IAM policy for folders

Four different resources help you manage your IAM policy for a folder. Each of these resources serves a different use case:

google_folder_iam_policy: Authoritative. Sets the IAM policy for the folder and replaces any existing policy already attached.
google_folder_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the folder are preserved.
google_folder_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the folder are preserved.
google_folder_iam_audit_config: Authoritative for a given service. Updates the IAM policy to enable audit logging for the given service.

Note: google_folder_iam_policy cannot be used in conjunction with google_folder_iam_binding, google_folder_iam_member or google_folder_iam_audit_config, or they will fight over what your policy should be.

Note: google_folder_iam_binding resources can be used in conjunction with google_folder_iam_member resources only if they do not grant privilege to the same role.

google_folder_iam_policy

resource "google_folder_iam_policy" "folder" {
  folder      = "folders/1234567"
  policy_data = data.google_iam_policy.admin.policy_data
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]
  }
}

With IAM Conditions:

resource "google_folder_iam_policy" "folder" {
  folder      = "folders/1234567"
  policy_data = data.google_iam_policy.admin.policy_data
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/compute.admin"

    members = [
      "user:jane@example.com",
    ]

    condition {
      title       = "expires_after_2019_12_31"
      description = "Expiring at midnight of 2019-12-31"
      expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
    }
  }
}

google_folder_iam_binding

resource "google_folder_iam_binding" "folder" {
  folder  = "folders/1234567"
  role    = "roles/editor"

  members = [
    "user:jane@example.com",
  ]
}

With IAM Conditions:

resource "google_folder_iam_binding" "folder" {
  folder  = "folders/1234567"
  role    = "roles/container.admin"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

google_folder_iam_member

resource "google_folder_iam_member" "folder" {
  folder  = "folders/1234567"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}

With IAM Conditions:

resource "google_folder_iam_member" "folder" {
  folder  = "folders/1234567"
  role    = "roles/firebase.admin"
  member  = "user:jane@example.com"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

google_folder_iam_audit_config

resource "google_folder_iam_audit_config" "folder" {
  folder  = "folders/1234567"
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
    exempted_members = [
      "user:joebloggs@hashicorp.com",
    ]
  }
}
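The four write semantics described above, modelled as an added Python example (not provider code) against a constructed folder policy in the Resource Manager JSON shape. removed_grants reports which existing grants each resource type would revoke, which is the difference that matters when choosing between them and when reading a plan.

```python
import copy

# Constructed sample: a folder's current IAM policy in the shape the Resource
# Manager API returns. Simplification: bindings are keyed on role only; a real
# policy keys conditional bindings on role plus condition, not modelled here.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:jane@example.com", "group:ops@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "auditConfigs": [{"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]}],
}

def apply_iam_policy(policy, bindings, audit_configs=None):
    # google_folder_iam_policy: authoritative, the whole policy is replaced. policy_data
    # from google_iam_policy carries audit configs too, so omitting them clears them.
    return {"bindings": copy.deepcopy(bindings), "auditConfigs": copy.deepcopy(audit_configs or [])}

def apply_iam_binding(policy, role, members):
    # google_folder_iam_binding: authoritative for one role; other roles are preserved.
    new = copy.deepcopy(policy)
    new["bindings"] = [b for b in new["bindings"] if b["role"] != role]
    new["bindings"].append({"role": role, "members": sorted(members)})
    return new

def apply_iam_member(policy, role, member):
    # google_folder_iam_member: non-authoritative; one member added, all others preserved.
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def apply_audit_config(policy, service, log_configs):
    # google_folder_iam_audit_config: authoritative for one service; other services preserved.
    new = copy.deepcopy(policy)
    new["auditConfigs"] = [a for a in new["auditConfigs"] if a["service"] != service]
    new["auditConfigs"].append({"service": service, "auditLogConfigs": copy.deepcopy(log_configs)})
    return new

def members_of(policy, role):
    return sorted(m for b in policy["bindings"] if b["role"] == role for m in b["members"])

def removed_grants(before, after):
    # (role, member) pairs the change revokes: what to look for in the plan before applying.
    grants = lambda p: {(b["role"], m) for b in p["bindings"] for m in b["members"]}
    return sorted(grants(before) - grants(after))
```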

Argument Reference

The following arguments are supported:

member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values: allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, domain:{domain}. google_folder_iam_member takes a single member; google_folder_iam_binding takes a list in members. allUsers and allAuthenticatedUsers grant access to everyone, so review any use of them carefully.

role - (Required) The role that should be applied. Only one google_folder_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

policy_data - (Required only by google_folder_iam_policy) The google_iam_policy data source that represents the IAM policy that will be applied to the folder.

folder - (Required) The resource name of the folder the policy is attached to. Its format is folders/{folder_id}.

condition - (Optional) An IAM Condition for a given binding. Structure is documented below.

service - (Required only by google_folder_iam_audit_config) Service which will be enabled for audit logging. The special value allServices covers all services.

audit_log_config - (Required only by google_folder_iam_audit_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

The audit_log_config block supports:

log_type - (Required) Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

exempted_members - (Optional) Identities that do not cause logging for this type of permission. Each entry can have one of the same values as members above.

The condition block supports:

expression - (Required) Textual representation of an expression in Common Expression Language syntax.

title - (Required) A title for the expression, i.e. a short string describing its purpose.

description - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

etag - (Computed) The etag of the folder's IAM policy.

Import

Importing IAM members

IAM member imports use space-delimited identifiers that contain the resource's folder_id, role, and member, e.g. folders/{{folder_id}} roles/viewer user:foo@example.com.

An import block (Terraform v1.5.0 and later) can be used to import IAM members:

import {
  id = "folders/{{folder_id}} roles/viewer user:foo@example.com"
  to = google_folder_iam_member.default
}

The terraform import command can also be used:

$ terraform import google_folder_iam_member.default "folders/{{folder_id}} roles/viewer user:foo@example.com"

Importing IAM bindings

IAM binding imports use space-delimited identifiers that contain the resource's folder_id and role, e.g. folders/{{folder_id}} roles/viewer.

An import block (Terraform v1.5.0 and later) can be used to import IAM bindings:

import {
  id = "folders/{{folder_id}} roles/viewer"
  to = google_folder_iam_binding.default
}

The terraform import command can also be used:

$ terraform import google_folder_iam_binding.default "folders/{{folder_id}} roles/viewer"

Importing IAM policies

IAM policy imports use the identifier of the folder only, e.g. folders/{{folder_id}}.

An import block (Terraform v1.5.0 and later) can be used to import IAM policies:

import {
  id = "folders/{{folder_id}}"
  to = google_folder_iam_policy.default
}

The terraform import command can also be used:

$ terraform import google_folder_iam_policy.default folders/{{folder_id}}

Importing Audit Configs

An audit config can be imported into a google_folder_iam_audit_config resource using the resource's folder_id and the service, e.g. folder/{{folder_id}} foo.googleapis.com.

An import block (Terraform v1.5.0 and later) can be used to import audit configs:

import {
  id = "folder/{{folder_id}} foo.googleapis.com"
  to = google_folder_iam_audit_config.default
}

The terraform import command can also be used:

$ terraform import google_folder_iam_audit_config.default "folder/{{folder_id}} foo.googleapis.com"