The gcp:healthcare/hl7StoreIamPolicy:Hl7StoreIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Healthcare HL7v2 stores, controlling who can access and modify HL7 message data. This guide focuses on three capabilities: authoritative policy replacement, role-based member grants, and incremental member additions.
IAM resources for HL7v2 stores reference an existing store by ID and grant access to IAM principals. The examples are intentionally small. Combine them with your own HL7v2 store infrastructure and IAM principals. Note that this resource is in beta and requires the terraform-provider-google-beta provider.
Replace the entire IAM policy with a new definition
When you need complete control over who can access an HL7v2 store, you can replace the entire IAM policy in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/editor",
members: ["user:jane@example.com"],
}],
});
const hl7V2Store = new gcp.healthcare.Hl7StoreIamPolicy("hl7_v2_store", {
hl7V2StoreId: "your-hl7-v2-store-id",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/editor",
"members": ["user:jane@example.com"],
}])
hl7_v2_store = gcp.healthcare.Hl7StoreIamPolicy("hl7_v2_store",
hl7_v2_store_id="your-hl7-v2-store-id",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/editor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = healthcare.NewHl7StoreIamPolicy(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamPolicyArgs{
Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamPolicy("hl7_v2_store", new()
{
Hl7V2StoreId = "your-hl7-v2-store-id",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.healthcare.Hl7StoreIamPolicy;
import com.pulumi.gcp.healthcare.Hl7StoreIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/editor")
.members("user:jane@example.com")
.build())
.build());
var hl7V2Store = new Hl7StoreIamPolicy("hl7V2Store", Hl7StoreIamPolicyArgs.builder()
.hl7V2StoreId("your-hl7-v2-store-id")
.policyData(admin.policyData())
.build());
}
}
resources:
hl7V2Store:
type: gcp:healthcare:Hl7StoreIamPolicy
name: hl7_v2_store
properties:
hl7V2StoreId: your-hl7-v2-store-id
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/editor
members:
- user:jane@example.com
The Hl7StoreIamPolicy resource is authoritative: it replaces any existing policy with the new definition from policyData. The getIAMPolicy data source generates the policy structure with bindings that map roles to members. This approach removes any bindings not included in the new policy, making it useful for establishing a clean baseline.
Grant a role to multiple members at once
Teams often need to grant the same role to several users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const hl7V2Store = new gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store", {
hl7V2StoreId: "your-hl7-v2-store-id",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
hl7_v2_store = gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store",
hl7_v2_store_id="your-hl7-v2-store-id",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewHl7StoreIamBinding(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamBindingArgs{
Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamBinding("hl7_v2_store", new()
{
Hl7V2StoreId = "your-hl7-v2-store-id",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.Hl7StoreIamBinding;
import com.pulumi.gcp.healthcare.Hl7StoreIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var hl7V2Store = new Hl7StoreIamBinding("hl7V2Store", Hl7StoreIamBindingArgs.builder()
.hl7V2StoreId("your-hl7-v2-store-id")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
hl7V2Store:
type: gcp:healthcare:Hl7StoreIamBinding
name: hl7_v2_store
properties:
hl7V2StoreId: your-hl7-v2-store-id
role: roles/editor
members:
- user:jane@example.com
The Hl7StoreIamBinding resource grants one role to a list of members. It’s authoritative for that specific role, replacing all existing members for roles/editor, but preserves other roles in the policy. This resource cannot be used with Hl7StoreIamPolicy (they conflict), but can coexist with Hl7StoreIamMember as long as they don’t manage the same role.
Add a single member to a role incrementally
When granting access to individual users, you often want to add them without disturbing existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const hl7V2Store = new gcp.healthcare.Hl7StoreIamMember("hl7_v2_store", {
hl7V2StoreId: "your-hl7-v2-store-id",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
hl7_v2_store = gcp.healthcare.Hl7StoreIamMember("hl7_v2_store",
hl7_v2_store_id="your-hl7-v2-store-id",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewHl7StoreIamMember(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamMemberArgs{
Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamMember("hl7_v2_store", new()
{
Hl7V2StoreId = "your-hl7-v2-store-id",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.Hl7StoreIamMember;
import com.pulumi.gcp.healthcare.Hl7StoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var hl7V2Store = new Hl7StoreIamMember("hl7V2Store", Hl7StoreIamMemberArgs.builder()
.hl7V2StoreId("your-hl7-v2-store-id")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
hl7V2Store:
type: gcp:healthcare:Hl7StoreIamMember
name: hl7_v2_store
properties:
hl7V2StoreId: your-hl7-v2-store-id
role: roles/editor
member: user:jane@example.com
The Hl7StoreIamMember resource is non-authoritative: it adds one member to one role without affecting other members who already have that role. Use member (singular) instead of members (plural) to specify the principal. This resource can coexist with Hl7StoreIamBinding as long as they manage different roles.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, and policy replacement and role-based grants. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as HL7v2 stores (by ID) and IAM principals (users, service accounts, groups). They focus on configuring IAM bindings rather than provisioning the underlying healthcare infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Custom roles and role definitions
- IAM policy etag handling for concurrent updates
- Combining Binding and Member resources safely
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the HL7 Store IAM Policy resource reference for all available configuration options.
Let's manage GCP Healthcare HL7 Store IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Hl7StoreIamPolicy is authoritative and replaces the entire IAM policy. Hl7StoreIamBinding is authoritative for a specific role, preserving other roles. Hl7StoreIamMember is non-authoritative, adding individual members without affecting other members for the same role.Hl7StoreIamPolicy with Hl7StoreIamBinding or Hl7StoreIamMember, as they will conflict. You can use Hl7StoreIamBinding and Hl7StoreIamMember together only if they manage different roles.Configuration & Setup
{location_name}/{dataset_name}/{hl7_v2_store_name}, and the provider’s project setting will be used as a fallback.Policy Management
gcp.organizations.getIAMPolicy data source with your desired bindings, then pass its policyData output to the Hl7StoreIamPolicy resource.