Ensures that a member:role pairing does not exist in a project's IAM policy.
On create, this resource will modify the policy to remove the member
from the
role
. If the membership is ever re-added, the next refresh will clear this
resource from state, proposing re-adding it to correct the membership. Import is
not supported- this resource will acquire the current policy and modify it as
part of creating the resource.
This resource will conflict with google_project_iam_policy
and
google_project_iam_binding
resources that share a role, as well as
google_project_iam_member
resources that target the same membership. When
multiple resources conflict the final state is not guaranteed to include or omit
the membership. Subsequent terraform apply
calls will always show a diff
until the configuration is corrected.
For more information see the official documentation and API reference.
data "google_project" "target_project {}
resource "google_project_iam_member_remove" "foo" {
role = "roles/editor"
project = google_project.target_project.project_id
member = "serviceAccount:${google_project.target_project.number}-compute@developer.gserviceaccount.com"
}
The following arguments are supported:
project
- (Required) The project id of the target project.
role
- (Required) The target role that should be removed.
member
- (Required) The IAM principal that should not have the target role.
Each entry can have one of the following values: