This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

pubsub

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

class pulumi_gcp.pubsub.Subscription(resource_name, opts=None, ack_deadline_seconds=None, dead_letter_policy=None, expiration_policy=None, labels=None, message_retention_duration=None, name=None, project=None, push_config=None, retain_acked_messages=None, topic=None, __props__=None, __name__=None, __opts__=None)
A named resource representing the stream of messages from a single,
specific topic, to be delivered to the subscribing application.


To get more information about Subscription, see:

* [API documentation](https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.subscriptions)
* How-to Guides
    * [Managing Subscriptions](https://cloud.google.com/pubsub/docs/admin#managing_subscriptions)

## Example Usage

### Pubsub Subscription Push

```python
import pulumi
import pulumi_gcp as gcp

example_topic = gcp.pubsub.Topic("exampleTopic")
example_subscription = gcp.pubsub.Subscription("exampleSubscription",
    topic=example_topic.name,
    ack_deadline_seconds=20,
    labels={
        "foo": "bar",
    },
    push_config={
        "pushEndpoint": "https://example.com/push",
        "attributes": {
            "x-goog-version": "v1",
        },
    })
```

### Pubsub Subscription Pull

```python
import pulumi
import pulumi_gcp as gcp

example_topic = gcp.pubsub.Topic("exampleTopic")
example_subscription = gcp.pubsub.Subscription("exampleSubscription",
    topic=example_topic.name,
    labels={
        "foo": "bar",
    },
    message_retention_duration="1200s",
    retain_acked_messages=True,
    ack_deadline_seconds=20,
    expiration_policy={
        "ttl": "300000.5s",
    })
```

### Pubsub Subscription Different Project

```python
import pulumi
import pulumi_gcp as gcp

example_topic = gcp.pubsub.Topic("exampleTopic", project="topic-project")
example_subscription = gcp.pubsub.Subscription("exampleSubscription",
    project="subscription-project",
    topic=example_topic.name)
```

### Pubsub Subscription Dead Letter

```python
import pulumi
import pulumi_gcp as gcp

example_topic = gcp.pubsub.Topic("exampleTopic")
example_dead_letter = gcp.pubsub.Topic("exampleDeadLetter")
example_subscription = gcp.pubsub.Subscription("exampleSubscription",
    topic=example_topic.name,
    dead_letter_policy={
        "deadLetterTopic": example_dead_letter.id,
        "maxDeliveryAttempts": 10,
    })
```

:param str resource_name: The name of the resource.
:param pulumi.ResourceOptions opts: Options for the resource.
:param pulumi.Input[float] ack_deadline_seconds: This value is the maximum time after a subscriber receives a message
       before the subscriber should acknowledge the message. After message
       delivery but before the ack deadline expires and before the message is
       acknowledged, it is an outstanding message and will not be delivered
       again during that time (on a best-effort basis).
       For pull subscriptions, this value is used as the initial value for
       the ack deadline. To override this value for a given message, call
       subscriptions.modifyAckDeadline with the corresponding ackId if using
       pull. The minimum custom deadline you can specify is 10 seconds. The
       maximum custom deadline you can specify is 600 seconds (10 minutes).
       If this parameter is 0, a default value of 10 seconds is used.
       For push delivery, this value is also used to set the request timeout
       for the call to the push endpoint.
       If the subscriber never acknowledges the message, the Pub/Sub system
       will eventually redeliver the message.
:param pulumi.Input[dict] dead_letter_policy: A policy that specifies the conditions for dead lettering messages in
       this subscription. If dead_letter_policy is not set, dead lettering
       is disabled.
       The Cloud Pub/Sub service account associated with this subscriptions's
       parent project (i.e.,
       service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have
       permission to Acknowledge() messages on this subscription.  Structure is documented below.
:param pulumi.Input[dict] expiration_policy: A policy that specifies the conditions for this subscription's expiration.
       A subscription is considered active as long as any connected subscriber
       is successfully consuming messages from the subscription or is issuing
       operations on the subscription. If expirationPolicy is not set, a default
       policy with ttl of 31 days will be used.  If it is set but ttl is "", the
       resource never expires.  The minimum allowed value for expirationPolicy.ttl
       is 1 day.  Structure is documented below.
:param pulumi.Input[dict] labels: A set of key/value label pairs to assign to this Subscription.
:param pulumi.Input[str] message_retention_duration: How long to retain unacknowledged messages in the subscription's
       backlog, from the moment a message is published. If
       retainAckedMessages is true, then this also configures the retention
       of acknowledged messages, and thus configures how far back in time a
       subscriptions.seek can be done. Defaults to 7 days. Cannot be more
       than 7 days (`"604800s"`) or less than 10 minutes (`"600s"`).
       A duration in seconds with up to nine fractional digits, terminated
       by 's'. Example: `"600.5s"`.
:param pulumi.Input[str] name: Name of the subscription.
:param pulumi.Input[str] project: The ID of the project in which the resource belongs.
       If it is not provided, the provider project is used.
:param pulumi.Input[dict] push_config: If push delivery is used with this subscription, this field is used to
       configure it. An empty pushConfig signifies that the subscriber will
       pull and ack messages using API methods.  Structure is documented below.
:param pulumi.Input[bool] retain_acked_messages: Indicates whether to retain acknowledged messages. If `true`, then
       messages are not expunged from the subscription's backlog, even if
       they are acknowledged, until they fall out of the
       messageRetentionDuration window.
:param pulumi.Input[str] topic: A reference to a Topic resource.

The **dead_letter_policy** object supports the following:

  * `deadLetterTopic` (`pulumi.Input[str]`) - The name of the topic to which dead letter messages should be published.
    Format is `projects/{project}/topics/{topic}`.
    The Cloud Pub/Sub service
account associated with the enclosing subscription’s

parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Publish() to this topic. The operation will fail if the topic does not exist. Users should ensure that there is a subscription attached to this topic since messages published to a topic with no subscriptions are lost.

  * `maxDeliveryAttempts` (`pulumi.Input[float]`) - The maximum number of delivery attempts for any message. The value must be
    between 5 and 100.
    The number of delivery attempts is defined as 1 + (the sum of number of
    NACKs and number of times the acknowledgement deadline has been exceeded for the message).
    A NACK is any call to ModifyAckDeadline with a 0 deadline. Note that
    client libraries may automatically extend ack_deadlines.
    This field will be honored on a best effort basis.
    If this parameter is 0, a default value of 5 is used.

The **expiration_policy** object supports the following:

  * `ttl` (`pulumi.Input[str]`) - Specifies the "time-to-live" duration for an associated resource. The
    resource expires if it is not active for a period of ttl.
    If ttl is not set, the associated resource never expires.
    A duration in seconds with up to nine fractional digits, terminated by 's'.
    Example - "3.5s".

The **push_config** object supports the following:

  * `attributes` (`pulumi.Input[dict]`) - Endpoint configuration attributes.
    Every endpoint has a set of API supported attributes that can
    be used to control different aspects of the message delivery.
    The currently supported attribute is x-goog-version, which you
    can use to change the format of the pushed message. This
    attribute indicates the version of the data expected by
    the endpoint. This controls the shape of the pushed message
    (i.e., its fields and metadata). The endpoint version is
    based on the version of the Pub/Sub API.
    If not present during the subscriptions.create call,
    it will default to the version of the API used to make
    such call. If not present during a subscriptions.modifyPushConfig
    call, its value will not be changed. subscriptions.get
    calls will always return a valid version, even if the
    subscription was created without this attribute.
    The possible values for this attribute are:
    - v1beta1: uses the push format defined in the v1beta1 Pub/Sub API.
    - v1 or v1beta2: uses the push format defined in the v1 Pub/Sub API.
  * `oidcToken` (`pulumi.Input[dict]`) - If specified, Pub/Sub will generate and attach an OIDC JWT token as
    an Authorization header in the HTTP request for every pushed message.  Structure is documented below.
    * `audience` (`pulumi.Input[str]`) - Audience to be used when generating OIDC token. The audience claim
      identifies the recipients that the JWT is intended for. The audience
      value is a single case-sensitive string. Having multiple values (array)
      for the audience field is not supported. More info about the OIDC JWT
      token audience here: https://tools.ietf.org/html/rfc7519#section-4.1.3
      Note: if not specified, the Push endpoint URL will be used.
    * `service_account_email` (`pulumi.Input[str]`) - Service account email to be used for generating the OIDC token.
      The caller (for subscriptions.create, subscriptions.patch, and
      subscriptions.modifyPushConfig RPCs) must have the
      iam.serviceAccounts.actAs permission for the service account.

  * `pushEndpoint` (`pulumi.Input[str]`) - A URL locating the endpoint to which messages should be pushed.
    For example, a Webhook endpoint might use
    "https://example.com/push".
ack_deadline_seconds: pulumi.Output[float] = None

This value is the maximum time after a subscriber receives a message before the subscriber should acknowledge the message. After message delivery but before the ack deadline expires and before the message is acknowledged, it is an outstanding message and will not be delivered again during that time (on a best-effort basis). For pull subscriptions, this value is used as the initial value for the ack deadline. To override this value for a given message, call subscriptions.modifyAckDeadline with the corresponding ackId if using pull. The minimum custom deadline you can specify is 10 seconds. The maximum custom deadline you can specify is 600 seconds (10 minutes). If this parameter is 0, a default value of 10 seconds is used. For push delivery, this value is also used to set the request timeout for the call to the push endpoint. If the subscriber never acknowledges the message, the Pub/Sub system will eventually redeliver the message.

dead_letter_policy: pulumi.Output[dict] = None
A policy that specifies the conditions for dead lettering messages in
this subscription. If dead_letter_policy is not set, dead lettering
is disabled.
The Cloud Pub/Sub service account associated with this subscriptions's
parent project (i.e.,
service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have
permission to Acknowledge() messages on this subscription.  Structure is documented below.

  * `deadLetterTopic` (`str`) - The name of the topic to which dead letter messages should be published.
    Format is `projects/{project}/topics/{topic}`.
    The Cloud Pub/Sub service
account associated with the enclosing subscription’s

parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Publish() to this topic. The operation will fail if the topic does not exist. Users should ensure that there is a subscription attached to this topic since messages published to a topic with no subscriptions are lost.

* `maxDeliveryAttempts` (`float`) - The maximum number of delivery attempts for any message. The value must be
  between 5 and 100.
  The number of delivery attempts is defined as 1 + (the sum of number of
  NACKs and number of times the acknowledgement deadline has been exceeded for the message).
  A NACK is any call to ModifyAckDeadline with a 0 deadline. Note that
  client libraries may automatically extend ack_deadlines.
  This field will be honored on a best effort basis.
  If this parameter is 0, a default value of 5 is used.
expiration_policy: pulumi.Output[dict] = None

A policy that specifies the conditions for this subscription’s expiration. A subscription is considered active as long as any connected subscriber is successfully consuming messages from the subscription or is issuing operations on the subscription. If expirationPolicy is not set, a default policy with ttl of 31 days will be used. If it is set but ttl is “”, the resource never expires. The minimum allowed value for expirationPolicy.ttl is 1 day. Structure is documented below.

  • ttl (str) - Specifies the “time-to-live” duration for an associated resource. The resource expires if it is not active for a period of ttl. If ttl is not set, the associated resource never expires. A duration in seconds with up to nine fractional digits, terminated by ‘s’. Example - “3.5s”.

labels: pulumi.Output[dict] = None

A set of key/value label pairs to assign to this Subscription.

message_retention_duration: pulumi.Output[str] = None

How long to retain unacknowledged messages in the subscription’s backlog, from the moment a message is published. If retainAckedMessages is true, then this also configures the retention of acknowledged messages, and thus configures how far back in time a subscriptions.seek can be done. Defaults to 7 days. Cannot be more than 7 days ("604800s") or less than 10 minutes ("600s"). A duration in seconds with up to nine fractional digits, terminated by ‘s’. Example: "600.5s".

name: pulumi.Output[str] = None

Name of the subscription.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

push_config: pulumi.Output[dict] = None

If push delivery is used with this subscription, this field is used to configure it. An empty pushConfig signifies that the subscriber will pull and ack messages using API methods. Structure is documented below.

  • attributes (dict) - Endpoint configuration attributes. Every endpoint has a set of API supported attributes that can be used to control different aspects of the message delivery. The currently supported attribute is x-goog-version, which you can use to change the format of the pushed message. This attribute indicates the version of the data expected by the endpoint. This controls the shape of the pushed message (i.e., its fields and metadata). The endpoint version is based on the version of the Pub/Sub API. If not present during the subscriptions.create call, it will default to the version of the API used to make such call. If not present during a subscriptions.modifyPushConfig call, its value will not be changed. subscriptions.get calls will always return a valid version, even if the subscription was created without this attribute. The possible values for this attribute are:

    • v1beta1: uses the push format defined in the v1beta1 Pub/Sub API.

    • v1 or v1beta2: uses the push format defined in the v1 Pub/Sub API.

  • oidcToken (dict) - If specified, Pub/Sub will generate and attach an OIDC JWT token as an Authorization header in the HTTP request for every pushed message. Structure is documented below.

    • audience (str) - Audience to be used when generating OIDC token. The audience claim identifies the recipients that the JWT is intended for. The audience value is a single case-sensitive string. Having multiple values (array) for the audience field is not supported. More info about the OIDC JWT token audience here: https://tools.ietf.org/html/rfc7519#section-4.1.3 Note: if not specified, the Push endpoint URL will be used.

    • service_account_email (str) - Service account email to be used for generating the OIDC token. The caller (for subscriptions.create, subscriptions.patch, and subscriptions.modifyPushConfig RPCs) must have the iam.serviceAccounts.actAs permission for the service account.

  • pushEndpoint (str) - A URL locating the endpoint to which messages should be pushed. For example, a Webhook endpoint might use “https://example.com/push”.

retain_acked_messages: pulumi.Output[bool] = None

Indicates whether to retain acknowledged messages. If true, then messages are not expunged from the subscription’s backlog, even if they are acknowledged, until they fall out of the messageRetentionDuration window.

topic: pulumi.Output[str] = None

A reference to a Topic resource.

static get(resource_name, id, opts=None, ack_deadline_seconds=None, dead_letter_policy=None, expiration_policy=None, labels=None, message_retention_duration=None, name=None, path=None, project=None, push_config=None, retain_acked_messages=None, topic=None)
Get an existing Subscription resource's state with the given name, id, and optional extra
properties used to qualify the lookup.

:param str resource_name: The unique name of the resulting resource.
:param str id: The unique provider ID of the resource to lookup.
:param pulumi.ResourceOptions opts: Options for the resource.
:param pulumi.Input[float] ack_deadline_seconds: This value is the maximum time after a subscriber receives a message
       before the subscriber should acknowledge the message. After message
       delivery but before the ack deadline expires and before the message is
       acknowledged, it is an outstanding message and will not be delivered
       again during that time (on a best-effort basis).
       For pull subscriptions, this value is used as the initial value for
       the ack deadline. To override this value for a given message, call
       subscriptions.modifyAckDeadline with the corresponding ackId if using
       pull. The minimum custom deadline you can specify is 10 seconds. The
       maximum custom deadline you can specify is 600 seconds (10 minutes).
       If this parameter is 0, a default value of 10 seconds is used.
       For push delivery, this value is also used to set the request timeout
       for the call to the push endpoint.
       If the subscriber never acknowledges the message, the Pub/Sub system
       will eventually redeliver the message.
:param pulumi.Input[dict] dead_letter_policy: A policy that specifies the conditions for dead lettering messages in
       this subscription. If dead_letter_policy is not set, dead lettering
       is disabled.
       The Cloud Pub/Sub service account associated with this subscriptions's
       parent project (i.e.,
       service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have
       permission to Acknowledge() messages on this subscription.  Structure is documented below.
:param pulumi.Input[dict] expiration_policy: A policy that specifies the conditions for this subscription's expiration.
       A subscription is considered active as long as any connected subscriber
       is successfully consuming messages from the subscription or is issuing
       operations on the subscription. If expirationPolicy is not set, a default
       policy with ttl of 31 days will be used.  If it is set but ttl is "", the
       resource never expires.  The minimum allowed value for expirationPolicy.ttl
       is 1 day.  Structure is documented below.
:param pulumi.Input[dict] labels: A set of key/value label pairs to assign to this Subscription.
:param pulumi.Input[str] message_retention_duration: How long to retain unacknowledged messages in the subscription's
       backlog, from the moment a message is published. If
       retainAckedMessages is true, then this also configures the retention
       of acknowledged messages, and thus configures how far back in time a
       subscriptions.seek can be done. Defaults to 7 days. Cannot be more
       than 7 days (`"604800s"`) or less than 10 minutes (`"600s"`).
       A duration in seconds with up to nine fractional digits, terminated
       by 's'. Example: `"600.5s"`.
:param pulumi.Input[str] name: Name of the subscription.
:param pulumi.Input[str] project: The ID of the project in which the resource belongs.
       If it is not provided, the provider project is used.
:param pulumi.Input[dict] push_config: If push delivery is used with this subscription, this field is used to
       configure it. An empty pushConfig signifies that the subscriber will
       pull and ack messages using API methods.  Structure is documented below.
:param pulumi.Input[bool] retain_acked_messages: Indicates whether to retain acknowledged messages. If `true`, then
       messages are not expunged from the subscription's backlog, even if
       they are acknowledged, until they fall out of the
       messageRetentionDuration window.
:param pulumi.Input[str] topic: A reference to a Topic resource.

The **dead_letter_policy** object supports the following:

  * `deadLetterTopic` (`pulumi.Input[str]`) - The name of the topic to which dead letter messages should be published.
    Format is `projects/{project}/topics/{topic}`.
    The Cloud Pub/Sub service
account associated with the enclosing subscription’s

parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Publish() to this topic. The operation will fail if the topic does not exist. Users should ensure that there is a subscription attached to this topic since messages published to a topic with no subscriptions are lost.

  * `maxDeliveryAttempts` (`pulumi.Input[float]`) - The maximum number of delivery attempts for any message. The value must be
    between 5 and 100.
    The number of delivery attempts is defined as 1 + (the sum of number of
    NACKs and number of times the acknowledgement deadline has been exceeded for the message).
    A NACK is any call to ModifyAckDeadline with a 0 deadline. Note that
    client libraries may automatically extend ack_deadlines.
    This field will be honored on a best effort basis.
    If this parameter is 0, a default value of 5 is used.

The **expiration_policy** object supports the following:

  * `ttl` (`pulumi.Input[str]`) - Specifies the "time-to-live" duration for an associated resource. The
    resource expires if it is not active for a period of ttl.
    If ttl is not set, the associated resource never expires.
    A duration in seconds with up to nine fractional digits, terminated by 's'.
    Example - "3.5s".

The **push_config** object supports the following:

  * `attributes` (`pulumi.Input[dict]`) - Endpoint configuration attributes.
    Every endpoint has a set of API supported attributes that can
    be used to control different aspects of the message delivery.
    The currently supported attribute is x-goog-version, which you
    can use to change the format of the pushed message. This
    attribute indicates the version of the data expected by
    the endpoint. This controls the shape of the pushed message
    (i.e., its fields and metadata). The endpoint version is
    based on the version of the Pub/Sub API.
    If not present during the subscriptions.create call,
    it will default to the version of the API used to make
    such call. If not present during a subscriptions.modifyPushConfig
    call, its value will not be changed. subscriptions.get
    calls will always return a valid version, even if the
    subscription was created without this attribute.
    The possible values for this attribute are:
    - v1beta1: uses the push format defined in the v1beta1 Pub/Sub API.
    - v1 or v1beta2: uses the push format defined in the v1 Pub/Sub API.
  * `oidcToken` (`pulumi.Input[dict]`) - If specified, Pub/Sub will generate and attach an OIDC JWT token as
    an Authorization header in the HTTP request for every pushed message.  Structure is documented below.
    * `audience` (`pulumi.Input[str]`) - Audience to be used when generating OIDC token. The audience claim
      identifies the recipients that the JWT is intended for. The audience
      value is a single case-sensitive string. Having multiple values (array)
      for the audience field is not supported. More info about the OIDC JWT
      token audience here: https://tools.ietf.org/html/rfc7519#section-4.1.3
      Note: if not specified, the Push endpoint URL will be used.
    * `service_account_email` (`pulumi.Input[str]`) - Service account email to be used for generating the OIDC token.
      The caller (for subscriptions.create, subscriptions.patch, and
      subscriptions.modifyPushConfig RPCs) must have the
      iam.serviceAccounts.actAs permission for the service account.

  * `pushEndpoint` (`pulumi.Input[str]`) - A URL locating the endpoint to which messages should be pushed.
    For example, a Webhook endpoint might use
    "https://example.com/push".
translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.SubscriptionIAMBinding(resource_name, opts=None, condition=None, members=None, project=None, role=None, subscription=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for pubsub subscription. Each of these resources serves a different use case:

  • pubsub.SubscriptionIAMPolicy: Authoritative. Sets the IAM policy for the subscription and replaces any existing policy already attached.

  • pubsub.SubscriptionIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the subscription are preserved.

  • pubsub.SubscriptionIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the subscription are preserved.

Note: pubsub.SubscriptionIAMPolicy cannot be used in conjunction with pubsub.SubscriptionIAMBinding and pubsub.SubscriptionIAMMember or they will fight over what your policy should be.

Note: pubsub.SubscriptionIAMBinding resources can be used in conjunction with pubsub.SubscriptionIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
editor = gcp.pubsub.SubscriptionIAMPolicy("editor",
    subscription="your-subscription-name",
    policy_data=admin.policy_data)
import pulumi
import pulumi_gcp as gcp

editor = gcp.pubsub.SubscriptionIAMBinding("editor",
    members=["user:jane@example.com"],
    role="roles/editor",
    subscription="your-subscription-name")
import pulumi
import pulumi_gcp as gcp

editor = gcp.pubsub.SubscriptionIAMMember("editor",
    member="user:jane@example.com",
    role="roles/editor",
    subscription="your-subscription-name")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • project (pulumi.Input[str]) – The project in which the resource belongs. If it is not provided, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.SubscriptionIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • subscription (pulumi.Input[str]) – The subscription name or id to bind to attach IAM policy to.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

etag: pulumi.Output[str] = None

(Computed) The etag of the subscription’s IAM policy.

project: pulumi.Output[str] = None

The project in which the resource belongs. If it is not provided, the provider project is used.

role: pulumi.Output[str] = None

The role that should be applied. Only one pubsub.SubscriptionIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

subscription: pulumi.Output[str] = None

The subscription name or id to bind to attach IAM policy to.

static get(resource_name, id, opts=None, condition=None, etag=None, members=None, project=None, role=None, subscription=None)

Get an existing SubscriptionIAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the subscription’s IAM policy.

  • project (pulumi.Input[str]) – The project in which the resource belongs. If it is not provided, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.SubscriptionIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • subscription (pulumi.Input[str]) – The subscription name or id to bind to attach IAM policy to.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.SubscriptionIAMMember(resource_name, opts=None, condition=None, member=None, project=None, role=None, subscription=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for pubsub subscription. Each of these resources serves a different use case:

  • pubsub.SubscriptionIAMPolicy: Authoritative. Sets the IAM policy for the subscription and replaces any existing policy already attached.

  • pubsub.SubscriptionIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the subscription are preserved.

  • pubsub.SubscriptionIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the subscription are preserved.

Note: pubsub.SubscriptionIAMPolicy cannot be used in conjunction with pubsub.SubscriptionIAMBinding and pubsub.SubscriptionIAMMember or they will fight over what your policy should be.

Note: pubsub.SubscriptionIAMBinding resources can be used in conjunction with pubsub.SubscriptionIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
editor = gcp.pubsub.SubscriptionIAMPolicy("editor",
    subscription="your-subscription-name",
    policy_data=admin.policy_data)
import pulumi
import pulumi_gcp as gcp

editor = gcp.pubsub.SubscriptionIAMBinding("editor",
    members=["user:jane@example.com"],
    role="roles/editor",
    subscription="your-subscription-name")
import pulumi
import pulumi_gcp as gcp

editor = gcp.pubsub.SubscriptionIAMMember("editor",
    member="user:jane@example.com",
    role="roles/editor",
    subscription="your-subscription-name")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • project (pulumi.Input[str]) – The project in which the resource belongs. If it is not provided, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.SubscriptionIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • subscription (pulumi.Input[str]) – The subscription name or id to bind to attach IAM policy to.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

etag: pulumi.Output[str] = None

(Computed) The etag of the subscription’s IAM policy.

project: pulumi.Output[str] = None

The project in which the resource belongs. If it is not provided, the provider project is used.

role: pulumi.Output[str] = None

The role that should be applied. Only one pubsub.SubscriptionIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

subscription: pulumi.Output[str] = None

The subscription name or id to bind to attach IAM policy to.

static get(resource_name, id, opts=None, condition=None, etag=None, member=None, project=None, role=None, subscription=None)

Get an existing SubscriptionIAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the subscription’s IAM policy.

  • project (pulumi.Input[str]) – The project in which the resource belongs. If it is not provided, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.SubscriptionIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • subscription (pulumi.Input[str]) – The subscription name or id to bind to attach IAM policy to.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.SubscriptionIAMPolicy(resource_name, opts=None, policy_data=None, project=None, subscription=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for pubsub subscription. Each of these resources serves a different use case:

  • pubsub.SubscriptionIAMPolicy: Authoritative. Sets the IAM policy for the subscription and replaces any existing policy already attached.

  • pubsub.SubscriptionIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the subscription are preserved.

  • pubsub.SubscriptionIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the subscription are preserved.

Note: pubsub.SubscriptionIAMPolicy cannot be used in conjunction with pubsub.SubscriptionIAMBinding and pubsub.SubscriptionIAMMember or they will fight over what your policy should be.

Note: pubsub.SubscriptionIAMBinding resources can be used in conjunction with pubsub.SubscriptionIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/editor",
    "members": ["user:jane@example.com"],
}])
editor = gcp.pubsub.SubscriptionIAMPolicy("editor",
    subscription="your-subscription-name",
    policy_data=admin.policy_data)
import pulumi
import pulumi_gcp as gcp

editor = gcp.pubsub.SubscriptionIAMBinding("editor",
    members=["user:jane@example.com"],
    role="roles/editor",
    subscription="your-subscription-name")
import pulumi
import pulumi_gcp as gcp

editor = gcp.pubsub.SubscriptionIAMMember("editor",
    member="user:jane@example.com",
    role="roles/editor",
    subscription="your-subscription-name")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

  • project (pulumi.Input[str]) – The project in which the resource belongs. If it is not provided, the provider project is used.

  • subscription (pulumi.Input[str]) – The subscription name or id to bind to attach IAM policy to.

etag: pulumi.Output[str] = None

(Computed) The etag of the subscription’s IAM policy.

policy_data: pulumi.Output[str] = None

The policy data generated by a organizations.getIAMPolicy data source.

project: pulumi.Output[str] = None

The project in which the resource belongs. If it is not provided, the provider project is used.

subscription: pulumi.Output[str] = None

The subscription name or id to bind to attach IAM policy to.

static get(resource_name, id, opts=None, etag=None, policy_data=None, project=None, subscription=None)

Get an existing SubscriptionIAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the subscription’s IAM policy.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

  • project (pulumi.Input[str]) – The project in which the resource belongs. If it is not provided, the provider project is used.

  • subscription (pulumi.Input[str]) – The subscription name or id to bind to attach IAM policy to.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.Topic(resource_name, opts=None, kms_key_name=None, labels=None, message_storage_policy=None, name=None, project=None, __props__=None, __name__=None, __opts__=None)

A named resource to which messages are sent by publishers.

To get more information about Topic, see:

import pulumi
import pulumi_gcp as gcp

example = gcp.pubsub.Topic("example", labels={
    "foo": "bar",
})
import pulumi
import pulumi_gcp as gcp

key_ring = gcp.kms.KeyRing("keyRing", location="global")
crypto_key = gcp.kms.CryptoKey("cryptoKey", key_ring=key_ring.id)
example = gcp.pubsub.Topic("example", kms_key_name=crypto_key.id)
import pulumi
import pulumi_gcp as gcp

example = gcp.pubsub.Topic("example", message_storage_policy={
    "allowedPersistenceRegions": ["europe-west3"],
})
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • kms_key_name (pulumi.Input[str]) – The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. Your project’s PubSub service account (service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com) must have roles/cloudkms.cryptoKeyEncrypterDecrypter to use this feature. The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*

  • labels (pulumi.Input[dict]) – A set of key/value label pairs to assign to this Topic.

  • message_storage_policy (pulumi.Input[dict]) – Policy constraining the set of Google Cloud Platform regions where messages published to the topic may be stored. If not present, then no constraints are in effect. Structure is documented below.

  • name (pulumi.Input[str]) – Name of the topic.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The message_storage_policy object supports the following:

  • allowedPersistenceRegions (pulumi.Input[list]) - A list of IDs of GCP regions where messages that are published to the topic may be persisted in storage. Messages published by publishers running in non-allowed GCP regions (or running outside of GCP altogether) will be routed for storage in one of the allowed regions. An empty list means that no regions are allowed, and is not a valid configuration.

kms_key_name: pulumi.Output[str] = None

The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. Your project’s PubSub service account (service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com) must have roles/cloudkms.cryptoKeyEncrypterDecrypter to use this feature. The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*

labels: pulumi.Output[dict] = None

A set of key/value label pairs to assign to this Topic.

message_storage_policy: pulumi.Output[dict] = None

Policy constraining the set of Google Cloud Platform regions where messages published to the topic may be stored. If not present, then no constraints are in effect. Structure is documented below.

  • allowedPersistenceRegions (list) - A list of IDs of GCP regions where messages that are published to the topic may be persisted in storage. Messages published by publishers running in non-allowed GCP regions (or running outside of GCP altogether) will be routed for storage in one of the allowed regions. An empty list means that no regions are allowed, and is not a valid configuration.

name: pulumi.Output[str] = None

Name of the topic.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

static get(resource_name, id, opts=None, kms_key_name=None, labels=None, message_storage_policy=None, name=None, project=None)

Get an existing Topic resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • kms_key_name (pulumi.Input[str]) – The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. Your project’s PubSub service account (service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com) must have roles/cloudkms.cryptoKeyEncrypterDecrypter to use this feature. The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*

  • labels (pulumi.Input[dict]) – A set of key/value label pairs to assign to this Topic.

  • message_storage_policy (pulumi.Input[dict]) – Policy constraining the set of Google Cloud Platform regions where messages published to the topic may be stored. If not present, then no constraints are in effect. Structure is documented below.

  • name (pulumi.Input[str]) – Name of the topic.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The message_storage_policy object supports the following:

  • allowedPersistenceRegions (pulumi.Input[list]) - A list of IDs of GCP regions where messages that are published to the topic may be persisted in storage. Messages published by publishers running in non-allowed GCP regions (or running outside of GCP altogether) will be routed for storage in one of the allowed regions. An empty list means that no regions are allowed, and is not a valid configuration.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.TopicIAMBinding(resource_name, opts=None, condition=None, members=None, project=None, role=None, topic=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for Cloud Pub/Sub Topic. Each of these resources serves a different use case:

  • pubsub.TopicIAMPolicy: Authoritative. Sets the IAM policy for the topic and replaces any existing policy already attached.

  • pubsub.TopicIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the topic are preserved.

  • pubsub.TopicIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the topic are preserved.

Note: pubsub.TopicIAMPolicy cannot be used in conjunction with pubsub.TopicIAMBinding and pubsub.TopicIAMMember or they will fight over what your policy should be.

Note: pubsub.TopicIAMBinding resources can be used in conjunction with pubsub.TopicIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.pubsub.TopicIAMPolicy("policy",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    policy_data=admin.policy_data)
import pulumi
import pulumi_gcp as gcp

binding = gcp.pubsub.TopicIAMBinding("binding",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])
import pulumi
import pulumi_gcp as gcp

member = gcp.pubsub.TopicIAMMember("member",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    role="roles/viewer",
    member="user:jane@example.com")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.TopicIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • topic (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

etag: pulumi.Output[str] = None

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None

The role that should be applied. Only one pubsub.TopicIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

topic: pulumi.Output[str] = None

Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, condition=None, etag=None, members=None, project=None, role=None, topic=None)

Get an existing TopicIAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.TopicIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • topic (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.TopicIAMMember(resource_name, opts=None, condition=None, member=None, project=None, role=None, topic=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for Cloud Pub/Sub Topic. Each of these resources serves a different use case:

  • pubsub.TopicIAMPolicy: Authoritative. Sets the IAM policy for the topic and replaces any existing policy already attached.

  • pubsub.TopicIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the topic are preserved.

  • pubsub.TopicIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the topic are preserved.

Note: pubsub.TopicIAMPolicy cannot be used in conjunction with pubsub.TopicIAMBinding and pubsub.TopicIAMMember or they will fight over what your policy should be.

Note: pubsub.TopicIAMBinding resources can be used in conjunction with pubsub.TopicIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.pubsub.TopicIAMPolicy("policy",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    policy_data=admin.policy_data)
import pulumi
import pulumi_gcp as gcp

binding = gcp.pubsub.TopicIAMBinding("binding",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])
import pulumi
import pulumi_gcp as gcp

member = gcp.pubsub.TopicIAMMember("member",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    role="roles/viewer",
    member="user:jane@example.com")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.TopicIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • topic (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

etag: pulumi.Output[str] = None

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None

The role that should be applied. Only one pubsub.TopicIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

topic: pulumi.Output[str] = None

Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, condition=None, etag=None, member=None, project=None, role=None, topic=None)

Get an existing TopicIAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one pubsub.TopicIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • topic (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.pubsub.TopicIAMPolicy(resource_name, opts=None, policy_data=None, project=None, topic=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for Cloud Pub/Sub Topic. Each of these resources serves a different use case:

  • pubsub.TopicIAMPolicy: Authoritative. Sets the IAM policy for the topic and replaces any existing policy already attached.

  • pubsub.TopicIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the topic are preserved.

  • pubsub.TopicIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the topic are preserved.

Note: pubsub.TopicIAMPolicy cannot be used in conjunction with pubsub.TopicIAMBinding and pubsub.TopicIAMMember or they will fight over what your policy should be.

Note: pubsub.TopicIAMBinding resources can be used in conjunction with pubsub.TopicIAMMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(binding=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.pubsub.TopicIAMPolicy("policy",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    policy_data=admin.policy_data)
import pulumi
import pulumi_gcp as gcp

binding = gcp.pubsub.TopicIAMBinding("binding",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])
import pulumi
import pulumi_gcp as gcp

member = gcp.pubsub.TopicIAMMember("member",
    project=google_pubsub_topic["example"]["project"],
    topic=google_pubsub_topic["example"]["name"],
    role="roles/viewer",
    member="user:jane@example.com")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • topic (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

etag: pulumi.Output[str] = None

(Computed) The etag of the IAM policy.

policy_data: pulumi.Output[str] = None

The policy data generated by a organizations.getIAMPolicy data source.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

topic: pulumi.Output[str] = None

Used to find the parent resource to bind the IAM policy to

static get(resource_name, id, opts=None, etag=None, policy_data=None, project=None, topic=None)

Get an existing TopicIAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

  • policy_data (pulumi.Input[str]) – The policy data generated by a organizations.getIAMPolicy data source.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • topic (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str