The gcp:folder/iamAuditConfig:IamAuditConfig resource, part of the Pulumi GCP provider, configures Cloud Audit Logs for a GCP folder, controlling which API operations are logged and which members are exempt from logging. This guide focuses on three capabilities: enabling audit logging across all services, configuring log types, and exempting specific members.
Audit configs apply to existing folders in your organization hierarchy and send logs to Cloud Logging. The example is intentionally small. Combine it with your own folder structure and log analysis tools.
Enable audit logging for all services
Organizations tracking compliance or investigating security incidents need visibility into who accessed what resources and when.
TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const folder = new gcp.folder.IamAuditConfig("folder", {
    folder: "folders/1234567",
    service: "allServices",
    auditLogConfigs: [
        {
            logType: "ADMIN_READ",
        },
        {
            logType: "DATA_READ",
            exemptedMembers: ["user:joebloggs@example.com"],
        },
    ],
});
Python
import pulumi
import pulumi_gcp as gcp

folder = gcp.folder.IamAuditConfig("folder",
    folder="folders/1234567",
    service="allServices",
    audit_log_configs=[
        {
            "log_type": "ADMIN_READ",
        },
        {
            "log_type": "DATA_READ",
            "exempted_members": ["user:joebloggs@example.com"],
        },
    ])
Go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := folder.NewIamAuditConfig(ctx, "folder", &folder.IamAuditConfigArgs{
			Folder:  pulumi.String("folders/1234567"),
			Service: pulumi.String("allServices"),
			AuditLogConfigs: folder.IamAuditConfigAuditLogConfigArray{
				&folder.IamAuditConfigAuditLogConfigArgs{
					LogType: pulumi.String("ADMIN_READ"),
				},
				&folder.IamAuditConfigAuditLogConfigArgs{
					LogType: pulumi.String("DATA_READ"),
					ExemptedMembers: pulumi.StringArray{
						pulumi.String("user:joebloggs@example.com"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
C#
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var folder = new Gcp.Folder.IamAuditConfig("folder", new()
    {
        Folder = "folders/1234567",
        Service = "allServices",
        AuditLogConfigs = new[]
        {
            new Gcp.Folder.Inputs.IamAuditConfigAuditLogConfigArgs
            {
                LogType = "ADMIN_READ",
            },
            new Gcp.Folder.Inputs.IamAuditConfigAuditLogConfigArgs
            {
                LogType = "DATA_READ",
                ExemptedMembers = new[]
                {
                    "user:joebloggs@example.com",
                },
            },
        },
    });
});
Java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.IamAuditConfig;
import com.pulumi.gcp.folder.IamAuditConfigArgs;
import com.pulumi.gcp.folder.inputs.IamAuditConfigAuditLogConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var folder = new IamAuditConfig("folder", IamAuditConfigArgs.builder()
            .folder("folders/1234567")
            .service("allServices")
            .auditLogConfigs(
                IamAuditConfigAuditLogConfigArgs.builder()
                    .logType("ADMIN_READ")
                    .build(),
                IamAuditConfigAuditLogConfigArgs.builder()
                    .logType("DATA_READ")
                    .exemptedMembers("user:joebloggs@example.com")
                    .build())
            .build());
    }
}
YAML
resources:
  folder:
    type: gcp:folder:IamAuditConfig
    properties:
      folder: folders/1234567
      service: allServices
      auditLogConfigs:
        - logType: ADMIN_READ
        - logType: DATA_READ
          exemptedMembers:
            - user:joebloggs@example.com
The service property determines which GCP services generate audit logs; setting it to “allServices” captures activity across all APIs. The auditLogConfigs array defines which operation types to log: ADMIN_READ captures administrative read operations, such as reading a resource’s configuration or IAM policy, while DATA_READ logs data access operations like reading files. Administrative writes such as creating or deleting resources are recorded by Admin Activity audit logs, which are always on and are not controlled by this resource. The exemptedMembers list excludes specific users or service accounts from logging, useful for high-volume automated processes that would generate excessive log entries. Each exemption is a deliberate blind spot: an exempted identity’s operations of that log type leave no audit trail, so keep the list short and review it regularly.
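The following TypeScript is an added example, not code from the page or the Pulumi GCP provider. It models how GCP combines an allServices audit config with a service-specific one (the union rule noted in the FAQ below) and lints the effective result for missing log types and exemptions; the service names, the backup service account and the requirement that DATA_WRITE be enabled are constructed for the example.

```typescript
// Added example, not part of the Pulumi GCP provider: models the rule from the
// resource FAQ that an "allServices" audit config and a service-specific one
// are combined as a union, then lints the result for coverage and blind spots.
type LogType = "ADMIN_READ" | "DATA_READ" | "DATA_WRITE";

interface AuditLogConfig { logType: LogType; exemptedMembers?: string[]; }
// Mirrors the inputs of gcp.folder.IamAuditConfig: one service and its log configs.
interface AuditConfig { service: string; auditLogConfigs: AuditLogConfig[]; }

// Effective config for one service: every log type enabled by either the
// allServices config or the service's own config, with the exempted members
// of both merged per log type (sorted for stable output).
function effectiveConfig(configs: AuditConfig[], service: string): Map<LogType, string[]> {
  const merged = new Map<LogType, Set<string>>();
  configs
    .filter((c) => c.service === "allServices" || c.service === service)
    .forEach((c) =>
      c.auditLogConfigs.forEach((alc) => {
        const members = merged.get(alc.logType) ?? new Set<string>();
        (alc.exemptedMembers ?? []).forEach((m) => members.add(m));
        merged.set(alc.logType, members);
      }),
    );
  const out = new Map<LogType, string[]>();
  merged.forEach((s, t) => out.set(t, Array.from(s).sort()));
  return out;
}

// Lint: each required Data Access log type must be on for each service, and
// every exemption is reported, since an exempted identity leaves no audit trail.
function lint(configs: AuditConfig[], services: string[], required: LogType[]): string[] {
  const findings: string[] = [];
  for (const svc of services) {
    const eff = effectiveConfig(configs, svc);
    required.filter((t) => !eff.has(t)).forEach((t) => findings.push(`${svc}: ${t} not enabled`));
    eff.forEach((members, t) =>
      members.forEach((m) => findings.push(`${svc}: ${m} exempt from ${t}`)),
    );
  }
  return findings;
}

// Constructed sample: the page's allServices config plus a hypothetical stricter
// config for Cloud Storage that adds DATA_WRITE and a second exemption.
const sampleConfigs: AuditConfig[] = [
  { service: "allServices", auditLogConfigs: [
      { logType: "ADMIN_READ" },
      { logType: "DATA_READ", exemptedMembers: ["user:joebloggs@example.com"] } ] },
  { service: "storage.googleapis.com", auditLogConfigs: [
      { logType: "DATA_WRITE" },
      { logType: "DATA_READ", exemptedMembers: ["serviceAccount:backup@example.iam.gserviceaccount.com"] } ] },
];
```

Running lint(sampleConfigs, ["compute.googleapis.com", "storage.googleapis.com"], ["ADMIN_READ", "DATA_READ", "DATA_WRITE"]) reports that Compute lacks DATA_WRITE and lists every exemption per service, which is the review a practitioner wants before the config is applied.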
Beyond these examples
This snippet focuses on audit log configuration: log type selection, service scope, and member exemptions. It’s intentionally minimal rather than a full compliance monitoring solution.
The example references pre-existing infrastructure such as GCP folders in the organization hierarchy and Cloud Logging for receiving audit logs. It focuses on configuring audit logging rather than provisioning the folder hierarchy or log analysis infrastructure.
To keep things focused, common audit logging patterns are omitted, including:
- IAM policy management (IAMPolicy, IAMBinding, IAMMember resources)
- Service-specific audit configs (using specific service names vs allServices)
- DATA_WRITE and other log types
- Conditional audit logging based on resource attributes
These omissions are intentional: the goal is to illustrate how audit logging is wired, not provide drop-in compliance modules. See the Folder IamAuditConfig resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
gcp.folder.IAMPolicy cannot be used with IAMBinding, IAMMember, or IamAuditConfig as they will conflict. However, IAMBinding and IAMMember can be used together if they don’t grant privilege to the same role.
IAMPolicy removes access from anyone without parent folder/organization permissions, potentially locking you out. It’s recommended to import the existing policy before applying changes and avoid using it with your provider folder.
Configuration & Setup
allServices covers all services. When both allServices and specific service configs exist, their union is used: all log_types are enabled, and all exempted_members are exempted.
Log types are set in auditLogConfigs with logType values like ADMIN_READ and DATA_READ. You can specify multiple log types and optionally add exemptedMembers for each.
The folder property takes the form folders/{folder_id}, for example folders/1234567.
Advanced Features
To exclude a member from one log type, add exemptedMembers to the auditLogConfig for that log type, such as exemptedMembers: ["user:joebloggs@example.com"] for DATA_READ logs.
Operations & Lifecycle
The folder property is immutable and cannot be changed after creation.
The import ID has the form folder/{{folder_id}} foo.googleapis.com, where foo.googleapis.com is the service name, for example: pulumi import gcp:folder/iamAuditConfig:IamAuditConfig default "folder/{{folder_id}} foo.googleapis.com".