The gcp:healthcare/hl7StoreIamBinding:Hl7StoreIamBinding resource, part of the Pulumi GCP provider, manages IAM access for Healthcare HL7v2 stores by granting roles to members. This resource is in beta and should be used with the terraform-provider-google-beta provider. This guide focuses on two capabilities: granting roles to multiple members and adding individual members to roles.
This resource manages access to existing HL7v2 stores. The examples are intentionally small. Combine them with your own Healthcare datasets and HL7v2 store infrastructure.
Grant a role to multiple members
Teams managing HL7v2 store access often need to grant the same role to multiple users, service accounts, or groups.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const hl7V2Store = new gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store", {
    hl7V2StoreId: "your-hl7-v2-store-id",
    role: "roles/editor",
    members: ["user:jane@example.com"],
});
```
```python
import pulumi
import pulumi_gcp as gcp

hl7_v2_store = gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store",
    hl7_v2_store_id="your-hl7-v2-store-id",
    role="roles/editor",
    members=["user:jane@example.com"])
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewHl7StoreIamBinding(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamBindingArgs{
			Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
			Role:         pulumi.String("roles/editor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamBinding("hl7_v2_store", new()
    {
        Hl7V2StoreId = "your-hl7-v2-store-id",
        Role = "roles/editor",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.healthcare.Hl7StoreIamBinding;
import com.pulumi.gcp.healthcare.Hl7StoreIamBindingArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var hl7V2Store = new Hl7StoreIamBinding("hl7V2Store", Hl7StoreIamBindingArgs.builder()
            .hl7V2StoreId("your-hl7-v2-store-id")
            .role("roles/editor")
            .members("user:jane@example.com")
            .build());
    }
}
```
```yaml
resources:
  hl7V2Store:
    type: gcp:healthcare:Hl7StoreIamBinding
    name: hl7_v2_store
    properties:
      hl7V2StoreId: your-hl7-v2-store-id
      role: roles/editor
      members:
        - user:jane@example.com
```
Hl7StoreIamBinding is authoritative for the specified role: it replaces all members for that role while preserving other roles in the policy. The hl7V2StoreId identifies the store, role specifies the IAM role to grant, and members lists all identities that should have that role. Member identities can be users, service accounts, groups, domains, or the special identifiers allUsers and allAuthenticatedUsers.
Add a single member to a role
When you need to grant access to one additional user without affecting other members, Hl7StoreIamMember provides non-authoritative access management.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const hl7V2Store = new gcp.healthcare.Hl7StoreIamMember("hl7_v2_store", {
    hl7V2StoreId: "your-hl7-v2-store-id",
    role: "roles/editor",
    member: "user:jane@example.com",
});
```
```python
import pulumi
import pulumi_gcp as gcp

hl7_v2_store = gcp.healthcare.Hl7StoreIamMember("hl7_v2_store",
    hl7_v2_store_id="your-hl7-v2-store-id",
    role="roles/editor",
    member="user:jane@example.com")
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewHl7StoreIamMember(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamMemberArgs{
			Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
			Role:         pulumi.String("roles/editor"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamMember("hl7_v2_store", new()
    {
        Hl7V2StoreId = "your-hl7-v2-store-id",
        Role = "roles/editor",
        Member = "user:jane@example.com",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.healthcare.Hl7StoreIamMember;
import com.pulumi.gcp.healthcare.Hl7StoreIamMemberArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var hl7V2Store = new Hl7StoreIamMember("hl7V2Store", Hl7StoreIamMemberArgs.builder()
            .hl7V2StoreId("your-hl7-v2-store-id")
            .role("roles/editor")
            .member("user:jane@example.com")
            .build());
    }
}
```
```yaml
resources:
  hl7V2Store:
    type: gcp:healthcare:Hl7StoreIamMember
    name: hl7_v2_store
    properties:
      hl7V2StoreId: your-hl7-v2-store-id
      role: roles/editor
      member: user:jane@example.com
```
Unlike Hl7StoreIamBinding, Hl7StoreIamMember is non-authoritative: it adds a single member to a role without replacing existing members. Use member (singular) instead of members (plural) to specify one identity. Multiple Hl7StoreIamMember resources can grant the same role to different members, and they can be used alongside Hl7StoreIamBinding resources as long as they don’t manage the same role.
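The authoritative versus non-authoritative behaviour described in the two notes above, as an added TypeScript example that is not part of the Pulumi docs or provider: it models a store's IAM policy as a plain object, applies each resource's semantics to a constructed starting policy, and flags the case the text rules out, a Binding and a Member managing the same role. The `Policy` shape and the `IamResource` type are assumptions made for the illustration.

```typescript
// Added example (not from the Pulumi docs): a minimal model of how the two
// resources change a store's IAM policy. Shape assumed for illustration.
type Policy = { [role: string]: string[] }; // role -> members holding it

// Hl7StoreIamBinding semantics: authoritative for one role. The role's member
// list becomes exactly `members`; every other role is left untouched.
function applyBinding(policy: Policy, role: string, members: string[]): Policy {
    const next: Policy = { ...policy };
    next[role] = members.slice();
    return next;
}

// Hl7StoreIamMember semantics: non-authoritative. One identity is added to the
// role and the members already holding it are preserved.
function applyMember(policy: Policy, role: string, member: string): Policy {
    const current = policy[role] || [];
    const next: Policy = { ...policy };
    next[role] = current.indexOf(member) >= 0 ? current.slice() : current.concat(member);
    return next;
}

// A declared IAM resource in a program (constructed shape, not the SDK's).
type IamResource =
    | { kind: "binding"; role: string; members: string[] }
    | { kind: "member"; role: string; member: string };

// Roles claimed by both a Binding and a Member. The page's rule is that the two
// may coexist only on different roles: on a shared role the authoritative
// Binding and the additive Member disagree about the member list.
function conflictingRoles(resources: IamResource[]): string[] {
    const kindsByRole: { [role: string]: string[] } = {};
    for (const r of resources) {
        const kinds = kindsByRole[r.role] || [];
        if (kinds.indexOf(r.kind) < 0) kinds.push(r.kind);
        kindsByRole[r.role] = kinds;
    }
    return Object.keys(kindsByRole).filter((role) => kindsByRole[role].length > 1);
}

// Constructed starting policy: the store already has two editors and a viewer.
const existing: Policy = {
    "roles/editor": ["user:alice@example.com", "user:bob@example.com"],
    "roles/viewer": ["group:auditors@example.com"],
};
// A Binding with the page's member list removes Alice and Bob from
// roles/editor; a Member with the same identity keeps them.
const afterBinding = applyBinding(existing, "roles/editor", ["user:jane@example.com"]);
const afterMember = applyMember(existing, "roles/editor", "user:jane@example.com");
```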
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and member and binding management. They’re intentionally minimal rather than full access control policies.
The examples reference pre-existing infrastructure such as HL7v2 stores in Healthcare datasets. They focus on configuring access rather than provisioning the stores themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (Hl7StoreIamPolicy)
- Custom role definitions
- Cross-project or organization-level roles
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the Hl7StoreIamBinding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Compatibility
Which IAM resource should I use?
Use Hl7StoreIamPolicy for full policy control (it replaces the entire policy), Hl7StoreIamBinding for managing all members of a specific role, or Hl7StoreIamMember for adding individual members without affecting others.
Can these resources be combined?
Hl7StoreIamPolicy cannot be used together with Hl7StoreIamBinding or Hl7StoreIamMember, because they will conflict over the policy configuration.
Configuration & Formats
How are custom roles specified?
Custom roles use the format [projects|organizations]/{parent-name}/roles/{role-name}. This applies both when setting the role property and when importing resources.
Which member formats are accepted?
allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, or domain:{domain}.
What format does hl7V2StoreId take?
Either {project_id}/{location_name}/{dataset_name}/{hl7_v2_store_name} or {location_name}/{dataset_name}/{hl7_v2_store_name}. In the shorter form, the provider's project setting is used as a fallback.
Immutability & Lifecycle
Which properties are immutable?
The hl7V2StoreId, role, and condition properties are immutable and require resource replacement if changed.
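An added example, not from the Pulumi docs or provider: TypeScript checks for the formats the FAQ lists (member identifiers, custom role names, and the two hl7V2StoreId forms) that a team can run over planned bindings before deploying, plus one review rule that flags the public principals allUsers and allAuthenticatedUsers on a store holding patient data. The regular expressions and the `reviewBinding` helper approximate the documented formats and are not the provider's own validation.

```typescript
// Added example (not from the Pulumi docs): pre-deployment checks for the
// formats the FAQ documents. The patterns approximate those formats.
const MEMBER_RE = new RegExp(
    "^(allUsers|allAuthenticatedUsers|(user|serviceAccount|group):[^\\s:]+@[^\\s:]+|domain:[^\\s:]+)$"
);

// One member entry: allUsers, allAuthenticatedUsers, user:{emailid},
// serviceAccount:{emailid}, group:{emailid}, or domain:{domain}.
function isValidMember(member: string): boolean {
    return MEMBER_RE.test(member);
}

// Predefined roles are roles/{name}; custom roles must be written as
// [projects|organizations]/{parent-name}/roles/{role-name}.
const ROLE_RE = /^(roles\/[A-Za-z0-9._]+|(projects|organizations)\/[^\/\s]+\/roles\/[A-Za-z0-9._]+)$/;

function isValidRole(role: string): boolean {
    return ROLE_RE.test(role);
}

type StoreRef = { project: string | null; location: string; dataset: string; store: string };

// hl7V2StoreId is {project_id}/{location_name}/{dataset_name}/{hl7_v2_store_name}
// or the short form without the project, where the provider's project applies
// (returned here as null). Anything else is rejected.
function parseStoreId(id: string): StoreRef | null {
    const p = id.split("/");
    if (p.some((part) => part.length === 0)) return null;
    if (p.length === 4) return { project: p[0], location: p[1], dataset: p[2], store: p[3] };
    if (p.length === 3) return { project: null, location: p[0], dataset: p[1], store: p[2] };
    return null;
}

// Review rule for one Hl7StoreIamBinding: report malformed values, and flag the
// two public principals, which would open a store of patient data to everyone
// (or to every Google account) and should never pass review unnoticed.
function reviewBinding(storeId: string, role: string, members: string[]): string[] {
    const problems: string[] = [];
    if (parseStoreId(storeId) === null) problems.push(`malformed hl7V2StoreId: ${storeId}`);
    if (!isValidRole(role)) problems.push(`malformed role: ${role}`);
    for (const m of members) {
        if (!isValidMember(m)) problems.push(`malformed member: ${m}`);
        else if (m === "allUsers" || m === "allAuthenticatedUsers") problems.push(`public principal: ${m}`);
    }
    return problems;
}
```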