Represents a collection of access boundary policies to apply to a given resource. NOTE: This is a private feature and users should contact GCP support if they would like to test it.
resource "google_project" "project" {
project_id = "my-project"
name = "my-project"
org_id = "123456789"
billing_account = "000000-0000000-0000000-000000"
}
resource "google_access_context_manager_access_level" "test-access" {
parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/chromeos_no_lock"
title = "chromeos_no_lock"
basic {
conditions {
device_policy {
require_screen_lock = true
os_constraints {
os_type = "DESKTOP_CHROME_OS"
}
}
regions = [
"CH",
"IT",
"US",
]
}
}
}
resource "google_access_context_manager_access_policy" "access-policy" {
parent = "organizations/${google_project.project.org_id}"
title = "my policy"
}
resource "google_iam_access_boundary_policy" "example" {
parent = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
name = "my-ab-policy"
display_name = "My AB policy"
rules {
description = "AB rule"
access_boundary_rule {
available_resource = "*"
available_permissions = ["*"]
availability_condition {
title = "Access level expr"
expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
}
}
}
}
The following arguments are supported:
name
-
(Required)
The name of the policy.
parent
-
(Required)
The attachment point is identified by its URL-encoded full resource name.
rules
-
(Required)
Rules to be applied.
Structure is documented below.
description
-
(Optional)
The description of the rule.
access_boundary_rule
-
(Optional)
An access boundary rule in an IAM policy.
Structure is documented below.
The access_boundary_rule
block supports:
available_resource
-
(Optional)
The full resource name of a Google Cloud resource entity.
available_permissions
-
(Optional)
A list of permissions that may be allowed for use on the specified resource.
availability_condition
-
(Optional)
The availability condition further constrains the access allowed by the access boundary rule.
Structure is documented below.
The availability_condition
block supports:
expression
-
(Required)
Textual representation of an expression in Common Expression Language syntax.
title
-
(Optional)
Title for the expression, i.e. a short string describing its purpose.
This can be used e.g. in UIs which allow to enter the expression.
description
-
(Optional)
Description of the expression. This is a longer text which describes the expression,
e.g. when hovered over it in a UI.
location
-
(Optional)
String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
display_name
-
(Optional)
The display name of the rule.In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format {{parent}}/{{name}}
etag
-
The hash of the resource. Used internally during updates.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.AccessBoundaryPolicy can be imported using any of these accepted formats:
{{parent}}/{{name}}
In Terraform v1.5.0 and later, use an import
block to import AccessBoundaryPolicy using one of the formats above. For example:
import {
id = "{{parent}}/{{name}}"
to = google_iam_access_boundary_policy.default
}
When using the terraform import
command, AccessBoundaryPolicy can be imported using one of the formats above. For example:
$ terraform import google_iam_access_boundary_policy.default {{parent}}/{{name}}