Represents a collection of denial policies to apply to a given resource.
To get more information about DenyPolicy, see:
```hcl
resource "google_project" "project" {
  project_id      = "my-project"
  name            = "my-project"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_iam_deny_policy" "example" {
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-deny-policy"
  display_name = "A deny rule"

  rules {
    description = "First rule"
    deny_rule {
      denied_principals = ["principalSet://goog/public:all"]
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
    }
  }

  rules {
    description = "Second rule"
    deny_rule {
      denied_principals = ["principalSet://goog/public:all"]
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions   = ["cloudresourcemanager.googleapis.com/projects.update"]
      exception_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.test-account.email}"]
    }
  }
}

resource "google_service_account" "test-account" {
  account_id   = "svc-acc"
  display_name = "Test Service Account"
  project      = google_project.project.project_id
}
```
The following arguments are supported:

* `name` - (Required) The name of the policy.

* `parent` - (Required) The attachment point, identified by its URL-encoded full resource name.

* `rules` - (Required) Rules to be applied. Structure is documented below.

* `display_name` - (Optional) The display name of the rule.

The `rules` block supports:

* `description` - (Optional) The description of the rule.

* `deny_rule` - (Optional) A deny rule in an IAM deny policy. Structure is documented below.

The `deny_rule` block supports:

* `denied_principals` - (Optional) The identities that are prevented from using one or more permissions on Google Cloud resources.

* `exception_principals` - (Optional) The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

* `denied_permissions` - (Optional) The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`, where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.

* `exception_permissions` - (Optional) The permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears both in deniedPermissions and in exceptionPermissions, it is not denied. The excluded permissions are specified using the same syntax as deniedPermissions.

* `denial_condition` - (Optional) User-defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents of the request header. Structure is documented below.

The `denial_condition` block supports:

* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.

* `title` - (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow entering the expression.

* `description` - (Optional) Description of the expression. This is a longer text which describes the expression, e.g. when hovered over in a UI.

* `location` - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `{{parent}}/{{name}}`

* `etag` - The hash of the resource. Used internally during updates.
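As an added example (not part of the provider documentation or the page's own configuration), the following folder-level deny policy exercises the `rules`, `deny_rule` and `denial_condition` arguments described above together: a tag-scoped rule that denies destructive project permissions to every principal, carves one permission back out with `exception_permissions`, and exempts a single break-glass service account with `exception_principals`. The `google_folder.prod` resource, the project `my-project`, the tag key ID `12345678/env` and the deny-format permission names other than `projects.update` are assumptions made for the example.

```hcl
# Added example, not part of the provider documentation.
# Assumptions: an existing resource "google_folder" "prod", a tag key whose
# ID is "12345678/env" (org-id/short-name, as on this page), and that
# projects.delete and projects.setIamPolicy are valid deny-policy permissions.

resource "google_service_account" "breakglass" {
  account_id   = "breakglass"
  display_name = "Break-glass account exempt from the deny policy"
  project      = "my-project" # assumed project ID
}

resource "google_iam_deny_policy" "prod_guardrail" {
  # Attachment point: a folder-level policy uses the folder's full resource
  # name, URL-encoded, as its parent (the "/" becomes "%2F").
  parent       = urlencode("cloudresourcemanager.googleapis.com/folders/${google_folder.prod.folder_id}")
  name         = "prod-guardrail"
  display_name = "Block destructive changes to prod-tagged projects"

  rules {
    description = "Only the break-glass account may delete or re-IAM prod projects"

    deny_rule {
      # Every principal, including allUsers and allAuthenticatedUsers.
      denied_principals = ["principalSet://goog/public:all"]

      # Matched by denied_principals above, but excluded from the rule.
      exception_principals = [
        "principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.breakglass.email}",
      ]

      denied_permissions = [
        "cloudresourcemanager.googleapis.com/projects.delete",
        "cloudresourcemanager.googleapis.com/projects.setIamPolicy",
        "cloudresourcemanager.googleapis.com/projects.update",
      ]

      # A permission listed both here and in denied_permissions is not
      # denied, so projects.update remains governed by allow policies only.
      exception_permissions = [
        "cloudresourcemanager.googleapis.com/projects.update",
      ]

      # CEL condition: the rule applies only to resources tagged env=prod.
      # Note the absence of the leading "!" used in the page's example, which
      # would invert the scope to everything that is NOT tagged env=prod.
      denial_condition {
        title       = "prod-tagged resources only"
        description = "Restrict the deny rule to resources carrying env=prod"
        expression  = "resource.matchTag('12345678/env', 'prod')"
      }
    }
  }
}
```

The two exception lists narrow the rule rather than grant anything: whatever remains in the denied set after the exceptions is refused regardless of allow policies, so the effective outcome for an ordinary principal on a prod-tagged project is that `projects.delete` and `projects.setIamPolicy` are blocked while `projects.update` falls through to the normal allow-policy evaluation.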
This resource provides the following Timeouts configuration options:

* `create` - Default is 20 minutes.
* `update` - Default is 20 minutes.
* `delete` - Default is 20 minutes.

DenyPolicy can be imported using any of these accepted formats:

* `{{parent}}/{{name}}`

In Terraform v1.5.0 and later, use an `import` block to import DenyPolicy using one of the formats above. For example:

```hcl
import {
  id = "{{parent}}/{{name}}"
  to = google_iam_deny_policy.default
}
```

When using the `terraform import` command, DenyPolicy can be imported using one of the formats above. For example:

```
$ terraform import google_iam_deny_policy.default {{parent}}/{{name}}
```