| subcategory | description |
|---|---|
Cloud IAM |
An IAM Principal Access Boundary Policy resource. |
An IAM Principal Access Boundary Policy resource. This resource has no effect on accesses until is bound to a target through policy bindings. You can see further documentation on policy bindings in:
To get more information about PrincipalAccessBoundaryPolicy, see:
resource "google_iam_principal_access_boundary_policy" "pab-policy-for-org" {
organization = "123456789"
location = "global"
display_name = "PAB policy for Organization"
principal_access_boundary_policy_id = "pab-policy-for-org"
}resource "google_iam_principal_access_boundary_policy" "pab_policy" {
organization = "123456789"
location = "global"
display_name = "Binding for all principals in the Organization"
principal_access_boundary_policy_id = "my-pab-policy"
}
resource "time_sleep" "wait_60_seconds" {
create_duration = "60s"
depends_on = [google_iam_principal_access_boundary_policy.pab_policy]
}
resource "google_iam_organizations_policy_binding" "my-pab-policy" {
depends_on = [time_sleep.wait_60_seconds]
organization = "123456789"
location = "global"
display_name = "Binding for all principals in the Organization"
policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
policy_binding_id = "binding-for-all-org-principals"
policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/${google_iam_principal_access_boundary_policy.pab_policy.principal_access_boundary_policy_id}"
target {
principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789"
}
}The following arguments are supported:
-
organization- (Required) The parent organization of the principal access boundary policy. -
location- (Required) The location the principal access boundary policy is in. -
principal_access_boundary_policy_id- (Required) The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.
-
display_name- (Optional) The description of the principal access boundary policy. Must be less than or equal to 63 characters. -
annotations- (Optional) User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitationsNote: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field
effective_annotationsfor all of the annotations present on the resource. -
details- (Optional) Principal access boundary policy details Structure is documented below.
-
rules- (Required) A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is documented below. -
enforcement_version- (Optional) The version number that indicates which Google Cloud services are included in the enforcement (e.g. "latest", "1", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.
-
description- (Optional) The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. -
resources- (Required) A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported:- Organizations, such as
//cloudresourcemanager.googleapis.com/organizations/123. - Folders, such as
//cloudresourcemanager.googleapis.com/folders/123. - Projects, such as
//cloudresourcemanager.googleapis.com/projects/123or//cloudresourcemanager.googleapis.com/projects/my-project-id.
- Organizations, such as
-
effect- (Required) The access relationship of principals to the resources in this rule. Possible values: ALLOW
In addition to the arguments listed above, the following computed attributes are exported:
-
id- an identifier for the resource with formatorganizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}} -
name- Identifier. The resource name of the principal access boundary policy. The following format is supported:organizations/{organization_id}/locations/{location}/principalAccessBoundaryPolicies/{policy_id} -
uid- Output only. The globally unique ID of the principal access boundary policy. -
etag- The etag for the principal access boundary. If this is provided on update, it must match the server's etag. -
create_time- Output only. The time when the principal access boundary policy was created. -
update_time- Output only. The time when the principal access boundary policy was most recently updated. -
effective_annotations- All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:
create- Default is 20 minutes.update- Default is 20 minutes.delete- Default is 20 minutes.
PrincipalAccessBoundaryPolicy can be imported using any of these accepted formats:
organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}{{organization}}/{{location}}/{{principal_access_boundary_policy_id}}
In Terraform v1.5.0 and later, use an import block to import PrincipalAccessBoundaryPolicy using one of the formats above. For example:
import {
id = "organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}"
to = google_iam_principal_access_boundary_policy.default
}When using the terraform import command, PrincipalAccessBoundaryPolicy can be imported using one of the formats above. For example:
$ terraform import google_iam_principal_access_boundary_policy.default organizations/{{organization}}/locations/{{location}}/principalAccessBoundaryPolicies/{{principal_access_boundary_policy_id}}
$ terraform import google_iam_principal_access_boundary_policy.default {{organization}}/{{location}}/{{principal_access_boundary_policy_id}}