IAM policy for Identity-Aware Proxy WebTypeAppEngine

Three different resources help you manage your IAM policy for Identity-Aware Proxy WebTypeAppEngine. Each of these resources serves a different use case:

google_iap_web_type_app_engine_iam_policy: Authoritative. Sets the IAM policy for the webtypeappengine and replaces any existing policy already attached.

google_iap_web_type_app_engine_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the webtypeappengine are preserved.

google_iap_web_type_app_engine_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the webtypeappengine are preserved.

Note: google_iap_web_type_app_engine_iam_policy cannot be used in conjunction with google_iap_web_type_app_engine_iam_binding and google_iap_web_type_app_engine_iam_member or they will fight over what your policy should be.

Note: google_iap_web_type_app_engine_iam_binding resources can be used in conjunction with google_iap_web_type_app_engine_iam_member resources only if they do not grant privilege to the same role.

Because the policy and binding resources are authoritative, any access granted outside Terraform (for example through the Cloud Console) on the same resource or role is revoked on the next apply. Review the plan for removed bindings before applying.

A data source can be used to retrieve policy data in the event that you only need to read the policy rather than create it.
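The practical difference between the three resources is how much of the policy already attached to the App Engine IAP resource each one overwrites, which is what to check in a plan before applying. The following Python is an added example and not code from the google provider: it models the three operations on a policy in the GCP IAM JSON shape (a list of bindings, each with a role, a list of members and an optional condition) and reports which existing grants an apply would revoke. The sample policy and identities are constructed, and treating a binding as identified by its role plus its condition is an assumption made for the illustration.

```python
"""Model of what the three Terraform IAM resources do to an existing policy.

Added example, not part of the google provider. The policy shape mirrors the
GCP IAM policy JSON (bindings of role, members and optional condition); the
three apply_* functions are a local simulation of the resource semantics,
not calls to the IAP API. The sample policy and identities are constructed.
"""
from copy import deepcopy

# Constructed sample: bindings already attached to the App Engine IAP
# resource, for instance granted earlier through the Cloud Console.
EXISTING_POLICY = {
    "bindings": [
        {
            "role": "roles/iap.httpsResourceAccessor",
            "members": ["user:alice@example.com", "group:oncall@example.com"],
        },
        {
            "role": "roles/iap.settingsAdmin",
            "members": ["serviceAccount:deployer@example.iam.gserviceaccount.com"],
        },
    ],
}


def _cond_key(condition):
    """Assumption of this model: a binding is identified by role plus
    condition, so a conditional binding is distinct from the unconditional
    binding for the same role."""
    if not condition:
        return None
    return (condition["title"], condition.get("description", ""), condition["expression"])


def _binding_key(binding):
    return (binding["role"], _cond_key(binding.get("condition")))


def apply_iam_policy(existing, policy_data):
    """google_iap_web_type_app_engine_iam_policy: authoritative. The whole
    policy is replaced; every binding absent from policy_data is revoked."""
    return deepcopy(policy_data)


def apply_iam_binding(existing, role, members, condition=None):
    """google_iap_web_type_app_engine_iam_binding: authoritative for one
    role (and condition). Members of that binding not listed are revoked;
    bindings for other roles, or for the same role under another
    condition, are preserved."""
    new = deepcopy(existing)
    binding = {"role": role, "members": sorted(set(members))}
    if condition:
        binding["condition"] = dict(condition)
    key = _binding_key(binding)
    new["bindings"] = [b for b in new["bindings"] if _binding_key(b) != key]
    new["bindings"].append(binding)
    return new


def apply_iam_member(existing, role, member, condition=None):
    """google_iap_web_type_app_engine_iam_member: non-authoritative. Adds a
    single member; everyone else already holding the role is preserved."""
    new = deepcopy(existing)
    wanted = (role, _cond_key(condition))
    for binding in new["bindings"]:
        if _binding_key(binding) == wanted:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    binding = {"role": role, "members": [member]}
    if condition:
        binding["condition"] = dict(condition)
    new["bindings"].append(binding)
    return new


def grants(policy):
    """Flatten a policy into (role, member, condition_key) triples."""
    return {
        (b["role"], m, _cond_key(b.get("condition")))
        for b in policy["bindings"]
        for m in b["members"]
    }


def revoked(before, after):
    """Grants present before an apply but gone afterwards: what a reviewer
    of the terraform plan should expect to see removed."""
    return sorted(grants(before) - grants(after), key=str)


if __name__ == "__main__":
    role = "roles/iap.httpsResourceAccessor"
    jane = "user:jane@example.com"
    expiry = {
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
    }
    # The policy_data a google_iam_policy data source with one binding yields.
    policy_data = {"bindings": [{"role": role, "members": [jane]}]}
    for name, result in [
        ("iam_policy", apply_iam_policy(EXISTING_POLICY, policy_data)),
        ("iam_binding", apply_iam_binding(EXISTING_POLICY, role, [jane])),
        ("iam_member", apply_iam_member(EXISTING_POLICY, role, jane)),
        ("iam_binding+condition", apply_iam_binding(EXISTING_POLICY, role, [jane], expiry)),
    ]:
        print(name, "revokes:", revoked(EXISTING_POLICY, result))
```

Run as a script, the iam_policy case revokes every grant not named in policy_data, including the roles/iap.settingsAdmin binding that policy_data never mentioned; iam_binding revokes the other members of roles/iap.httpsResourceAccessor and nothing else; iam_member revokes nothing; and the conditional binding also revokes nothing, because under the model's assumption it is a separate binding from the unconditional one for the same role.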

google_iap_web_type_app_engine_iam_policy

data "google_iam_policy" "admin" {
  binding {
    role = "roles/iap.httpsResourceAccessor"
    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_iap_web_type_app_engine_iam_policy" "policy" {
  project = google_app_engine_application.app.project
  app_id = google_app_engine_application.app.app_id
  policy_data = data.google_iam_policy.admin.policy_data
}

With IAM Conditions:

data "google_iam_policy" "admin" {
  binding {
    role = "roles/iap.httpsResourceAccessor"
    members = [
      "user:jane@example.com",
    ]

    condition {
      title       = "expires_after_2019_12_31"
      description = "Expiring at midnight of 2019-12-31"
      expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
    }
  }
}

resource "google_iap_web_type_app_engine_iam_policy" "policy" {
  project = google_app_engine_application.app.project
  app_id = google_app_engine_application.app.app_id
  policy_data = data.google_iam_policy.admin.policy_data
}

google_iap_web_type_app_engine_iam_binding

resource "google_iap_web_type_app_engine_iam_binding" "binding" {
  project = google_app_engine_application.app.project
  app_id = google_app_engine_application.app.app_id
  role = "roles/iap.httpsResourceAccessor"
  members = [
    "user:jane@example.com",
  ]
}

With IAM Conditions:

resource "google_iap_web_type_app_engine_iam_binding" "binding" {
  project = google_app_engine_application.app.project
  app_id = google_app_engine_application.app.app_id
  role = "roles/iap.httpsResourceAccessor"
  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

google_iap_web_type_app_engine_iam_member

resource "google_iap_web_type_app_engine_iam_member" "member" {
  project = google_app_engine_application.app.project
  app_id = google_app_engine_application.app.app_id
  role = "roles/iap.httpsResourceAccessor"
  member = "user:jane@example.com"
}

With IAM Conditions:

resource "google_iap_web_type_app_engine_iam_member" "member" {
  project = google_app_engine_application.app.project
  app_id = google_app_engine_application.app.app_id
  role = "roles/iap.httpsResourceAccessor"
  member = "user:jane@example.com"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

Argument Reference

The following arguments are supported:

app_id - (Required) ID of the App Engine application. Used to find the parent resource to bind the IAM policy to.

member/members - (Required) Identities that will be granted the privilege in role. google_iap_web_type_app_engine_iam_member takes a single member; google_iap_web_type_app_engine_iam_binding takes a list of members. Each entry can have one of the following values:
allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

role - (Required) The role that should be applied. Only one google_iap_web_type_app_engine_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

policy_data - (Required only by google_iap_web_type_app_engine_iam_policy) The policy data generated by a google_iam_policy data source.

project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

condition - (Optional) An IAM Condition for a given binding. Structure is documented below.

The condition block supports:

expression - (Required) Textual representation of an expression in Common Expression Language syntax.

title - (Required) A title for the expression, i.e. a short string describing its purpose.

description - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

A binding whose condition can no longer evaluate to true (for example, the expiry in the examples above once the date has passed) is not removed automatically; it stays in the policy, granting nothing, until the resource that manages it is removed or updated.

In addition to the arguments listed above, the following computed attributes are exported:

etag - (Computed) The etag of the IAM policy.

Import

For all import syntaxes, the "resource in question" can take any of the following forms:

projects/{{project}}/iap_web/appengine-{{appId}}
{{project}}/{{appId}}
{{appId}}

Any variables not passed in the import command will be taken from the provider configuration.

Identity-Aware Proxy webtypeappengine IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

$ terraform import google_iap_web_type_app_engine_iam_member.editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor user:jane@example.com"

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

$ terraform import google_iap_web_type_app_engine_iam_binding.editor "projects/{{project}}/iap_web/appengine-{{appId}} roles/iap.httpsResourceAccessor"

IAM policy imports use the identifier of the resource in question, e.g.

$ terraform import google_iap_web_type_app_engine_iam_policy.editor projects/{{project}}/iap_web/appengine-{{appId}}

User Project Overrides

This resource supports User Project Overrides.