gcp.iam.DenyPolicy

    Represents an IAM deny policy: a set of deny rules attached to a resource (the `parent`) that prevent the listed principals from using the listed permissions on that resource and everything below it. Deny rules are evaluated before allow policies, so a permission granted by a role binding is still blocked if a deny rule matches the request.

    To get more information about DenyPolicy, see the Google Cloud IAM documentation on deny policies and the IAM v2 `policies` API reference.

    Example Usage

    Iam Deny Policy Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";

    // Placeholder identifiers (org id, billing account, tag key id 12345678): replace before use.
    const projectId = "my-project";
    // Every principal, authenticated or not; the deny applies to all of them unless a
    // principal is carved out via exceptionPrincipals.
    const allPrincipals = "principalSet://goog/public:all";
    // The deny is lifted only on resources tagged env=test. Anyone who can bind that tag
    // can therefore disable the deny, so tag-binding permissions on this key need the
    // same scrutiny as the denied permission itself.
    const outsideTestEnv = {
        title: "Some expr",
        expression: "!resource.matchTag('12345678/env', 'test')",
    };
    const deniedPermissions = ["cloudresourcemanager.googleapis.com/projects.update"];

    const project = new gcp.organizations.Project("project", {
        projectId,
        name: projectId,
        orgId: "123456789",
        billingAccount: "000000-0000000-0000000-000000",
    });
    const testAccount = new gcp.serviceaccount.Account("test-account", {
        accountId: "svc-acc",
        displayName: "Test Service Account",
        project: project.projectId,
    });
    // The attachment point must be the URL-encoded full resource name of the project.
    const parent = std
        .urlencodeOutput({
            input: project.projectId.apply((id) => `cloudresourcemanager.googleapis.com/projects/${id}`),
        })
        .apply((invoke) => invoke.result);
    const example = new gcp.iam.DenyPolicy("example", {
        parent,
        name: "my-deny-policy",
        displayName: "A deny rule",
        rules: [
            {
                description: "First rule",
                denyRule: {
                    deniedPrincipals: [allPrincipals],
                    denialCondition: outsideTestEnv,
                    deniedPermissions,
                },
            },
            {
                description: "Second rule",
                denyRule: {
                    deniedPrincipals: [allPrincipals],
                    denialCondition: outsideTestEnv,
                    deniedPermissions,
                    // NOTE(review): a request is denied if *any* rule in the policy matches it,
                    // so this exception does not actually exempt the service account: the first
                    // rule has no exception and still denies it. Exempt the account from every
                    // covering rule (or drop the first rule) if the carve-out is intended.
                    // `projects/-/` is the documented wildcard for the account's home project.
                    exceptionPrincipals: [pulumi.interpolate`principal://iam.googleapis.com/projects/-/serviceAccounts/${testAccount.email}`],
                },
            },
        ],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std

    # Placeholder identifiers (org id, billing account, tag key id 12345678): replace before use.
    PROJECT_ID = "my-project"
    # Every principal, authenticated or not.
    ALL_PRINCIPALS = "principalSet://goog/public:all"
    DENIED_PERMISSIONS = ["cloudresourcemanager.googleapis.com/projects.update"]


    def _outside_test_env() -> gcp.iam.DenyPolicyRuleDenyRuleDenialConditionArgs:
        """Condition that lifts the deny only on resources tagged env=test.

        Anyone who can bind that tag can disable the deny, so the tag-binding
        permissions on this key deserve the same scrutiny as projects.update.
        """
        return gcp.iam.DenyPolicyRuleDenyRuleDenialConditionArgs(
            title="Some expr",
            expression="!resource.matchTag('12345678/env', 'test')",
        )


    def _deny_rule(description: str, exception_principals=None) -> gcp.iam.DenyPolicyRuleArgs:
        """Build one rule denying projects.update to everyone outside test resources.

        ``exception_principals`` (optional) is the list of principal identifiers
        excluded from *this* rule only.
        """
        return gcp.iam.DenyPolicyRuleArgs(
            description=description,
            deny_rule=gcp.iam.DenyPolicyRuleDenyRuleArgs(
                denied_principals=[ALL_PRINCIPALS],
                denial_condition=_outside_test_env(),
                denied_permissions=DENIED_PERMISSIONS,
                exception_principals=exception_principals,
            ),
        )


    project = gcp.organizations.Project("project",
        project_id=PROJECT_ID,
        name=PROJECT_ID,
        org_id="123456789",
        billing_account="000000-0000000-0000000-000000")
    svc_account = gcp.serviceaccount.Account("test-account",
        account_id="svc-acc",
        display_name="Test Service Account",
        project=project.project_id)
    # The attachment point must be the URL-encoded full resource name of the project.
    parent = std.urlencode_output(
        input=pulumi.Output.format("cloudresourcemanager.googleapis.com/projects/{0}", project.project_id),
    ).apply(lambda invoke: invoke.result)
    # `projects/-/` is the documented wildcard for the account's home project.
    svc_principal = pulumi.Output.format(
        "principal://iam.googleapis.com/projects/-/serviceAccounts/{0}", svc_account.email)
    example = gcp.iam.DenyPolicy("example",
        parent=parent,
        name="my-deny-policy",
        display_name="A deny rule",
        rules=[
            _deny_rule("First rule"),
            # NOTE(review): a request is denied if *any* rule matches it, so this exception
            # does not actually exempt the service account -- the first rule still denies it.
            # Exempt it from every covering rule (or drop the first rule) if that is intended.
            _deny_rule("Second rule", exception_principals=[svc_principal]),
        ])
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
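    // main creates a project, a service account and an IAM deny policy attached to
    // the project. Placeholder identifiers (org id, billing account, tag key id
    // 12345678) must be replaced before use.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
    			ProjectId:      pulumi.String("my-project"),
    			Name:           pulumi.String("my-project"),
    			OrgId:          pulumi.String("123456789"),
    			BillingAccount: pulumi.String("000000-0000000-0000000-000000"),
    		})
    		if err != nil {
    			return err
    		}
    		// Keep the handle: it is needed for the exception principal below (the
    		// original discarded it with `_` and then referenced an undefined name).
    		testAccount, err := serviceaccount.NewAccount(ctx, "test-account", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("svc-acc"),
    			DisplayName: pulumi.String("Test Service Account"),
    			Project:     project.ProjectId,
    		})
    		if err != nil {
    			return err
    		}
    		// Every principal, authenticated or not.
    		allPrincipals := pulumi.StringArray{pulumi.String("principalSet://goog/public:all")}
    		deniedPermissions := pulumi.StringArray{pulumi.String("cloudresourcemanager.googleapis.com/projects.update")}
    		// The deny is lifted only on resources tagged env=test. Anyone who can bind
    		// that tag can disable the deny, so tag-binding permissions on this key need
    		// the same scrutiny as the denied permission itself.
    		outsideTestEnv := &iam.DenyPolicyRuleDenyRuleDenialConditionArgs{
    			Title:      pulumi.String("Some expr"),
    			Expression: pulumi.String("!resource.matchTag('12345678/env', 'test')"),
    		}
    		// The attachment point must be the URL-encoded full resource name of the project.
    		parent := std.UrlencodeOutput(ctx, std.UrlencodeOutputArgs{
    			Input: project.ProjectId.ApplyT(func(projectId string) (string, error) {
    				return fmt.Sprintf("cloudresourcemanager.googleapis.com/projects/%v", projectId), nil
    			}).(pulumi.StringOutput),
    		}, nil).ApplyT(func(invoke std.UrlencodeResult) (*string, error) {
    			return invoke.Result, nil
    		}).(pulumi.StringPtrOutput)
    		_, err = iam.NewDenyPolicy(ctx, "example", &iam.DenyPolicyArgs{
    			Parent:      parent,
    			Name:        pulumi.String("my-deny-policy"),
    			DisplayName: pulumi.String("A deny rule"),
    			Rules: iam.DenyPolicyRuleArray{
    				&iam.DenyPolicyRuleArgs{
    					Description: pulumi.String("First rule"),
    					DenyRule: &iam.DenyPolicyRuleDenyRuleArgs{
    						DeniedPrincipals:  allPrincipals,
    						DenialCondition:   outsideTestEnv,
    						DeniedPermissions: deniedPermissions,
    					},
    				},
    				&iam.DenyPolicyRuleArgs{
    					Description: pulumi.String("Second rule"),
    					DenyRule: &iam.DenyPolicyRuleDenyRuleArgs{
    						DeniedPrincipals:  allPrincipals,
    						DenialCondition:   outsideTestEnv,
    						DeniedPermissions: deniedPermissions,
    						// NOTE(review): a request is denied if *any* rule matches it, so this
    						// exception does not actually exempt the service account -- the first
    						// rule still denies it. Exempt it from every covering rule (or drop the
    						// first rule) if the carve-out is intended. `projects/-/` is the
    						// documented wildcard for the account's home project.
    						ExceptionPrincipals: pulumi.StringArray{
    							testAccount.Email.ApplyT(func(email string) (string, error) {
    								return fmt.Sprintf("principal://iam.googleapis.com/projects/-/serviceAccounts/%v", email), nil
    							}).(pulumi.StringOutput),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }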
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;

    return await Deployment.RunAsync(() =>
    {
        // Placeholder identifiers (org id, billing account, tag key id 12345678): replace before use.
        const string projectId = "my-project";
        // Every principal, authenticated or not.
        const string allPrincipals = "principalSet://goog/public:all";
        var deniedPermissions = new[] { "cloudresourcemanager.googleapis.com/projects.update" };

        var project = new Gcp.Organizations.Project("project", new()
        {
            ProjectId = projectId,
            Name = projectId,
            OrgId = "123456789",
            BillingAccount = "000000-0000000-0000000-000000",
        });

        var testAccount = new Gcp.ServiceAccount.Account("test-account", new()
        {
            AccountId = "svc-acc",
            DisplayName = "Test Service Account",
            Project = project.ProjectId,
        });

        // The deny is lifted only on resources tagged env=test. Anyone who can bind that tag
        // can disable the deny, so tag-binding permissions on this key need the same scrutiny
        // as the denied permission itself.
        Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleDenialConditionArgs OutsideTestEnv() => new()
        {
            Title = "Some expr",
            Expression = "!resource.matchTag('12345678/env', 'test')",
        };

        // One rule denying projects.update to everyone outside test resources; `exceptions`
        // lists the principals excluded from *this* rule only.
        Gcp.Iam.Inputs.DenyPolicyRuleArgs DenyRule(string description, Output<string>[]? exceptions = null)
        {
            var rule = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleArgs
            {
                DeniedPrincipals = new[] { allPrincipals },
                DenialCondition = OutsideTestEnv(),
                DeniedPermissions = deniedPermissions,
            };
            if (exceptions is not null)
            {
                rule.ExceptionPrincipals = exceptions;
            }
            return new() { Description = description, DenyRule = rule };
        }

        // The attachment point must be the URL-encoded full resource name of the project.
        var parent = Std.Urlencode.Invoke(new()
        {
            Input = Output.Format($"cloudresourcemanager.googleapis.com/projects/{project.ProjectId}"),
        }).Apply(invoke => invoke.Result);

        // `projects/-/` is the documented wildcard for the account's home project.
        var svcPrincipal = Output.Format($"principal://iam.googleapis.com/projects/-/serviceAccounts/{testAccount.Email}");

        var example = new Gcp.Iam.DenyPolicy("example", new()
        {
            Parent = parent,
            Name = "my-deny-policy",
            DisplayName = "A deny rule",
            Rules = new[]
            {
                DenyRule("First rule"),
                // NOTE(review): a request is denied if *any* rule matches it, so this exception
                // does not actually exempt the service account -- the first rule still denies it.
                // Exempt it from every covering rule (or drop the first rule) if that is intended.
                DenyRule("Second rule", new[] { svcPrincipal }),
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.iam.DenyPolicy;
    import com.pulumi.gcp.iam.DenyPolicyArgs;
    import com.pulumi.gcp.iam.inputs.DenyPolicyRuleArgs;
    import com.pulumi.gcp.iam.inputs.DenyPolicyRuleDenyRuleArgs;
    import com.pulumi.gcp.iam.inputs.DenyPolicyRuleDenyRuleDenialConditionArgs;
    import com.pulumi.std.StdFunctions;
    import com.pulumi.std.inputs.UrlencodeArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
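    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Creates a project, a service account and an IAM deny policy attached to the project.
         * Placeholder identifiers (org id, billing account, tag key id 12345678) must be replaced.
         */
        public static void stack(Context ctx) {
            var project = new Project("project", ProjectArgs.builder()
                .projectId("my-project")
                .name("my-project")
                .orgId("123456789")
                .billingAccount("000000-0000000-0000000-000000")
                .build());

            var testAccount = new Account("test-account", AccountArgs.builder()
                .accountId("svc-acc")
                .displayName("Test Service Account")
                .project(project.projectId())
                .build());

            // Every principal, authenticated or not.
            var allPrincipals = "principalSet://goog/public:all";
            var deniedPermission = "cloudresourcemanager.googleapis.com/projects.update";

            // The deny is lifted only on resources tagged env=test. Anyone who can bind that tag
            // can disable the deny, so tag-binding permissions on this key need the same
            // scrutiny as the denied permission itself.
            var outsideTestEnv = DenyPolicyRuleDenyRuleDenialConditionArgs.builder()
                .title("Some expr")
                .expression("!resource.matchTag('12345678/env', 'test')")
                .build();

            // The attachment point must be the URL-encoded full resource name of the project.
            // The original called StdFunctions.urlencode() with no input, which cannot compile.
            var parent = StdFunctions.urlencode(UrlencodeArgs.builder()
                    .input(project.projectId().applyValue(id ->
                        String.format("cloudresourcemanager.googleapis.com/projects/%s", id)))
                    .build())
                .applyValue(invoke -> invoke.result());

            var example = new DenyPolicy("example", DenyPolicyArgs.builder()
                .parent(parent)
                .name("my-deny-policy")
                .displayName("A deny rule")
                .rules(
                    DenyPolicyRuleArgs.builder()
                        .description("First rule")
                        .denyRule(DenyPolicyRuleDenyRuleArgs.builder()
                            .deniedPrincipals(allPrincipals)
                            .denialCondition(outsideTestEnv)
                            .deniedPermissions(deniedPermission)
                            .build())
                        .build(),
                    DenyPolicyRuleArgs.builder()
                        .description("Second rule")
                        .denyRule(DenyPolicyRuleDenyRuleArgs.builder()
                            .deniedPrincipals(allPrincipals)
                            .denialCondition(outsideTestEnv)
                            .deniedPermissions(deniedPermission)
                            // NOTE(review): a request is denied if *any* rule matches it, so this
                            // exception does not actually exempt the service account -- the first
                            // rule still denies it. Exempt it from every covering rule (or drop the
                            // first rule) if the carve-out is intended. `projects/-/` is the
                            // documented wildcard for the account's home project.
                            .exceptionPrincipals(testAccount.email().applyValue(email ->
                                String.format("principal://iam.googleapis.com/projects/-/serviceAccounts/%s", email)))
                            .build())
                        .build())
                .build());
        }
    }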
    
    # Placeholder identifiers (org id, billing account, tag key id 12345678): replace before use.
    resources:
      project:
        type: gcp:organizations:Project
        properties:
          projectId: my-project
          name: my-project
          orgId: '123456789'
          billingAccount: 000000-0000000-0000000-000000
      example:
        type: gcp:iam:DenyPolicy
        properties:
          # The attachment point must be the URL-encoded full resource name of the project.
          parent:
            fn::invoke:
              Function: std:urlencode
              Arguments:
                input: cloudresourcemanager.googleapis.com/projects/${project.projectId}
              Return: result
          name: my-deny-policy
          displayName: A deny rule
          # Deny rules are evaluated before allow policies; a request is denied if any rule matches.
          rules:
            - description: First rule
              denyRule:
                # Every principal, authenticated or not.
                deniedPrincipals:
                  - principalSet://goog/public:all
                # The deny is lifted only on resources tagged env=test. Anyone who can bind that
                # tag can disable the deny, so guard the tag-binding permissions on this key too.
                denialCondition:
                  title: Some expr
                  expression: '!resource.matchTag(''12345678/env'', ''test'')'
                deniedPermissions:
                  - cloudresourcemanager.googleapis.com/projects.update
            - description: Second rule
              denyRule:
                deniedPrincipals:
                  - principalSet://goog/public:all
                denialCondition:
                  title: Some expr
                  expression: '!resource.matchTag(''12345678/env'', ''test'')'
                deniedPermissions:
                  - cloudresourcemanager.googleapis.com/projects.update
                # NOTE(review): this exception does not actually exempt the service account --
                # the first rule has no exception and still denies it. Exempt it from every
                # covering rule (or drop the first rule) if the carve-out is intended.
                # `projects/-/` is the documented wildcard for the account's home project.
                exceptionPrincipals:
                  - principal://iam.googleapis.com/projects/-/serviceAccounts/${["test-account"].email}
      test-account:
        type: gcp:serviceaccount:Account
        properties:
          accountId: svc-acc
          displayName: Test Service Account
          project: ${project.projectId}
    

    Create DenyPolicy Resource

    new DenyPolicy(name: string, args: DenyPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def DenyPolicy(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   display_name: Optional[str] = None,
                   name: Optional[str] = None,
                   parent: Optional[str] = None,
                   rules: Optional[Sequence[DenyPolicyRuleArgs]] = None)
    @overload
    def DenyPolicy(resource_name: str,
                   args: DenyPolicyArgs,
                   opts: Optional[ResourceOptions] = None)
    func NewDenyPolicy(ctx *Context, name string, args DenyPolicyArgs, opts ...ResourceOption) (*DenyPolicy, error)
    public DenyPolicy(string name, DenyPolicyArgs args, CustomResourceOptions? opts = null)
    public DenyPolicy(String name, DenyPolicyArgs args)
    public DenyPolicy(String name, DenyPolicyArgs args, CustomResourceOptions options)
    
    type: gcp:iam:DenyPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    DenyPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The DenyPolicy resource accepts the following input properties:

    Parent string
    The attachment point is identified by its URL-encoded full resource name.
    Rules List<DenyPolicyRule>
    Rules to be applied. Structure is documented below.
    DisplayName string
    The display name of the rule.
    Name string
    The name of the policy.
    Parent string
    The attachment point is identified by its URL-encoded full resource name.
    Rules []DenyPolicyRuleArgs
    Rules to be applied. Structure is documented below.
    DisplayName string
    The display name of the rule.
    Name string
    The name of the policy.
    parent String
    The attachment point is identified by its URL-encoded full resource name.
    rules List<DenyPolicyRule>
    Rules to be applied. Structure is documented below.
    displayName String
    The display name of the rule.
    name String
    The name of the policy.
    parent string
    The attachment point is identified by its URL-encoded full resource name.
    rules DenyPolicyRule[]
    Rules to be applied. Structure is documented below.
    displayName string
    The display name of the rule.
    name string
    The name of the policy.
    parent str
    The attachment point is identified by its URL-encoded full resource name.
    rules Sequence[DenyPolicyRuleArgs]
    Rules to be applied. Structure is documented below.
    display_name str
    The display name of the rule.
    name str
    The name of the policy.
    parent String
    The attachment point is identified by its URL-encoded full resource name.
    rules List<Property Map>
    Rules to be applied. Structure is documented below.
    displayName String
    The display name of the rule.
    name String
    The name of the policy.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the DenyPolicy resource produces the following output properties:

    Etag string
    The hash of the resource. Used internally during updates.
    Id string
    The provider-assigned unique ID for this managed resource.
    Etag string
    The hash of the resource. Used internally during updates.
    Id string
    The provider-assigned unique ID for this managed resource.
    etag String
    The hash of the resource. Used internally during updates.
    id String
    The provider-assigned unique ID for this managed resource.
    etag string
    The hash of the resource. Used internally during updates.
    id string
    The provider-assigned unique ID for this managed resource.
    etag str
    The hash of the resource. Used internally during updates.
    id str
    The provider-assigned unique ID for this managed resource.
    etag String
    The hash of the resource. Used internally during updates.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing DenyPolicy Resource

    Get an existing DenyPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: DenyPolicyState, opts?: CustomResourceOptions): DenyPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            display_name: Optional[str] = None,
            etag: Optional[str] = None,
            name: Optional[str] = None,
            parent: Optional[str] = None,
            rules: Optional[Sequence[DenyPolicyRuleArgs]] = None) -> DenyPolicy
    func GetDenyPolicy(ctx *Context, name string, id IDInput, state *DenyPolicyState, opts ...ResourceOption) (*DenyPolicy, error)
    public static DenyPolicy Get(string name, Input<string> id, DenyPolicyState? state, CustomResourceOptions? opts = null)
    public static DenyPolicy get(String name, Output<String> id, DenyPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    DisplayName string
    The display name of the rule.
    Etag string
    The hash of the resource. Used internally during updates.
    Name string
    The name of the policy.
    Parent string
    The attachment point is identified by its URL-encoded full resource name.
    Rules List<DenyPolicyRule>
    Rules to be applied. Structure is documented below.
    DisplayName string
    The display name of the rule.
    Etag string
    The hash of the resource. Used internally during updates.
    Name string
    The name of the policy.
    Parent string
    The attachment point is identified by its URL-encoded full resource name.
    Rules []DenyPolicyRuleArgs
    Rules to be applied. Structure is documented below.
    displayName String
    The display name of the rule.
    etag String
    The hash of the resource. Used internally during updates.
    name String
    The name of the policy.
    parent String
    The attachment point is identified by its URL-encoded full resource name.
    rules List<DenyPolicyRule>
    Rules to be applied. Structure is documented below.
    displayName string
    The display name of the rule.
    etag string
    The hash of the resource. Used internally during updates.
    name string
    The name of the policy.
    parent string
    The attachment point is identified by its URL-encoded full resource name.
    rules DenyPolicyRule[]
    Rules to be applied. Structure is documented below.
    display_name str
    The display name of the rule.
    etag str
    The hash of the resource. Used internally during updates.
    name str
    The name of the policy.
    parent str
    The attachment point is identified by its URL-encoded full resource name.
    rules Sequence[DenyPolicyRuleArgs]
    Rules to be applied. Structure is documented below.
    displayName String
    The display name of the rule.
    etag String
    The hash of the resource. Used internally during updates.
    name String
    The name of the policy.
    parent String
    The attachment point is identified by its URL-encoded full resource name.
    rules List<Property Map>
    Rules to be applied. Structure is documented below.

    Supporting Types

    DenyPolicyRule, DenyPolicyRuleArgs

    DenyRule DenyPolicyRuleDenyRule
    A deny rule in an IAM deny policy. Structure is documented below.
    Description string
    The description of the rule.
    DenyRule DenyPolicyRuleDenyRule
    A deny rule in an IAM deny policy. Structure is documented below.
    Description string
    The description of the rule.
    denyRule DenyPolicyRuleDenyRule
    A deny rule in an IAM deny policy. Structure is documented below.
    description String
    The description of the rule.
    denyRule DenyPolicyRuleDenyRule
    A deny rule in an IAM deny policy. Structure is documented below.
    description string
    The description of the rule.
    deny_rule DenyPolicyRuleDenyRule
    A deny rule in an IAM deny policy. Structure is documented below.
    description str
    The description of the rule.
    denyRule Property Map
    A deny rule in an IAM deny policy. Structure is documented below.
    description String
    The description of the rule.

    DenyPolicyRuleDenyRule, DenyPolicyRuleDenyRuleArgs

    DenialCondition DenyPolicyRuleDenyRuleDenialCondition
    A condition (CEL expression) that controls when the rule applies; the rule denies only when the expression evaluates to true. Deny-policy conditions evaluate resource tags (for example `resource.matchTag`, as in the example above); request attributes such as `origin.ip` or request headers are not available in this context. Structure is documented below.
    DeniedPermissions List<string>
    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
    DeniedPrincipals List<string>
    The identities that are prevented from using one or more permissions on Google Cloud resources.
    ExceptionPermissions List<string>
    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
    ExceptionPrincipals List<string>
    The identities that are excluded from this deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. An exception removes the principal from this rule only: if another rule in the policy (or in a deny policy higher in the resource hierarchy) still denies it, the request is denied.
    DenialCondition DenyPolicyRuleDenyRuleDenialCondition
    A condition (CEL expression) that controls when the rule applies; the rule denies only when the expression evaluates to true. Deny-policy conditions evaluate resource tags (for example `resource.matchTag`, as in the example above); request attributes such as `origin.ip` or request headers are not available in this context. Structure is documented below.
    DeniedPermissions []string
    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
    DeniedPrincipals []string
    The identities that are prevented from using one or more permissions on Google Cloud resources.
    ExceptionPermissions []string
    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
    ExceptionPrincipals []string
    The identities that are excluded from this deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. An exception removes the principal from this rule only: if another rule in the policy (or in a deny policy higher in the resource hierarchy) still denies it, the request is denied.
    denialCondition DenyPolicyRuleDenyRuleDenialCondition
    A condition (CEL expression) that controls when the rule applies; the rule denies only when the expression evaluates to true. Deny-policy conditions evaluate resource tags (for example `resource.matchTag`, as in the example above); request attributes such as `origin.ip` or request headers are not available in this context. Structure is documented below.
    deniedPermissions List<String>
    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
    deniedPrincipals List<String>
    The identities that are prevented from using one or more permissions on Google Cloud resources.
    exceptionPermissions List<String>
    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
    exceptionPrincipals List<String>
    The identities that are excluded from this deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. An exception removes the principal from this rule only: if another rule in the policy (or in a deny policy higher in the resource hierarchy) still denies it, the request is denied.
    denialCondition DenyPolicyRuleDenyRuleDenialCondition
    A condition (CEL expression) that controls when the rule applies; the rule denies only when the expression evaluates to true. Deny-policy conditions evaluate resource tags (for example `resource.matchTag`, as in the example above); request attributes such as `origin.ip` or request headers are not available in this context. Structure is documented below.
    deniedPermissions string[]
    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
    deniedPrincipals string[]
    The identities that are prevented from using one or more permissions on Google Cloud resources.
    exceptionPermissions string[]
    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
    exceptionPrincipals string[]
    The identities that are excluded from this deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. An exception removes the principal from this rule only: if another rule in the policy (or in a deny policy higher in the resource hierarchy) still denies it, the request is denied.
    denial_condition DenyPolicyRuleDenyRuleDenialCondition
    User-defined CEL (Common Expression Language) expression that restricts when this rule applies. A CEL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Because the condition limits when the denial takes effect, a mistaken or over-broad expression weakens the policy rather than strengthening it; keep conditions minimal and verify them before relying on the rule. Structure is documented below.
    denied_permissions Sequence[str]
    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
    denied_principals Sequence[str]
    The identities that are prevented from using one or more permissions on Google Cloud resources.
    exception_permissions Sequence[str]
    Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in both denied_permissions and exception_permissions, it is not denied. Exceptions use the same syntax as denied_permissions. Note that every exception re-opens access the rule would otherwise block, so review this list as carefully as the denied set itself.
    exception_principals Sequence[str]
    The identities that are excluded from the deny rule, even if they are also listed in denied_principals. For example, you could add a Google group to denied_principals and then exclude specific users who belong to that group. Each excluded identity keeps the permissions this rule denies to everyone else, so keep the list minimal and audit it.
    denialCondition Property Map
    User-defined CEL (Common Expression Language) expression that restricts when this rule applies. A CEL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Because the condition limits when the denial takes effect, a mistaken or over-broad expression weakens the policy rather than strengthening it; keep conditions minimal and verify them before relying on the rule. Structure is documented below.
    deniedPermissions List<String>
    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
    deniedPrincipals List<String>
    The identities that are prevented from using one or more permissions on Google Cloud resources.
    exceptionPermissions List<String>
    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in both deniedPermissions and exceptionPermissions, it is not denied. Exceptions use the same syntax as deniedPermissions. Note that every exception re-opens access the rule would otherwise block, so review this list as carefully as the denied set itself.
    exceptionPrincipals List<String>
    The identities that are excluded from the deny rule, even if they are also listed in deniedPrincipals. For example, you could add a Google group to deniedPrincipals and then exclude specific users who belong to that group. Each excluded identity keeps the permissions this rule denies to everyone else, so keep the list minimal and audit it.

    DenyPolicyRuleDenyRuleDenialCondition, DenyPolicyRuleDenyRuleDenialConditionArgs

    Expression string
    Textual representation of the condition in Common Expression Language (CEL) syntax. This is the only field of the condition that affects evaluation; the remaining fields are descriptive metadata and do not change what the condition matches.
    Description string
    A longer text describing the expression, e.g. shown when it is hovered over in a UI.
    Location string
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    Title string
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
    Expression string
    Textual representation of the condition in Common Expression Language (CEL) syntax. This is the only field of the condition that affects evaluation; the remaining fields are descriptive metadata and do not change what the condition matches.
    Description string
    A longer text describing the expression, e.g. shown when it is hovered over in a UI.
    Location string
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    Title string
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
    expression String
    Textual representation of the condition in Common Expression Language (CEL) syntax. This is the only field of the condition that affects evaluation; the remaining fields are descriptive metadata and do not change what the condition matches.
    description String
    A longer text describing the expression, e.g. shown when it is hovered over in a UI.
    location String
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title String
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
    expression string
    Textual representation of the condition in Common Expression Language (CEL) syntax. This is the only field of the condition that affects evaluation; the remaining fields are descriptive metadata and do not change what the condition matches.
    description string
    A longer text describing the expression, e.g. shown when it is hovered over in a UI.
    location string
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title string
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
    expression str
    Textual representation of the condition in Common Expression Language (CEL) syntax. This is the only field of the condition that affects evaluation; the remaining fields are descriptive metadata and do not change what the condition matches.
    description str
    A longer text describing the expression, e.g. shown when it is hovered over in a UI.
    location str
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title str
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.
    expression String
    Textual representation of the condition in Common Expression Language (CEL) syntax. This is the only field of the condition that affects evaluation; the remaining fields are descriptive metadata and do not change what the condition matches.
    description String
    A longer text describing the expression, e.g. shown when it is hovered over in a UI.
    location String
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title String
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs that allow the expression to be entered.

    Import

    DenyPolicy can be imported using the following accepted format:

    • {{parent}}/{{name}}

    When using the pulumi import command, DenyPolicy can be imported using the format above. For example:

    $ pulumi import gcp:iam/denyPolicy:DenyPolicy default {{parent}}/{{name}}
    

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.