Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.
To get more information about GcpUserAccessBinding, see:
resource "google_cloud_identity_group" "group" {
display_name = "my-identity-group"
parent = "customers/A01b123xz"
group_key {
id = "my-identity-group@example.com"
}
labels = {
"cloudidentity.googleapis.com/groups.discussion_forum" = ""
}
}
resource "google_access_context_manager_access_level" "access_level_id_for_user_access_binding" {
parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
name = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/chromeos_no_lock"
title = "chromeos_no_lock"
basic {
conditions {
device_policy {
require_screen_lock = true
os_constraints {
os_type = "DESKTOP_CHROME_OS"
}
}
regions = [
"US",
]
}
}
}
resource "google_access_context_manager_access_policy" "access-policy" {
parent = "organizations/123456789"
title = "my policy"
}
resource "google_access_context_manager_gcp_user_access_binding" "gcp_user_access_binding" {
organization_id = "123456789"
group_key = trimprefix(google_cloud_identity_group.group.id, "groups/")
access_levels = [
google_access_context_manager_access_level.access_level_id_for_user_access_binding.name,
]
}
The following arguments are supported:
group_key
-
(Required)
Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
access_levels
-
(Required)
Required. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
organization_id
-
(Required)
Required. ID of the parent organization.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format {{name}}
name
-
Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.GcpUserAccessBinding can be imported using any of these accepted formats:
{{name}}
In Terraform v1.5.0 and later, use an import
block to import GcpUserAccessBinding using one of the formats above. For example:
import {
id = "{{name}}"
to = google_access_context_manager_gcp_user_access_binding.default
}
When using the terraform import
command, GcpUserAccessBinding can be imported using one of the formats above. For example:
$ terraform import google_access_context_manager_gcp_user_access_binding.default {{name}}