google_privileged_access_manager_entitlement

An Entitlement defines the eligibility of a set of users to obtain predefined access for a limited time, possibly after going through an approval workflow.

Example Usage - Privileged Access Manager Entitlement Basic

resource "google_privileged_access_manager_entitlement" "tfentitlement" {
  provider             = google-beta
  entitlement_id       = "example-entitlement"
  location             = "global"
  # Longest access window a requester may ask for (43200s = 12 hours)
  max_request_duration = "43200s"
  parent               = "projects/my-project-name"

  # Requesters supply a free-form justification
  requester_justification_config {
    unstructured {}
  }

  # Principals allowed to request this entitlement
  eligible_users {
    principals = ["group:test@google.com"]
  }

  # IAM role granted on the target resource while a grant is active
  privileged_access {
    gcp_iam_access {
      role_bindings {
        role                 = "roles/storage.admin"
        condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
      }
      resource      = "//cloudresourcemanager.googleapis.com/projects/my-project-name"
      resource_type = "cloudresourcemanager.googleapis.com/Project"
    }
  }

  additional_notification_targets {
    admin_email_recipients     = ["user@example.com"]
    requester_email_recipients = ["user@example.com"]
  }

  # Requests must pass a manual approval step before access is granted
  approval_workflow {
    manual_approvals {
      require_approver_justification = true
      steps {
        approvals_needed          = 1
        approver_email_recipients = ["user@example.com"]
        approvers {
          principals = ["group:test@google.com"]
        }
      }
    }
  }
}
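The example above wires together the settings that decide how much standing risk an entitlement carries: how long a grant may last, which role it confers, who may request it and who must approve. The following policy check is an added example, not part of the provider documentation or the Terraform provider itself. It walks entitlement definitions represented as plain Python dictionaries that mirror the argument names on this page (the dictionaries are constructed here, not output of any Terraform command), and reports configurations a reviewer would want to look at: a request window longer than an assumed 4-hour ceiling, primitive roles, a missing or empty manual approval step, approvers who do not have to justify their decision, and overlap between the requester and approver principals. All thresholds and the denylist of roles are assumptions chosen for the example.

```python
"""Policy check over google_privileged_access_manager_entitlement definitions.

Added example. The entitlement dictionaries below are constructed by hand to
mirror the argument names in the provider docs; they are not terraform output.
"""
import re
from typing import Any, Dict, List

# Assumed policy settings (not taken from the provider docs).
MAX_ALLOWED_DURATION_S = 4 * 3600                       # 4-hour ceiling per grant
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # primitive roles
MIN_APPROVALS = 1

_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)s$")


def parse_duration_seconds(value: str) -> float:
    """Parse the protobuf-style 'Ns' duration used by max_request_duration."""
    match = _DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unsupported duration format: {value!r}")
    return float(match.group(1))


def _principals(blocks: List[Dict[str, Any]]) -> List[str]:
    """Flatten the principals of repeated eligible_users / approvers blocks."""
    return [p for block in blocks for p in block.get("principals", [])]


def check_entitlement(name: str, ent: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one entitlement (empty list = clean)."""
    findings: List[str] = []

    # 1. Grant duration: long windows widen the blast radius of a misused grant.
    duration = parse_duration_seconds(ent["max_request_duration"])
    if duration > MAX_ALLOWED_DURATION_S:
        findings.append(f"{name}: max_request_duration {int(duration)}s exceeds "
                        f"policy ceiling of {MAX_ALLOWED_DURATION_S}s")

    # 2. Role scope: primitive roles grant far more than a task usually needs.
    bindings = ent["privileged_access"]["gcp_iam_access"]["role_bindings"]
    for binding in bindings:
        if binding["role"] in BROAD_ROLES:
            findings.append(f"{name}: role_bindings grants primitive role {binding['role']}")

    # 3. Approval workflow: absent or empty steps mean self-service access.
    manual = (ent.get("approval_workflow") or {}).get("manual_approvals") or {}
    steps = manual.get("steps") or []
    if not steps:
        findings.append(f"{name}: no manual_approvals step; requests are granted without review")
    if steps and not manual.get("require_approver_justification", False):
        findings.append(f"{name}: require_approver_justification is not set")

    requesters = set(_principals(ent.get("eligible_users", [])))
    for index, step in enumerate(steps):
        if step.get("approvals_needed", 0) < MIN_APPROVALS:
            findings.append(f"{name}: step {index} needs fewer than {MIN_APPROVALS} approval(s)")
        approvers = set(_principals(step.get("approvers", [])))
        if not approvers:
            findings.append(f"{name}: step {index} has no approver principals")
        # 4. Separation of duties: the same principal should not request and approve.
        overlap = sorted(requesters & approvers)
        if overlap:
            findings.append(f"{name}: {', '.join(overlap)} is both eligible requester "
                            f"and approver in step {index}")
    return findings


# Constructed input: the entitlement from the Example Usage above, as a dict.
PAGE_EXAMPLE: Dict[str, Any] = {
    "max_request_duration": "43200s",
    "eligible_users": [{"principals": ["group:test@google.com"]}],
    "privileged_access": {"gcp_iam_access": {"role_bindings": [
        {"role": "roles/storage.admin",
         "condition_expression": 'request.time < timestamp("2024-04-23T18:30:00.000Z")'}]}},
    "approval_workflow": {"manual_approvals": {
        "require_approver_justification": True,
        "steps": [{"approvals_needed": 1,
                   "approvers": [{"principals": ["group:test@google.com"]}]}]}},
}

# Constructed input: a tighter variant with a separate approver group.
HARDENED_EXAMPLE: Dict[str, Any] = {
    "max_request_duration": "3600s",
    "eligible_users": [{"principals": ["group:storage-oncall@example.com"]}],
    "privileged_access": {"gcp_iam_access": {"role_bindings": [
        {"role": "roles/storage.objectViewer"}]}},
    "approval_workflow": {"manual_approvals": {
        "require_approver_justification": True,
        "steps": [{"approvals_needed": 2,
                   "approvers": [{"principals": ["group:security-approvers@example.com"]}]}]}},
}

if __name__ == "__main__":
    for label, ent in (("page-example", PAGE_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        for line in check_entitlement(label, ent) or [f"{label}: no findings"]:
            print(line)
```

Run against the page's example the check reports the 12-hour window and the fact that group:test@google.com can both request and approve; the hardened variant produces no findings. In a real pipeline the dictionaries would come from a plan or state export rather than being written by hand.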

Argument Reference

The following arguments are supported:

The eligible_users block supports:

The privileged_access block supports:

The gcp_iam_access block supports:

The role_bindings block supports:

The requester_justification_config block supports:

The approval_workflow block supports:

The manual_approvals block supports:

The steps block supports:

The approvers block supports:

The additional_notification_targets block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Entitlement can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Entitlement using one of the formats above. For example:

import {
  id = "{{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}"
  to = google_privileged_access_manager_entitlement.default
}

When using the terraform import command, Entitlement can be imported using one of the formats above. For example:

$ terraform import google_privileged_access_manager_entitlement.default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}