

type WebTypeAppEngingIamBindingConditionInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput
	ToWebTypeAppEngingIamBindingConditionOutputWithContext(context.Context) WebTypeAppEngingIamBindingConditionOutput
}

WebTypeAppEngingIamBindingConditionInput is an input type that accepts WebTypeAppEngingIamBindingConditionArgs and WebTypeAppEngingIamBindingConditionOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingConditionInput` via: 

WebTypeAppEngingIamBindingConditionArgs{...}

type WebTypeAppEngingIamBindingConditionOutput 

type WebTypeAppEngingIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingConditionOutput) Description 

func (o WebTypeAppEngingIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamBindingConditionOutput) ElementType 

func (WebTypeAppEngingIamBindingConditionOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingConditionOutput) Expression 

func (o WebTypeAppEngingIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamBindingConditionOutput) Title 

func (o WebTypeAppEngingIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutput 

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutput() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutputWithContext 

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput 

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext 

func (o WebTypeAppEngingIamBindingConditionOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingConditionPtrInput 

type WebTypeAppEngingIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput
	ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(context.Context) WebTypeAppEngingIamBindingConditionPtrOutput
}

WebTypeAppEngingIamBindingConditionPtrInput is an input type that accepts WebTypeAppEngingIamBindingConditionArgs, WebTypeAppEngingIamBindingConditionPtr and WebTypeAppEngingIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingConditionPtrInput` via: 

        WebTypeAppEngingIamBindingConditionArgs{...}

or:

        nil

func WebTypeAppEngingIamBindingConditionPtr 

func WebTypeAppEngingIamBindingConditionPtr(v *WebTypeAppEngingIamBindingConditionArgs) WebTypeAppEngingIamBindingConditionPtrInput

type WebTypeAppEngingIamBindingConditionPtrOutput 

type WebTypeAppEngingIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingConditionPtrOutput) Description 

func (o WebTypeAppEngingIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamBindingConditionPtrOutput) Elem 

func (o WebTypeAppEngingIamBindingConditionPtrOutput) Elem() WebTypeAppEngingIamBindingConditionOutput

func (WebTypeAppEngingIamBindingConditionPtrOutput) ElementType 

func (WebTypeAppEngingIamBindingConditionPtrOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingConditionPtrOutput) Expression 

func (o WebTypeAppEngingIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamBindingConditionPtrOutput) Title 

func (o WebTypeAppEngingIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput 

func (o WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutput() WebTypeAppEngingIamBindingConditionPtrOutput

func (WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext 

func (o WebTypeAppEngingIamBindingConditionPtrOutput) ToWebTypeAppEngingIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingConditionPtrOutput

type WebTypeAppEngingIamBindingInput 

type WebTypeAppEngingIamBindingInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput
	ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput
}

type WebTypeAppEngingIamBindingMap 

type WebTypeAppEngingIamBindingMap map[string]WebTypeAppEngingIamBindingInput

func (WebTypeAppEngingIamBindingMap) ElementType 

func (WebTypeAppEngingIamBindingMap) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutput 

func (i WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput

func (WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutputWithContext 

func (i WebTypeAppEngingIamBindingMap) ToWebTypeAppEngingIamBindingMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingMapInput 

type WebTypeAppEngingIamBindingMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput
	ToWebTypeAppEngingIamBindingMapOutputWithContext(context.Context) WebTypeAppEngingIamBindingMapOutput
}

WebTypeAppEngingIamBindingMapInput is an input type that accepts WebTypeAppEngingIamBindingMap and WebTypeAppEngingIamBindingMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamBindingMapInput` via: 

WebTypeAppEngingIamBindingMap{ "key": WebTypeAppEngingIamBindingArgs{...} }

type WebTypeAppEngingIamBindingMapOutput 

type WebTypeAppEngingIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingMapOutput) ElementType 

func (WebTypeAppEngingIamBindingMapOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingMapOutput) MapIndex 

func (o WebTypeAppEngingIamBindingMapOutput) MapIndex(k pulumi.StringInput) WebTypeAppEngingIamBindingOutput

func (WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutput 

func (o WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutput() WebTypeAppEngingIamBindingMapOutput

func (WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutputWithContext 

func (o WebTypeAppEngingIamBindingMapOutput) ToWebTypeAppEngingIamBindingMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingMapOutput

type WebTypeAppEngingIamBindingOutput 

type WebTypeAppEngingIamBindingOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamBindingOutput) AppId 

func (o WebTypeAppEngingIamBindingOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamBindingOutput) Condition 

func (o WebTypeAppEngingIamBindingOutput) Condition() WebTypeAppEngingIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeAppEngingIamBindingOutput) ElementType 

func (WebTypeAppEngingIamBindingOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamBindingOutput) Etag 

func (o WebTypeAppEngingIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamBindingOutput) Members 

func (o WebTypeAppEngingIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamBindingOutput) Project 

func (o WebTypeAppEngingIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeAppEngingIamBindingOutput) Role 

func (o WebTypeAppEngingIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutput 

func (o WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutput() WebTypeAppEngingIamBindingOutput

func (WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutputWithContext 

func (o WebTypeAppEngingIamBindingOutput) ToWebTypeAppEngingIamBindingOutputWithContext(ctx context.Context) WebTypeAppEngingIamBindingOutput

type WebTypeAppEngingIamBindingState 

type WebTypeAppEngingIamBindingState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeAppEngingIamBindingState) ElementType 

func (WebTypeAppEngingIamBindingState) ElementType() reflect.Type

type WebTypeAppEngingIamMember 

type WebTypeAppEngingIamMember struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeAppEngine Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}

* {{project}}/{{appId}}

* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamMember:WebTypeAppEngingIamMember editor projects/{{project}}/iap_web/appengine-{{appId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamMember 

func GetWebTypeAppEngingIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamMemberState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamMember, error)

GetWebTypeAppEngingIamMember gets an existing WebTypeAppEngingIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamMember 

func NewWebTypeAppEngingIamMember(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamMemberArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamMember, error)

NewWebTypeAppEngingIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamMember) ElementType 

func (*WebTypeAppEngingIamMember) ElementType() reflect.Type

func (*WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutput 

func (i *WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput

func (*WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutputWithContext 

func (i *WebTypeAppEngingIamMember) ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberArgs 

type WebTypeAppEngingIamMemberArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeAppEngingIamMember resource.

func (WebTypeAppEngingIamMemberArgs) ElementType 

func (WebTypeAppEngingIamMemberArgs) ElementType() reflect.Type

type WebTypeAppEngingIamMemberArray 

type WebTypeAppEngingIamMemberArray []WebTypeAppEngingIamMemberInput

func (WebTypeAppEngingIamMemberArray) ElementType 

func (WebTypeAppEngingIamMemberArray) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutput 

func (i WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput

func (WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutputWithContext 

func (i WebTypeAppEngingIamMemberArray) ToWebTypeAppEngingIamMemberArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberArrayInput 

type WebTypeAppEngingIamMemberArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput
	ToWebTypeAppEngingIamMemberArrayOutputWithContext(context.Context) WebTypeAppEngingIamMemberArrayOutput
}

WebTypeAppEngingIamMemberArrayInput is an input type that accepts WebTypeAppEngingIamMemberArray and WebTypeAppEngingIamMemberArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberArrayInput` via: 

WebTypeAppEngingIamMemberArray{ WebTypeAppEngingIamMemberArgs{...} }

type WebTypeAppEngingIamMemberArrayOutput 

type WebTypeAppEngingIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberArrayOutput) ElementType 

func (WebTypeAppEngingIamMemberArrayOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberArrayOutput) Index 

func (o WebTypeAppEngingIamMemberArrayOutput) Index(i pulumi.IntInput) WebTypeAppEngingIamMemberOutput

func (WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutput 

func (o WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutput() WebTypeAppEngingIamMemberArrayOutput

func (WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutputWithContext 

func (o WebTypeAppEngingIamMemberArrayOutput) ToWebTypeAppEngingIamMemberArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberArrayOutput

type WebTypeAppEngingIamMemberCondition 

type WebTypeAppEngingIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeAppEngingIamMemberConditionArgs 

type WebTypeAppEngingIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeAppEngingIamMemberConditionArgs) ElementType 

func (WebTypeAppEngingIamMemberConditionArgs) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutput 

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutputWithContext 

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutput 

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext 

func (i WebTypeAppEngingIamMemberConditionArgs) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionInput 

type WebTypeAppEngingIamMemberConditionInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput
	ToWebTypeAppEngingIamMemberConditionOutputWithContext(context.Context) WebTypeAppEngingIamMemberConditionOutput
}

WebTypeAppEngingIamMemberConditionInput is an input type that accepts WebTypeAppEngingIamMemberConditionArgs and WebTypeAppEngingIamMemberConditionOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberConditionInput` via: 

WebTypeAppEngingIamMemberConditionArgs{...}

type WebTypeAppEngingIamMemberConditionOutput 

type WebTypeAppEngingIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberConditionOutput) Description 

func (o WebTypeAppEngingIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamMemberConditionOutput) ElementType 

func (WebTypeAppEngingIamMemberConditionOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberConditionOutput) Expression 

func (o WebTypeAppEngingIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamMemberConditionOutput) Title 

func (o WebTypeAppEngingIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutput 

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutput() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutputWithContext 

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput 

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext 

func (o WebTypeAppEngingIamMemberConditionOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberConditionPtrInput 

type WebTypeAppEngingIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput
	ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(context.Context) WebTypeAppEngingIamMemberConditionPtrOutput
}

WebTypeAppEngingIamMemberConditionPtrInput is an input type that accepts WebTypeAppEngingIamMemberConditionArgs, WebTypeAppEngingIamMemberConditionPtr and WebTypeAppEngingIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberConditionPtrInput` via: 

        WebTypeAppEngingIamMemberConditionArgs{...}

or:

        nil

func WebTypeAppEngingIamMemberConditionPtr 

func WebTypeAppEngingIamMemberConditionPtr(v *WebTypeAppEngingIamMemberConditionArgs) WebTypeAppEngingIamMemberConditionPtrInput

type WebTypeAppEngingIamMemberConditionPtrOutput 

type WebTypeAppEngingIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberConditionPtrOutput) Description 

func (o WebTypeAppEngingIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeAppEngingIamMemberConditionPtrOutput) Elem 

func (o WebTypeAppEngingIamMemberConditionPtrOutput) Elem() WebTypeAppEngingIamMemberConditionOutput

func (WebTypeAppEngingIamMemberConditionPtrOutput) ElementType 

func (WebTypeAppEngingIamMemberConditionPtrOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberConditionPtrOutput) Expression 

func (o WebTypeAppEngingIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeAppEngingIamMemberConditionPtrOutput) Title 

func (o WebTypeAppEngingIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput 

func (o WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutput() WebTypeAppEngingIamMemberConditionPtrOutput

func (WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext 

func (o WebTypeAppEngingIamMemberConditionPtrOutput) ToWebTypeAppEngingIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberConditionPtrOutput

type WebTypeAppEngingIamMemberInput 

type WebTypeAppEngingIamMemberInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput
	ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput
}

type WebTypeAppEngingIamMemberMap 

type WebTypeAppEngingIamMemberMap map[string]WebTypeAppEngingIamMemberInput

func (WebTypeAppEngingIamMemberMap) ElementType 

func (WebTypeAppEngingIamMemberMap) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutput 

func (i WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput

func (WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutputWithContext 

func (i WebTypeAppEngingIamMemberMap) ToWebTypeAppEngingIamMemberMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberMapInput 

type WebTypeAppEngingIamMemberMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput
	ToWebTypeAppEngingIamMemberMapOutputWithContext(context.Context) WebTypeAppEngingIamMemberMapOutput
}

WebTypeAppEngingIamMemberMapInput is an input type that accepts WebTypeAppEngingIamMemberMap and WebTypeAppEngingIamMemberMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamMemberMapInput` via: 

WebTypeAppEngingIamMemberMap{ "key": WebTypeAppEngingIamMemberArgs{...} }

type WebTypeAppEngingIamMemberMapOutput 

type WebTypeAppEngingIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberMapOutput) ElementType 

func (WebTypeAppEngingIamMemberMapOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberMapOutput) MapIndex 

func (o WebTypeAppEngingIamMemberMapOutput) MapIndex(k pulumi.StringInput) WebTypeAppEngingIamMemberOutput

func (WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutput 

func (o WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutput() WebTypeAppEngingIamMemberMapOutput

func (WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutputWithContext 

func (o WebTypeAppEngingIamMemberMapOutput) ToWebTypeAppEngingIamMemberMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberMapOutput

type WebTypeAppEngingIamMemberOutput 

type WebTypeAppEngingIamMemberOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamMemberOutput) AppId 

func (o WebTypeAppEngingIamMemberOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamMemberOutput) Condition 

func (o WebTypeAppEngingIamMemberOutput) Condition() WebTypeAppEngingIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeAppEngingIamMemberOutput) ElementType 

func (WebTypeAppEngingIamMemberOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamMemberOutput) Etag 

func (o WebTypeAppEngingIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamMemberOutput) Member 

func (o WebTypeAppEngingIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeAppEngingIamMemberOutput) Project 

func (o WebTypeAppEngingIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeAppEngingIamMemberOutput) Role 

func (o WebTypeAppEngingIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutput 

func (o WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutput() WebTypeAppEngingIamMemberOutput

func (WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutputWithContext 

func (o WebTypeAppEngingIamMemberOutput) ToWebTypeAppEngingIamMemberOutputWithContext(ctx context.Context) WebTypeAppEngingIamMemberOutput

type WebTypeAppEngingIamMemberState 

type WebTypeAppEngingIamMemberState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeAppEngingIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeAppEngingIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeAppEngingIamMemberState) ElementType 

func (WebTypeAppEngingIamMemberState) ElementType() reflect.Type

type WebTypeAppEngingIamPolicy 

type WebTypeAppEngingIamPolicy struct {
	pulumi.CustomResourceState

	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringOutput `pulumi:"appId"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeAppEngine Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

* `iap.WebTypeAppEngingIamPolicy`: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached. * `iap.WebTypeAppEngingIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved. * `iap.WebTypeAppEngingIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeAppEngingIamPolicy`: Retrieves the IAM policy for the webtypeappengine

> **Note:** `iap.WebTypeAppEngingIamPolicy` **cannot** be used in conjunction with `iap.WebTypeAppEngingIamBinding` and `iap.WebTypeAppEngingIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeAppEngingIamBinding` resources **can be** used in conjunction with `iap.WebTypeAppEngingIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeAppEngingIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
			Project:    pulumi.Any(app.Project),
			AppId:      pulumi.Any(app.AppId),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeAppEngingIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
			Project: pulumi.Any(app.Project),
			AppId:   pulumi.Any(app.AppId),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeAppEngingIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/appengine-{{appId}}

* {{project}}/{{appId}}

* {{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy editor projects/{{project}}/iap_web/appengine-{{appId}} ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeAppEngingIamPolicy 

func GetWebTypeAppEngingIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeAppEngingIamPolicyState, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamPolicy, error)

GetWebTypeAppEngingIamPolicy gets an existing WebTypeAppEngingIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeAppEngingIamPolicy 

func NewWebTypeAppEngingIamPolicy(ctx *pulumi.Context,
	name string, args *WebTypeAppEngingIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebTypeAppEngingIamPolicy, error)

NewWebTypeAppEngingIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebTypeAppEngingIamPolicy) ElementType 

func (*WebTypeAppEngingIamPolicy) ElementType() reflect.Type

func (*WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutput 

func (i *WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput

func (*WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutputWithContext 

func (i *WebTypeAppEngingIamPolicy) ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyArgs 

type WebTypeAppEngingIamPolicyArgs struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebTypeAppEngingIamPolicy resource.

func (WebTypeAppEngingIamPolicyArgs) ElementType 

func (WebTypeAppEngingIamPolicyArgs) ElementType() reflect.Type

type WebTypeAppEngingIamPolicyArray 

type WebTypeAppEngingIamPolicyArray []WebTypeAppEngingIamPolicyInput

func (WebTypeAppEngingIamPolicyArray) ElementType 

func (WebTypeAppEngingIamPolicyArray) ElementType() reflect.Type

func (WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutput 

func (i WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput

func (WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutputWithContext 

func (i WebTypeAppEngingIamPolicyArray) ToWebTypeAppEngingIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyArrayInput 

type WebTypeAppEngingIamPolicyArrayInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput
	ToWebTypeAppEngingIamPolicyArrayOutputWithContext(context.Context) WebTypeAppEngingIamPolicyArrayOutput
}

WebTypeAppEngingIamPolicyArrayInput is an input type that accepts WebTypeAppEngingIamPolicyArray and WebTypeAppEngingIamPolicyArrayOutput values. You can construct a concrete instance of `WebTypeAppEngingIamPolicyArrayInput` via: 

WebTypeAppEngingIamPolicyArray{ WebTypeAppEngingIamPolicyArgs{...} }

type WebTypeAppEngingIamPolicyArrayOutput 

type WebTypeAppEngingIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyArrayOutput) ElementType 

func (WebTypeAppEngingIamPolicyArrayOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamPolicyArrayOutput) Index 

func (o WebTypeAppEngingIamPolicyArrayOutput) Index(i pulumi.IntInput) WebTypeAppEngingIamPolicyOutput

func (WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutput 

func (o WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutput() WebTypeAppEngingIamPolicyArrayOutput

func (WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutputWithContext 

func (o WebTypeAppEngingIamPolicyArrayOutput) ToWebTypeAppEngingIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyArrayOutput

type WebTypeAppEngingIamPolicyInput 

type WebTypeAppEngingIamPolicyInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput
	ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput
}

type WebTypeAppEngingIamPolicyMap 

type WebTypeAppEngingIamPolicyMap map[string]WebTypeAppEngingIamPolicyInput

func (WebTypeAppEngingIamPolicyMap) ElementType 

func (WebTypeAppEngingIamPolicyMap) ElementType() reflect.Type

func (WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutput 

func (i WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput

func (WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutputWithContext 

func (i WebTypeAppEngingIamPolicyMap) ToWebTypeAppEngingIamPolicyMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyMapInput 

type WebTypeAppEngingIamPolicyMapInput interface {
	pulumi.Input

	ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput
	ToWebTypeAppEngingIamPolicyMapOutputWithContext(context.Context) WebTypeAppEngingIamPolicyMapOutput
}

WebTypeAppEngingIamPolicyMapInput is an input type that accepts WebTypeAppEngingIamPolicyMap and WebTypeAppEngingIamPolicyMapOutput values. You can construct a concrete instance of `WebTypeAppEngingIamPolicyMapInput` via: 

WebTypeAppEngingIamPolicyMap{ "key": WebTypeAppEngingIamPolicyArgs{...} }

type WebTypeAppEngingIamPolicyMapOutput 

type WebTypeAppEngingIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyMapOutput) ElementType 

func (WebTypeAppEngingIamPolicyMapOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamPolicyMapOutput) MapIndex 

func (o WebTypeAppEngingIamPolicyMapOutput) MapIndex(k pulumi.StringInput) WebTypeAppEngingIamPolicyOutput

func (WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutput 

func (o WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutput() WebTypeAppEngingIamPolicyMapOutput

func (WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutputWithContext 

func (o WebTypeAppEngingIamPolicyMapOutput) ToWebTypeAppEngingIamPolicyMapOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyMapOutput

type WebTypeAppEngingIamPolicyOutput 

type WebTypeAppEngingIamPolicyOutput struct{ *pulumi.OutputState }

func (WebTypeAppEngingIamPolicyOutput) AppId 

func (o WebTypeAppEngingIamPolicyOutput) AppId() pulumi.StringOutput

Id of the App Engine application. Used to find the parent resource to bind the IAM policy to

func (WebTypeAppEngingIamPolicyOutput) ElementType 

func (WebTypeAppEngingIamPolicyOutput) ElementType() reflect.Type

func (WebTypeAppEngingIamPolicyOutput) Etag 

func (o WebTypeAppEngingIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebTypeAppEngingIamPolicyOutput) PolicyData 

func (o WebTypeAppEngingIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebTypeAppEngingIamPolicyOutput) Project 

func (o WebTypeAppEngingIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutput 

func (o WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutput() WebTypeAppEngingIamPolicyOutput

func (WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutputWithContext 

func (o WebTypeAppEngingIamPolicyOutput) ToWebTypeAppEngingIamPolicyOutputWithContext(ctx context.Context) WebTypeAppEngingIamPolicyOutput

type WebTypeAppEngingIamPolicyState 

type WebTypeAppEngingIamPolicyState struct {
	// Id of the App Engine application. Used to find the parent resource to bind the IAM policy to
	AppId pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (WebTypeAppEngingIamPolicyState) ElementType 

func (WebTypeAppEngingIamPolicyState) ElementType() reflect.Type

type WebTypeComputeIamBinding 

type WebTypeComputeIamBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeCompute Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamBinding:WebTypeComputeIamBinding editor projects/{{project}}/iap_web/compute ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamBinding 

func GetWebTypeComputeIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamBindingState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamBinding, error)

GetWebTypeComputeIamBinding gets an existing WebTypeComputeIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamBinding 

func NewWebTypeComputeIamBinding(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamBindingArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamBinding, error)

NewWebTypeComputeIamBinding registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamBinding) ElementType 

func (*WebTypeComputeIamBinding) ElementType() reflect.Type

func (*WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutput 

func (i *WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput

func (*WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutputWithContext 

func (i *WebTypeComputeIamBinding) ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingArgs 

type WebTypeComputeIamBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeComputeIamBinding resource.

func (WebTypeComputeIamBindingArgs) ElementType 

func (WebTypeComputeIamBindingArgs) ElementType() reflect.Type

type WebTypeComputeIamBindingArray 

type WebTypeComputeIamBindingArray []WebTypeComputeIamBindingInput

func (WebTypeComputeIamBindingArray) ElementType 

func (WebTypeComputeIamBindingArray) ElementType() reflect.Type

func (WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutput 

func (i WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput

func (WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutputWithContext 

func (i WebTypeComputeIamBindingArray) ToWebTypeComputeIamBindingArrayOutputWithContext(ctx context.Context) WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingArrayInput 

type WebTypeComputeIamBindingArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput
	ToWebTypeComputeIamBindingArrayOutputWithContext(context.Context) WebTypeComputeIamBindingArrayOutput
}

WebTypeComputeIamBindingArrayInput is an input type that accepts WebTypeComputeIamBindingArray and WebTypeComputeIamBindingArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingArrayInput` via: 

WebTypeComputeIamBindingArray{ WebTypeComputeIamBindingArgs{...} }

type WebTypeComputeIamBindingArrayOutput 

type WebTypeComputeIamBindingArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingArrayOutput) ElementType 

func (WebTypeComputeIamBindingArrayOutput) ElementType() reflect.Type

func (WebTypeComputeIamBindingArrayOutput) Index 

func (o WebTypeComputeIamBindingArrayOutput) Index(i pulumi.IntInput) WebTypeComputeIamBindingOutput

func (WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutput 

func (o WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutput() WebTypeComputeIamBindingArrayOutput

func (WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutputWithContext 

func (o WebTypeComputeIamBindingArrayOutput) ToWebTypeComputeIamBindingArrayOutputWithContext(ctx context.Context) WebTypeComputeIamBindingArrayOutput

type WebTypeComputeIamBindingCondition 

type WebTypeComputeIamBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeComputeIamBindingConditionArgs 

type WebTypeComputeIamBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeComputeIamBindingConditionArgs) ElementType 

func (WebTypeComputeIamBindingConditionArgs) ElementType() reflect.Type

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutput 

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutputWithContext 

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutput 

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutputWithContext 

func (i WebTypeComputeIamBindingConditionArgs) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionInput 

type WebTypeComputeIamBindingConditionInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput
	ToWebTypeComputeIamBindingConditionOutputWithContext(context.Context) WebTypeComputeIamBindingConditionOutput
}

WebTypeComputeIamBindingConditionInput is an input type that accepts WebTypeComputeIamBindingConditionArgs and WebTypeComputeIamBindingConditionOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingConditionInput` via: 

WebTypeComputeIamBindingConditionArgs{...}

type WebTypeComputeIamBindingConditionOutput 

type WebTypeComputeIamBindingConditionOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingConditionOutput) Description 

func (o WebTypeComputeIamBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamBindingConditionOutput) ElementType 

func (WebTypeComputeIamBindingConditionOutput) ElementType() reflect.Type

func (WebTypeComputeIamBindingConditionOutput) Expression 

func (o WebTypeComputeIamBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamBindingConditionOutput) Title 

func (o WebTypeComputeIamBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutput 

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutput() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutputWithContext 

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutput 

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext 

func (o WebTypeComputeIamBindingConditionOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingConditionPtrInput 

type WebTypeComputeIamBindingConditionPtrInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput
	ToWebTypeComputeIamBindingConditionPtrOutputWithContext(context.Context) WebTypeComputeIamBindingConditionPtrOutput
}

WebTypeComputeIamBindingConditionPtrInput is an input type that accepts WebTypeComputeIamBindingConditionArgs, WebTypeComputeIamBindingConditionPtr and WebTypeComputeIamBindingConditionPtrOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingConditionPtrInput` via: 

        WebTypeComputeIamBindingConditionArgs{...}

or:

        nil

func WebTypeComputeIamBindingConditionPtr 

func WebTypeComputeIamBindingConditionPtr(v *WebTypeComputeIamBindingConditionArgs) WebTypeComputeIamBindingConditionPtrInput

type WebTypeComputeIamBindingConditionPtrOutput 

type WebTypeComputeIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingConditionPtrOutput) Description 

func (o WebTypeComputeIamBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamBindingConditionPtrOutput) Elem 

func (o WebTypeComputeIamBindingConditionPtrOutput) Elem() WebTypeComputeIamBindingConditionOutput

func (WebTypeComputeIamBindingConditionPtrOutput) ElementType 

func (WebTypeComputeIamBindingConditionPtrOutput) ElementType() reflect.Type

func (WebTypeComputeIamBindingConditionPtrOutput) Expression 

func (o WebTypeComputeIamBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamBindingConditionPtrOutput) Title 

func (o WebTypeComputeIamBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutput 

func (o WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutput() WebTypeComputeIamBindingConditionPtrOutput

func (WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext 

func (o WebTypeComputeIamBindingConditionPtrOutput) ToWebTypeComputeIamBindingConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamBindingConditionPtrOutput

type WebTypeComputeIamBindingInput 

type WebTypeComputeIamBindingInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput
	ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput
}

type WebTypeComputeIamBindingMap 

type WebTypeComputeIamBindingMap map[string]WebTypeComputeIamBindingInput

func (WebTypeComputeIamBindingMap) ElementType 

func (WebTypeComputeIamBindingMap) ElementType() reflect.Type

func (WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutput 

func (i WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput

func (WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutputWithContext 

func (i WebTypeComputeIamBindingMap) ToWebTypeComputeIamBindingMapOutputWithContext(ctx context.Context) WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingMapInput 

type WebTypeComputeIamBindingMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput
	ToWebTypeComputeIamBindingMapOutputWithContext(context.Context) WebTypeComputeIamBindingMapOutput
}

WebTypeComputeIamBindingMapInput is an input type that accepts WebTypeComputeIamBindingMap and WebTypeComputeIamBindingMapOutput values. You can construct a concrete instance of `WebTypeComputeIamBindingMapInput` via: 

WebTypeComputeIamBindingMap{ "key": WebTypeComputeIamBindingArgs{...} }

type WebTypeComputeIamBindingMapOutput 

type WebTypeComputeIamBindingMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingMapOutput) ElementType 

func (WebTypeComputeIamBindingMapOutput) ElementType() reflect.Type

func (WebTypeComputeIamBindingMapOutput) MapIndex 

func (o WebTypeComputeIamBindingMapOutput) MapIndex(k pulumi.StringInput) WebTypeComputeIamBindingOutput

func (WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutput 

func (o WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutput() WebTypeComputeIamBindingMapOutput

func (WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutputWithContext 

func (o WebTypeComputeIamBindingMapOutput) ToWebTypeComputeIamBindingMapOutputWithContext(ctx context.Context) WebTypeComputeIamBindingMapOutput

type WebTypeComputeIamBindingOutput 

type WebTypeComputeIamBindingOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamBindingOutput) Condition 

func (o WebTypeComputeIamBindingOutput) Condition() WebTypeComputeIamBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeComputeIamBindingOutput) ElementType 

func (WebTypeComputeIamBindingOutput) ElementType() reflect.Type

func (WebTypeComputeIamBindingOutput) Etag 

func (o WebTypeComputeIamBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamBindingOutput) Members 

func (o WebTypeComputeIamBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamBindingOutput) Project 

func (o WebTypeComputeIamBindingOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeComputeIamBindingOutput) Role 

func (o WebTypeComputeIamBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutput 

func (o WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutput() WebTypeComputeIamBindingOutput

func (WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutputWithContext 

func (o WebTypeComputeIamBindingOutput) ToWebTypeComputeIamBindingOutputWithContext(ctx context.Context) WebTypeComputeIamBindingOutput

type WebTypeComputeIamBindingState 

type WebTypeComputeIamBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeComputeIamBindingState) ElementType 

func (WebTypeComputeIamBindingState) ElementType() reflect.Type

type WebTypeComputeIamMember 

type WebTypeComputeIamMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeCompute Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamMember:WebTypeComputeIamMember editor projects/{{project}}/iap_web/compute ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamMember 

func GetWebTypeComputeIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamMemberState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamMember, error)

GetWebTypeComputeIamMember gets an existing WebTypeComputeIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamMember 

func NewWebTypeComputeIamMember(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamMemberArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamMember, error)

NewWebTypeComputeIamMember registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamMember) ElementType 

func (*WebTypeComputeIamMember) ElementType() reflect.Type

func (*WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutput 

func (i *WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput

func (*WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutputWithContext 

func (i *WebTypeComputeIamMember) ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberArgs 

type WebTypeComputeIamMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing a WebTypeComputeIamMember resource.

func (WebTypeComputeIamMemberArgs) ElementType 

func (WebTypeComputeIamMemberArgs) ElementType() reflect.Type

type WebTypeComputeIamMemberArray 

type WebTypeComputeIamMemberArray []WebTypeComputeIamMemberInput

func (WebTypeComputeIamMemberArray) ElementType 

func (WebTypeComputeIamMemberArray) ElementType() reflect.Type

func (WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutput 

func (i WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput

func (WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutputWithContext 

func (i WebTypeComputeIamMemberArray) ToWebTypeComputeIamMemberArrayOutputWithContext(ctx context.Context) WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberArrayInput 

type WebTypeComputeIamMemberArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput
	ToWebTypeComputeIamMemberArrayOutputWithContext(context.Context) WebTypeComputeIamMemberArrayOutput
}

WebTypeComputeIamMemberArrayInput is an input type that accepts WebTypeComputeIamMemberArray and WebTypeComputeIamMemberArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberArrayInput` via: 

WebTypeComputeIamMemberArray{ WebTypeComputeIamMemberArgs{...} }

type WebTypeComputeIamMemberArrayOutput 

type WebTypeComputeIamMemberArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberArrayOutput) ElementType 

func (WebTypeComputeIamMemberArrayOutput) ElementType() reflect.Type

func (WebTypeComputeIamMemberArrayOutput) Index 

func (o WebTypeComputeIamMemberArrayOutput) Index(i pulumi.IntInput) WebTypeComputeIamMemberOutput

func (WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutput 

func (o WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutput() WebTypeComputeIamMemberArrayOutput

func (WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutputWithContext 

func (o WebTypeComputeIamMemberArrayOutput) ToWebTypeComputeIamMemberArrayOutputWithContext(ctx context.Context) WebTypeComputeIamMemberArrayOutput

type WebTypeComputeIamMemberCondition 

type WebTypeComputeIamMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type WebTypeComputeIamMemberConditionArgs 

type WebTypeComputeIamMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (WebTypeComputeIamMemberConditionArgs) ElementType 

func (WebTypeComputeIamMemberConditionArgs) ElementType() reflect.Type

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutput 

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutputWithContext 

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutput 

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutputWithContext 

func (i WebTypeComputeIamMemberConditionArgs) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionInput 

type WebTypeComputeIamMemberConditionInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput
	ToWebTypeComputeIamMemberConditionOutputWithContext(context.Context) WebTypeComputeIamMemberConditionOutput
}

WebTypeComputeIamMemberConditionInput is an input type that accepts WebTypeComputeIamMemberConditionArgs and WebTypeComputeIamMemberConditionOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberConditionInput` via: 

WebTypeComputeIamMemberConditionArgs{...}

type WebTypeComputeIamMemberConditionOutput 

type WebTypeComputeIamMemberConditionOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberConditionOutput) Description 

func (o WebTypeComputeIamMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamMemberConditionOutput) ElementType 

func (WebTypeComputeIamMemberConditionOutput) ElementType() reflect.Type

func (WebTypeComputeIamMemberConditionOutput) Expression 

func (o WebTypeComputeIamMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamMemberConditionOutput) Title 

func (o WebTypeComputeIamMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutput 

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutput() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutputWithContext 

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutput 

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext 

func (o WebTypeComputeIamMemberConditionOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberConditionPtrInput 

type WebTypeComputeIamMemberConditionPtrInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput
	ToWebTypeComputeIamMemberConditionPtrOutputWithContext(context.Context) WebTypeComputeIamMemberConditionPtrOutput
}

WebTypeComputeIamMemberConditionPtrInput is an input type that accepts WebTypeComputeIamMemberConditionArgs, WebTypeComputeIamMemberConditionPtr and WebTypeComputeIamMemberConditionPtrOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberConditionPtrInput` via: 

        WebTypeComputeIamMemberConditionArgs{...}

or:

        nil

func WebTypeComputeIamMemberConditionPtr 

func WebTypeComputeIamMemberConditionPtr(v *WebTypeComputeIamMemberConditionArgs) WebTypeComputeIamMemberConditionPtrInput

type WebTypeComputeIamMemberConditionPtrOutput 

type WebTypeComputeIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberConditionPtrOutput) Description 

func (o WebTypeComputeIamMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (WebTypeComputeIamMemberConditionPtrOutput) Elem 

func (o WebTypeComputeIamMemberConditionPtrOutput) Elem() WebTypeComputeIamMemberConditionOutput

func (WebTypeComputeIamMemberConditionPtrOutput) ElementType 

func (WebTypeComputeIamMemberConditionPtrOutput) ElementType() reflect.Type

func (WebTypeComputeIamMemberConditionPtrOutput) Expression 

func (o WebTypeComputeIamMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (WebTypeComputeIamMemberConditionPtrOutput) Title 

func (o WebTypeComputeIamMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutput 

func (o WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutput() WebTypeComputeIamMemberConditionPtrOutput

func (WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext 

func (o WebTypeComputeIamMemberConditionPtrOutput) ToWebTypeComputeIamMemberConditionPtrOutputWithContext(ctx context.Context) WebTypeComputeIamMemberConditionPtrOutput

type WebTypeComputeIamMemberInput 

type WebTypeComputeIamMemberInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput
	ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput
}

type WebTypeComputeIamMemberMap 

type WebTypeComputeIamMemberMap map[string]WebTypeComputeIamMemberInput

func (WebTypeComputeIamMemberMap) ElementType 

func (WebTypeComputeIamMemberMap) ElementType() reflect.Type

func (WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutput 

func (i WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput

func (WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutputWithContext 

func (i WebTypeComputeIamMemberMap) ToWebTypeComputeIamMemberMapOutputWithContext(ctx context.Context) WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberMapInput 

type WebTypeComputeIamMemberMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput
	ToWebTypeComputeIamMemberMapOutputWithContext(context.Context) WebTypeComputeIamMemberMapOutput
}

WebTypeComputeIamMemberMapInput is an input type that accepts WebTypeComputeIamMemberMap and WebTypeComputeIamMemberMapOutput values. You can construct a concrete instance of `WebTypeComputeIamMemberMapInput` via: 

WebTypeComputeIamMemberMap{ "key": WebTypeComputeIamMemberArgs{...} }

type WebTypeComputeIamMemberMapOutput 

type WebTypeComputeIamMemberMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberMapOutput) ElementType 

func (WebTypeComputeIamMemberMapOutput) ElementType() reflect.Type

func (WebTypeComputeIamMemberMapOutput) MapIndex 

func (o WebTypeComputeIamMemberMapOutput) MapIndex(k pulumi.StringInput) WebTypeComputeIamMemberOutput

func (WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutput 

func (o WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutput() WebTypeComputeIamMemberMapOutput

func (WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutputWithContext 

func (o WebTypeComputeIamMemberMapOutput) ToWebTypeComputeIamMemberMapOutputWithContext(ctx context.Context) WebTypeComputeIamMemberMapOutput

type WebTypeComputeIamMemberOutput 

type WebTypeComputeIamMemberOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamMemberOutput) Condition 

func (o WebTypeComputeIamMemberOutput) Condition() WebTypeComputeIamMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (WebTypeComputeIamMemberOutput) ElementType 

func (WebTypeComputeIamMemberOutput) ElementType() reflect.Type

func (WebTypeComputeIamMemberOutput) Etag 

func (o WebTypeComputeIamMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamMemberOutput) Member 

func (o WebTypeComputeIamMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (WebTypeComputeIamMemberOutput) Project 

func (o WebTypeComputeIamMemberOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeComputeIamMemberOutput) Role 

func (o WebTypeComputeIamMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutput 

func (o WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutput() WebTypeComputeIamMemberOutput

func (WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutputWithContext 

func (o WebTypeComputeIamMemberOutput) ToWebTypeComputeIamMemberOutputWithContext(ctx context.Context) WebTypeComputeIamMemberOutput

type WebTypeComputeIamMemberState 

type WebTypeComputeIamMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition WebTypeComputeIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `iap.WebTypeComputeIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (WebTypeComputeIamMemberState) ElementType 

func (WebTypeComputeIamMemberState) ElementType() reflect.Type

type WebTypeComputeIamPolicy 

type WebTypeComputeIamPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Identity-Aware Proxy WebTypeCompute Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeCompute. Each of these resources serves a different use case:

* `iap.WebTypeComputeIamPolicy`: Authoritative. Sets the IAM policy for the webtypecompute and replaces any existing policy already attached. * `iap.WebTypeComputeIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypecompute are preserved. * `iap.WebTypeComputeIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypecompute are preserved.

A data source can be used to retrieve policy data in advent you do not need creation

* `iap.WebTypeComputeIamPolicy`: Retrieves the IAM policy for the webtypecompute

> **Note:** `iap.WebTypeComputeIamPolicy` **cannot** be used in conjunction with `iap.WebTypeComputeIamBinding` and `iap.WebTypeComputeIamMember` or they will fight over what your policy should be.

> **Note:** `iap.WebTypeComputeIamBinding` resources **can be** used in conjunction with `iap.WebTypeComputeIamMember` resources **only if** they do not grant privilege to the same role.

> **Note:** This resource supports IAM Conditions but they have some known limitations which can be found [here](https://cloud.google.com/iam/docs/conditions-overview#limitations). Please review this article if you are having issues with IAM Conditions.

## iap.WebTypeComputeIamPolicy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iap.httpsResourceAccessor",
					Members: []string{
						"user:jane@example.com",
					},
					Condition: {
						Title:       "expires_after_2019_12_31",
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iap.NewWebTypeComputeIamPolicy(ctx, "policy", &iap.WebTypeComputeIamPolicyArgs{
			Project:    pulumi.Any(projectService.Project),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamBinding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamBinding(ctx, "binding", &iap.WebTypeComputeIamBindingArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.WebTypeComputeIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` ## iap.WebTypeComputeIamMember

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebTypeComputeIamMember(ctx, "member", &iap.WebTypeComputeIamMemberArgs{
			Project: pulumi.Any(projectService.Project),
			Role:    pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:  pulumi.String("user:jane@example.com"),
			Condition: &iap.WebTypeComputeIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/iap_web/compute

* {{project}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypecompute IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor "projects/{{project}}/iap_web/compute roles/iap.httpsResourceAccessor" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:iap/webTypeComputeIamPolicy:WebTypeComputeIamPolicy editor projects/{{project}}/iap_web/compute ```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the 

full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetWebTypeComputeIamPolicy 

func GetWebTypeComputeIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *WebTypeComputeIamPolicyState, opts ...pulumi.ResourceOption) (*WebTypeComputeIamPolicy, error)

GetWebTypeComputeIamPolicy gets an existing WebTypeComputeIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewWebTypeComputeIamPolicy 

func NewWebTypeComputeIamPolicy(ctx *pulumi.Context,
	name string, args *WebTypeComputeIamPolicyArgs, opts ...pulumi.ResourceOption) (*WebTypeComputeIamPolicy, error)

NewWebTypeComputeIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*WebTypeComputeIamPolicy) ElementType 

func (*WebTypeComputeIamPolicy) ElementType() reflect.Type

func (*WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutput 

func (i *WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput

func (*WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutputWithContext 

func (i *WebTypeComputeIamPolicy) ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyArgs 

type WebTypeComputeIamPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a WebTypeComputeIamPolicy resource.

func (WebTypeComputeIamPolicyArgs) ElementType 

func (WebTypeComputeIamPolicyArgs) ElementType() reflect.Type

type WebTypeComputeIamPolicyArray 

type WebTypeComputeIamPolicyArray []WebTypeComputeIamPolicyInput

func (WebTypeComputeIamPolicyArray) ElementType 

func (WebTypeComputeIamPolicyArray) ElementType() reflect.Type

func (WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutput 

func (i WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput

func (WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutputWithContext 

func (i WebTypeComputeIamPolicyArray) ToWebTypeComputeIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyArrayInput 

type WebTypeComputeIamPolicyArrayInput interface {
	pulumi.Input

	ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput
	ToWebTypeComputeIamPolicyArrayOutputWithContext(context.Context) WebTypeComputeIamPolicyArrayOutput
}

WebTypeComputeIamPolicyArrayInput is an input type that accepts WebTypeComputeIamPolicyArray and WebTypeComputeIamPolicyArrayOutput values. You can construct a concrete instance of `WebTypeComputeIamPolicyArrayInput` via: 

WebTypeComputeIamPolicyArray{ WebTypeComputeIamPolicyArgs{...} }

type WebTypeComputeIamPolicyArrayOutput 

type WebTypeComputeIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyArrayOutput) ElementType 

func (WebTypeComputeIamPolicyArrayOutput) ElementType() reflect.Type

func (WebTypeComputeIamPolicyArrayOutput) Index 

func (o WebTypeComputeIamPolicyArrayOutput) Index(i pulumi.IntInput) WebTypeComputeIamPolicyOutput

func (WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutput 

func (o WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutput() WebTypeComputeIamPolicyArrayOutput

func (WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutputWithContext 

func (o WebTypeComputeIamPolicyArrayOutput) ToWebTypeComputeIamPolicyArrayOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyArrayOutput

type WebTypeComputeIamPolicyInput 

type WebTypeComputeIamPolicyInput interface {
	pulumi.Input

	ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput
	ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput
}

type WebTypeComputeIamPolicyMap 

type WebTypeComputeIamPolicyMap map[string]WebTypeComputeIamPolicyInput

func (WebTypeComputeIamPolicyMap) ElementType 

func (WebTypeComputeIamPolicyMap) ElementType() reflect.Type

func (WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutput 

func (i WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput

func (WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutputWithContext 

func (i WebTypeComputeIamPolicyMap) ToWebTypeComputeIamPolicyMapOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyMapInput 

type WebTypeComputeIamPolicyMapInput interface {
	pulumi.Input

	ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput
	ToWebTypeComputeIamPolicyMapOutputWithContext(context.Context) WebTypeComputeIamPolicyMapOutput
}

WebTypeComputeIamPolicyMapInput is an input type that accepts WebTypeComputeIamPolicyMap and WebTypeComputeIamPolicyMapOutput values. You can construct a concrete instance of `WebTypeComputeIamPolicyMapInput` via: 

WebTypeComputeIamPolicyMap{ "key": WebTypeComputeIamPolicyArgs{...} }

type WebTypeComputeIamPolicyMapOutput 

type WebTypeComputeIamPolicyMapOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyMapOutput) ElementType 

func (WebTypeComputeIamPolicyMapOutput) ElementType() reflect.Type

func (WebTypeComputeIamPolicyMapOutput) MapIndex 

func (o WebTypeComputeIamPolicyMapOutput) MapIndex(k pulumi.StringInput) WebTypeComputeIamPolicyOutput

func (WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutput 

func (o WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutput() WebTypeComputeIamPolicyMapOutput

func (WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutputWithContext 

func (o WebTypeComputeIamPolicyMapOutput) ToWebTypeComputeIamPolicyMapOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyMapOutput

type WebTypeComputeIamPolicyOutput 

type WebTypeComputeIamPolicyOutput struct{ *pulumi.OutputState }

func (WebTypeComputeIamPolicyOutput) ElementType 

func (WebTypeComputeIamPolicyOutput) ElementType() reflect.Type

func (WebTypeComputeIamPolicyOutput) Etag 

func (o WebTypeComputeIamPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (WebTypeComputeIamPolicyOutput) PolicyData 

func (o WebTypeComputeIamPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (WebTypeComputeIamPolicyOutput) Project 

func (o WebTypeComputeIamPolicyOutput) Project() pulumi.StringOutput

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutput 

func (o WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutput() WebTypeComputeIamPolicyOutput

func (WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutputWithContext 

func (o WebTypeComputeIamPolicyOutput) ToWebTypeComputeIamPolicyOutputWithContext(ctx context.Context) WebTypeComputeIamPolicyOutput

type WebTypeComputeIamPolicyState 

type WebTypeComputeIamPolicyState struct {
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (WebTypeComputeIamPolicyState) ElementType 

func (WebTypeComputeIamPolicyState) ElementType() reflect.Type

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.