google_iam_access_boundary_policy

Represents a collection of access boundary policies to apply to a given resource. NOTE: This is a private feature and users should contact GCP support if they would like to test it.

Example Usage - Iam Access Boundary Policy Basic

resource "google_project" "project" {
  project_id      = "my-project"
  name            = "my-project"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_access_context_manager_access_level" "test-access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/chromeos_no_lock"
  title  = "chromeos_no_lock"
  basic {
    conditions {
      device_policy {
        require_screen_lock = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/${google_project.project.org_id}"
  title  = "my policy"
}

resource "google_iam_access_boundary_policy" "example" {
  parent   = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name     = "my-ab-policy"
  display_name = "My AB policy"
  rules {
    description = "AB rule"
    access_boundary_rule {
      available_resource = "*"
      available_permissions = ["*"]
      availability_condition {
        title = "Access level expr"
        expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
      }
    }
  }
}

Argument Reference

The following arguments are supported:

The rules block supports:

The access_boundary_rule block supports:

The availability_condition block supports:


Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

AccessBoundaryPolicy can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import AccessBoundaryPolicy using one of the formats above. For example:

import {
  id = "{{parent}}/{{name}}"
  to = google_iam_access_boundary_policy.default
}

When using the terraform import command, AccessBoundaryPolicy can be imported using one of the formats above. For example:

$ terraform import google_iam_access_boundary_policy.default {{parent}}/{{name}}