google_iam_deny_policy

A deny policy is a collection of deny rules attached to a resource (a project, folder or organization). IAM evaluates deny policies before allow policies: if any deny rule matches the principal, the permission and, where one is set, its tag-based condition, the request is refused regardless of what roles the principal holds in allow policies. Deny policies cover only a subset of IAM permissions, and those permissions are written in the v2 form `service.googleapis.com/resource.verb` (for example `cloudresourcemanager.googleapis.com/projects.update`), not the v1 `resourcemanager.projects.update` form used in allow policies.

To get more information about DenyPolicy, see:

Example Usage - Iam Deny Policy Basic

resource "google_project" "project" {
  project_id      = "my-project"
  name            = "my-project"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_iam_deny_policy" "example" {
  # The IAM v2 API takes the attachment point URL-encoded (slashes become %2F),
  # so the parent is wrapped in urlencode().
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-deny-policy"
  display_name = "A deny rule"

  # Rule 1: nobody may update the project unless it carries the tag env=test.
  rules {
    description = "First rule"
    deny_rule {
      # principalSet://goog/public:all is every principal, including service
      # accounts and the identity that runs terraform apply.
      denied_principals = ["principalSet://goog/public:all"]
      # The rule applies only while the condition is true: here, while the
      # resource is NOT tagged env=test. The tag key is in ORG_ID/key form and
      # deny conditions may only use resource.matchTag / resource.matchTagId.
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      # v2 permission format: SERVICE/RESOURCE.VERB.
      denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
    }
  }

  # Rule 2: the same denial, but with the service account below carved out.
  # Rules are evaluated independently and any matching rule denies, so the
  # service account is still caught by rule 1 as written; an exception must be
  # present on every rule that would otherwise match.
  rules {
    description = "Second rule"
    deny_rule {
      denied_principals = ["principalSet://goog/public:all"]
      denial_condition {
        title      = "Some expr"
        expression = "!resource.matchTag('12345678/env', 'test')"
      }
      denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
      # exception_principals removes principals from the denied set; an exempted
      # principal still needs a grant in an allow policy to actually act.
      exception_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.test-account.email}"]
    }
  }
}

resource "google_service_account" "test-account" {
  account_id   = "svc-acc"
  display_name = "Test Service Account"
  project      = google_project.project.project_id
}
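
The project-level example above denies a single permission on one project. The following is an added example, not taken from the provider documentation or the upstream project, that applies the same resource as an organization-wide guardrail: it blocks creation of user-managed service account keys everywhere in the organization, uses a tag as an explicit opt-out rather than an opt-in, and exempts one break-glass group. The organization ID 123456789, the tag key 123456789/sa-keys and the group address are placeholders; it also assumes `iam.googleapis.com/serviceAccountKeys.create` is in the set of permissions that deny policies support, which should be confirmed against the current supported-permissions list before applying.

```hcl
# Added example (not from the provider docs). Placeholders: organization ID
# 123456789, tag key 123456789/sa-keys, group sa-key-breakglass@example.com.

# Organization-wide guardrail: nobody may create user-managed service account
# keys on any project in the organization unless the project (or a parent
# folder) is tagged sa-keys=allowed; one break-glass group is exempted.
resource "google_iam_deny_policy" "org_no_sa_keys" {
  # Attaching at the organization means every folder and project inherits the
  # deny. The attachment point is URL-encoded, exactly as in the project example.
  parent       = urlencode("cloudresourcemanager.googleapis.com/organizations/123456789")
  name         = "no-user-managed-sa-keys"
  display_name = "Deny service account key creation"

  rules {
    description = "Deny creating user-managed service account keys"
    deny_rule {
      # All principals: users, groups, service accounts, and the identity
      # running Terraform. The Terraform identity can still manage this deny
      # policy because no denypolicies.* permission is denied here.
      denied_principals = ["principalSet://goog/public:all"]

      # v2 permission format (SERVICE/RESOURCE.VERB), not the v1
      # iam.serviceAccountKeys.create used in allow policies.
      denied_permissions = ["iam.googleapis.com/serviceAccountKeys.create"]

      # Deny conditions can only test resource tags. The rule applies while the
      # condition is true, so negating matchTag makes the tag an opt-out: every
      # resource NOT tagged sa-keys=allowed is covered, untagged ones included.
      denial_condition {
        title      = "Not tagged sa-keys=allowed"
        expression = "!resource.matchTag('123456789/sa-keys', 'allowed')"
      }

      # Break-glass group carved out of the denial. Its members still need an
      # allow-policy grant to create keys; membership of this group and the
      # sa-keys tag are now the two audit points for key creation.
      exception_principals = ["principalSet://goog/group/sa-key-breakglass@example.com"]
    }
  }
}
```

Because `principalSet://goog/public:all` also covers the identity applying Terraform, check that nothing in the deny set is needed by the pipeline itself; here only key creation is denied, so the pipeline keeps the ability to update or remove the policy if it has to be rolled back.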

Argument Reference

The following arguments are supported:

The rules block supports:

The deny_rule block supports:

The denial_condition block supports:


Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

DenyPolicy can be imported using any of these accepted formats:

* {{parent}}/{{name}}

Here {{parent}} is the URL-encoded attachment point exactly as set in the resource's parent argument (for the project example above, cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project), so the import ID contains a single unencoded slash, the one separating parent from name.

In Terraform v1.5.0 and later, use an import block to import DenyPolicy using one of the formats above. For example:

import {
  id = "{{parent}}/{{name}}"
  to = google_iam_deny_policy.default
}

When using the terraform import command, DenyPolicy can be imported using one of the formats above. For example:

$ terraform import google_iam_deny_policy.default {{parent}}/{{name}}