An Entitlement defines the eligibility of a set of users to obtain predefined access for a limited time, possibly after going through an approval workflow.
```hcl
resource "google_privileged_access_manager_entitlement" "tfentitlement" {
  provider             = google-beta
  entitlement_id       = "example-entitlement"
  location             = "global"
  max_request_duration = "43200s" # 12 hours; a requester may ask for less, never more
  parent               = "projects/my-project-name"

  requester_justification_config {
    unstructured {} # the requester must supply a free-text justification
  }

  eligible_users {
    principals = ["group:test@google.com"] # who may request a grant
  }

  privileged_access {
    gcp_iam_access {
      role_bindings {
        role                 = "roles/storage.admin"
        condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
      }
      resource      = "//cloudresourcemanager.googleapis.com/projects/my-project-name"
      resource_type = "cloudresourcemanager.googleapis.com/Project"
    }
  }

  additional_notification_targets {
    admin_email_recipients     = ["user@example.com"]
    requester_email_recipients = ["user@example.com"]
  }

  approval_workflow {
    manual_approvals {
      require_approver_justification = true
      steps {
        approvals_needed          = 1
        approver_email_recipients = ["user@example.com"]
        approvers {
          principals = ["group:test@google.com"]
        }
      }
    }
  }
}
```
The following arguments are supported:

* eligible_users - (Required) Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
* privileged_access - (Required) Privileged access that this service can be used to gate. Structure is documented below.
* max_request_duration - (Required) The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
* requester_justification_config - (Required) Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
* location - (Required) The region of the Entitlement resource.
* entitlement_id - (Required) The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
* parent - (Required) Format: project/{project_id} or organization/{organization_number} or folder/{folder_number}
The eligible_users block supports:

* principals - (Required) Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at https://cloud.google.com/iam/docs/principal-identifiers#v1

The privileged_access block supports:

* gcp_iam_access - (Required) GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

The gcp_iam_access block supports:

* resource_type - (Required) The type of this resource.
* resource - (Required) Name of the resource.
* role_bindings - (Required) Role bindings to be created on successful grant. Structure is documented below.

The role_bindings block supports:

* role - (Required) IAM role to be granted. See https://cloud.google.com/iam/docs/roles-overview.
* condition_expression - (Optional) The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes.
The requester_justification_config block supports:

* not_mandatory - (Optional) The justification is not mandatory but can be provided in any of the supported formats.
* unstructured - (Optional) The requester has to provide a justification in the form of free-flowing text.

The following top-level arguments are optional:

* approval_workflow - (Optional) The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Selects which type of approval workflow is used to gate the granting of privileged access. Structure is documented below.
* additional_notification_targets - (Optional) AdditionalNotificationTargets includes email addresses to be notified. Structure is documented below.
The approval_workflow block supports:

* manual_approvals - (Required) A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to build multi-step approval workflows. A single user may be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

The manual_approvals block supports:

* require_approver_justification - (Optional) Whether the approvers need to provide a justification for their actions.
* steps - (Required) List of approval steps in this workflow. These steps would be followed in the specified order sequentially. Only one step is supported for now. Structure is documented below.

The steps block supports:

* approvers - (Required) The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
* approvals_needed - (Optional) How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
* approver_email_recipients - (Optional) Additional email addresses to be notified when a grant is pending approval.

The approvers block supports:

* principals - (Required) Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at https://cloud.google.com/iam/docs/principal-identifiers#v1

The additional_notification_targets block supports:

* admin_email_recipients - (Optional) Additional email addresses to be notified when a principal (requester) is granted access.
* requester_email_recipients - (Optional) Additional email addresses to be notified about an eligible entitlement.
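As an added example (not from the provider documentation or the google-beta provider itself), the following Python pre-apply check enforces the constraints the argument reference states: the entitlement_id character rules, the 's'-suffixed max_request_duration format, the single eligible_users block, the one-step/one-approval workflow limits, and a recognised v1 principal prefix on every principal. The config dict (a constructed stand-in for parsed HCL), the ORG_MAX_DURATION_S cap, the acceptance of both project/ and projects/ parent spellings, and the rules that flag a null approval_workflow or a disabled approver justification are assumptions made for this example, not requirements of the resource.

```python
"""Pre-apply policy check for a google_privileged_access_manager_entitlement.

Added example; not part of the Terraform provider documentation.  The config
is a plain dict mirroring the resource arguments (a constructed stand-in for
parsed HCL).  ORG_MAX_DURATION_S, the approval-required rule and the
approver-justification rule are assumed organisational policy.
"""
import re

ENTITLEMENT_ID_RE = re.compile(r"[a-z][a-z0-9-]{3,62}")  # 4-63 chars, [a-z] first
DURATION_RE = re.compile(r"[0-9]+s")                      # whole seconds + 's', e.g. "7200s"
# The argument reference writes project/..., the example uses projects/...; accept both.
PARENT_RE = re.compile(r"(projects?|organizations?|folders?)/[^/]+")
ROLE_RE = re.compile(r"(roles/|(projects|organizations)/[^/]+/roles/)[A-Za-z0-9_.]+")
# Common v1 IAM principal identifier prefixes (not an exhaustive list).
PRINCIPAL_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
ORG_MAX_DURATION_S = 12 * 3600  # assumed policy cap on max_request_duration (12 hours)


def _check_principals(where: str, blocks: list, findings: list) -> None:
    """Every principal in every block must carry a recognised v1 prefix."""
    for block in blocks:
        for principal in block.get("principals", []):
            if not principal.startswith(PRINCIPAL_PREFIXES):
                findings.append(f"{where} principal {principal!r}: not a recognised v1 IAM principal identifier")


def check_entitlement(cfg: dict) -> list:
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    eid = cfg.get("entitlement_id", "")
    if not ENTITLEMENT_ID_RE.fullmatch(eid):
        findings.append(f"entitlement_id {eid!r}: must be 4-63 chars of [a-z0-9-] starting with [a-z]")

    if not PARENT_RE.fullmatch(cfg.get("parent", "")):
        findings.append("parent: expected project/{id}, organization/{number} or folder/{number}")

    duration = cfg.get("max_request_duration", "")
    if not DURATION_RE.fullmatch(duration):
        findings.append(f"max_request_duration {duration!r}: must be whole seconds followed by 's', e.g. \"7200s\"")
    elif int(duration[:-1]) > ORG_MAX_DURATION_S:
        findings.append(f"max_request_duration {duration}: exceeds assumed policy cap of {ORG_MAX_DURATION_S}s")

    eligible = cfg.get("eligible_users", [])
    if len(eligible) != 1:
        findings.append("eligible_users: required, and at most one block is allowed")
    _check_principals("eligible_users", eligible, findings)

    bindings = cfg.get("privileged_access", {}).get("gcp_iam_access", {}).get("role_bindings", [])
    if not bindings:
        findings.append("role_bindings: at least one binding is required")
    for binding in bindings:
        if not ROLE_RE.fullmatch(binding.get("role", "")):
            findings.append(f"role_bindings role {binding.get('role')!r}: expected a roles/... or custom role name")

    workflow = cfg.get("approval_workflow")
    if workflow is None:
        # Per the docs no approvals are needed when this field is null; assumed policy flags it.
        findings.append("approval_workflow: null, grants would be issued with no approval step")
        return findings

    manual = workflow.get("manual_approvals", {})
    if not manual.get("require_approver_justification", False):
        findings.append("require_approver_justification: false, approvers need not justify (assumed policy)")
    steps = manual.get("steps", [])
    if len(steps) != 1:
        findings.append("steps: exactly one step is supported for now")
    for step in steps:
        if step.get("approvals_needed", 1) != 1:
            findings.append("approvals_needed: 1 is currently the only supported value")
        approvers = step.get("approvers", [])
        if len(approvers) != 1:
            findings.append("approvers: the list should contain only one entry")
        _check_principals("approvers", approvers, findings)
    return findings


# Constructed sample: mirrors the example resource above and should pass.
GOOD = {
    "entitlement_id": "example-entitlement",
    "parent": "projects/my-project-name",
    "max_request_duration": "43200s",
    "eligible_users": [{"principals": ["group:test@google.com"]}],
    "privileged_access": {"gcp_iam_access": {
        "resource_type": "cloudresourcemanager.googleapis.com/Project",
        "resource": "//cloudresourcemanager.googleapis.com/projects/my-project-name",
        "role_bindings": [{"role": "roles/storage.admin",
                           "condition_expression": 'request.time < timestamp("2024-04-23T18:30:00.000Z")'}],
    }},
    "approval_workflow": {"manual_approvals": {
        "require_approver_justification": True,
        "steps": [{"approvals_needed": 1, "approvers": [{"principals": ["group:test@google.com"]}]}],
    }},
}

# Constructed sample: breaks several documented constraints and has no approval workflow.
BAD = {
    "entitlement_id": "Example-Entitlement",
    "parent": "my-project-name",
    "max_request_duration": "86400",
    "eligible_users": [],
    "privileged_access": {"gcp_iam_access": {"role_bindings": [{"role": "storage.admin"}]}},
    "approval_workflow": None,
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_entitlement(cfg) or "ok")
```

Run it before `terraform apply` (or wire it into CI against the parsed plan) so that an entitlement that silently drops the approval step, over-extends the request duration, or uses a malformed principal is caught before it reaches the provider.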
In addition to the arguments listed above, the following computed attributes are exported:

* id - An identifier for the resource with format {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
* name - Output only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
* create_time - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
* update_time - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
* state - Output only. The current state of the Entitlement.
* etag - For resource freshness validation (https://google.aip.dev/154).
This resource provides the following Timeouts configuration options:

* create - Default is 20 minutes.
* update - Default is 20 minutes.
* delete - Default is 20 minutes.

Entitlement can be imported using any of these accepted formats:

* {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}

In Terraform v1.5.0 and later, use an import block to import Entitlement using one of the formats above. For example:

```hcl
import {
  id = "{{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}"
  to = google_privileged_access_manager_entitlement.default
}
```

When using the terraform import command, Entitlement can be imported using one of the formats above. For example:

```
$ terraform import google_privileged_access_manager_entitlement.default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
```