Docs Home
Google Cloud v8.27.0 published on Thursday, Apr 17, 2025 by Pulumi
gcp.iam.DenyPolicy
Explore with Pulumi AI
Represents a collection of denial policies to apply to a given resource.
To get more information about DenyPolicy, see:
Example Usage
Iam Deny Policy Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const project = new gcp.organizations.Project("project", {
projectId: "my-project",
name: "my-project",
orgId: "123456789",
billingAccount: "000000-0000000-0000000-000000",
deletionPolicy: "DELETE",
});
const test_account = new gcp.serviceaccount.Account("test-account", {
accountId: "svc-acc",
displayName: "Test Service Account",
project: project.projectId,
});
const example = new gcp.iam.DenyPolicy("example", {
parent: std.urlencodeOutput({
input: pulumi.interpolate`cloudresourcemanager.googleapis.com/projects/${project.projectId}`,
}).apply(invoke => invoke.result),
name: "my-deny-policy",
displayName: "A deny rule",
rules: [
{
description: "First rule",
denyRule: {
deniedPrincipals: ["principalSet://goog/public:all"],
denialCondition: {
title: "Some expr",
expression: "!resource.matchTag('12345678/env', 'test')",
},
deniedPermissions: ["cloudresourcemanager.googleapis.com/projects.update"],
},
},
{
description: "Second rule",
denyRule: {
deniedPrincipals: ["principalSet://goog/public:all"],
denialCondition: {
title: "Some expr",
expression: "!resource.matchTag('12345678/env', 'test')",
},
deniedPermissions: ["cloudresourcemanager.googleapis.com/projects.update"],
exceptionPrincipals: [pulumi.interpolate`principal://iam.googleapis.com/projects/-/serviceAccounts/${test_account.email}`],
},
},
],
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
project = gcp.organizations.Project("project",
project_id="my-project",
name="my-project",
org_id="123456789",
billing_account="000000-0000000-0000000-000000",
deletion_policy="DELETE")
test_account = gcp.serviceaccount.Account("test-account",
account_id="svc-acc",
display_name="Test Service Account",
project=project.project_id)
example = gcp.iam.DenyPolicy("example",
parent=std.urlencode_output(input=project.project_id.apply(lambda project_id: f"cloudresourcemanager.googleapis.com/projects/{project_id}")).apply(lambda invoke: invoke.result),
name="my-deny-policy",
display_name="A deny rule",
rules=[
{
"description": "First rule",
"deny_rule": {
"denied_principals": ["principalSet://goog/public:all"],
"denial_condition": {
"title": "Some expr",
"expression": "!resource.matchTag('12345678/env', 'test')",
},
"denied_permissions": ["cloudresourcemanager.googleapis.com/projects.update"],
},
},
{
"description": "Second rule",
"deny_rule": {
"denied_principals": ["principalSet://goog/public:all"],
"denial_condition": {
"title": "Some expr",
"expression": "!resource.matchTag('12345678/env', 'test')",
},
"denied_permissions": ["cloudresourcemanager.googleapis.com/projects.update"],
"exception_principals": [test_account.email.apply(lambda email: f"principal://iam.googleapis.com/projects/-/serviceAccounts/{email}")],
},
},
])
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
ProjectId: pulumi.String("my-project"),
Name: pulumi.String("my-project"),
OrgId: pulumi.String("123456789"),
BillingAccount: pulumi.String("000000-0000000-0000000-000000"),
DeletionPolicy: pulumi.String("DELETE"),
})
if err != nil {
return err
}
test_account, err := serviceaccount.NewAccount(ctx, "test-account", &serviceaccount.AccountArgs{
AccountId: pulumi.String("svc-acc"),
DisplayName: pulumi.String("Test Service Account"),
Project: project.ProjectId,
})
if err != nil {
return err
}
_, err = iam.NewDenyPolicy(ctx, "example", &iam.DenyPolicyArgs{
Parent: pulumi.String(std.UrlencodeOutput(ctx, std.UrlencodeOutputArgs{
Input: project.ProjectId.ApplyT(func(projectId string) (string, error) {
return fmt.Sprintf("cloudresourcemanager.googleapis.com/projects/%v", projectId), nil
}).(pulumi.StringOutput),
}, nil).ApplyT(func(invoke std.UrlencodeResult) (*string, error) {
return invoke.Result, nil
}).(pulumi.StringPtrOutput)),
Name: pulumi.String("my-deny-policy"),
DisplayName: pulumi.String("A deny rule"),
Rules: iam.DenyPolicyRuleArray{
&iam.DenyPolicyRuleArgs{
Description: pulumi.String("First rule"),
DenyRule: &iam.DenyPolicyRuleDenyRuleArgs{
DeniedPrincipals: pulumi.StringArray{
pulumi.String("principalSet://goog/public:all"),
},
DenialCondition: &iam.DenyPolicyRuleDenyRuleDenialConditionArgs{
Title: pulumi.String("Some expr"),
Expression: pulumi.String("!resource.matchTag('12345678/env', 'test')"),
},
DeniedPermissions: pulumi.StringArray{
pulumi.String("cloudresourcemanager.googleapis.com/projects.update"),
},
},
},
&iam.DenyPolicyRuleArgs{
Description: pulumi.String("Second rule"),
DenyRule: &iam.DenyPolicyRuleDenyRuleArgs{
DeniedPrincipals: pulumi.StringArray{
pulumi.String("principalSet://goog/public:all"),
},
DenialCondition: &iam.DenyPolicyRuleDenyRuleDenialConditionArgs{
Title: pulumi.String("Some expr"),
Expression: pulumi.String("!resource.matchTag('12345678/env', 'test')"),
},
DeniedPermissions: pulumi.StringArray{
pulumi.String("cloudresourcemanager.googleapis.com/projects.update"),
},
ExceptionPrincipals: pulumi.StringArray{
test_account.Email.ApplyT(func(email string) (string, error) {
return fmt.Sprintf("principal://iam.googleapis.com/projects/-/serviceAccounts/%v", email), nil
}).(pulumi.StringOutput),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var project = new Gcp.Organizations.Project("project", new()
{
ProjectId = "my-project",
Name = "my-project",
OrgId = "123456789",
BillingAccount = "000000-0000000-0000000-000000",
DeletionPolicy = "DELETE",
});
var test_account = new Gcp.ServiceAccount.Account("test-account", new()
{
AccountId = "svc-acc",
DisplayName = "Test Service Account",
Project = project.ProjectId,
});
var example = new Gcp.Iam.DenyPolicy("example", new()
{
Parent = Std.Urlencode.Invoke(new()
{
Input = project.ProjectId.Apply(projectId => $"cloudresourcemanager.googleapis.com/projects/{projectId}"),
}).Apply(invoke => invoke.Result),
Name = "my-deny-policy",
DisplayName = "A deny rule",
Rules = new[]
{
new Gcp.Iam.Inputs.DenyPolicyRuleArgs
{
Description = "First rule",
DenyRule = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleArgs
{
DeniedPrincipals = new[]
{
"principalSet://goog/public:all",
},
DenialCondition = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleDenialConditionArgs
{
Title = "Some expr",
Expression = "!resource.matchTag('12345678/env', 'test')",
},
DeniedPermissions = new[]
{
"cloudresourcemanager.googleapis.com/projects.update",
},
},
},
new Gcp.Iam.Inputs.DenyPolicyRuleArgs
{
Description = "Second rule",
DenyRule = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleArgs
{
DeniedPrincipals = new[]
{
"principalSet://goog/public:all",
},
DenialCondition = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleDenialConditionArgs
{
Title = "Some expr",
Expression = "!resource.matchTag('12345678/env', 'test')",
},
DeniedPermissions = new[]
{
"cloudresourcemanager.googleapis.com/projects.update",
},
ExceptionPrincipals = new[]
{
test_account.Email.Apply(email => $"principal://iam.googleapis.com/projects/-/serviceAccounts/{email}"),
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Project;
import com.pulumi.gcp.organizations.ProjectArgs;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumi.gcp.iam.DenyPolicy;
import com.pulumi.gcp.iam.DenyPolicyArgs;
import com.pulumi.gcp.iam.inputs.DenyPolicyRuleArgs;
import com.pulumi.gcp.iam.inputs.DenyPolicyRuleDenyRuleArgs;
import com.pulumi.gcp.iam.inputs.DenyPolicyRuleDenyRuleDenialConditionArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.UrlencodeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var project = new Project("project", ProjectArgs.builder()
.projectId("my-project")
.name("my-project")
.orgId("123456789")
.billingAccount("000000-0000000-0000000-000000")
.deletionPolicy("DELETE")
.build());
var test_account = new Account("test-account", AccountArgs.builder()
.accountId("svc-acc")
.displayName("Test Service Account")
.project(project.projectId())
.build());
var example = new DenyPolicy("example", DenyPolicyArgs.builder()
.parent(StdFunctions.urlencode(UrlencodeArgs.builder()
.input(project.projectId().applyValue(_projectId -> String.format("cloudresourcemanager.googleapis.com/projects/%s", _projectId)))
.build()).applyValue(_invoke -> _invoke.result()))
.name("my-deny-policy")
.displayName("A deny rule")
.rules(
DenyPolicyRuleArgs.builder()
.description("First rule")
.denyRule(DenyPolicyRuleDenyRuleArgs.builder()
.deniedPrincipals("principalSet://goog/public:all")
.denialCondition(DenyPolicyRuleDenyRuleDenialConditionArgs.builder()
.title("Some expr")
.expression("!resource.matchTag('12345678/env', 'test')")
.build())
.deniedPermissions("cloudresourcemanager.googleapis.com/projects.update")
.build())
.build(),
DenyPolicyRuleArgs.builder()
.description("Second rule")
.denyRule(DenyPolicyRuleDenyRuleArgs.builder()
.deniedPrincipals("principalSet://goog/public:all")
.denialCondition(DenyPolicyRuleDenyRuleDenialConditionArgs.builder()
.title("Some expr")
.expression("!resource.matchTag('12345678/env', 'test')")
.build())
.deniedPermissions("cloudresourcemanager.googleapis.com/projects.update")
.exceptionPrincipals(test_account.email().applyValue(_email -> String.format("principal://iam.googleapis.com/projects/-/serviceAccounts/%s", _email)))
.build())
.build())
.build());
}
}
resources:
project:
type: gcp:organizations:Project
properties:
projectId: my-project
name: my-project
orgId: '123456789'
billingAccount: 000000-0000000-0000000-000000
deletionPolicy: DELETE
example:
type: gcp:iam:DenyPolicy
properties:
parent:
fn::invoke:
function: std:urlencode
arguments:
input: cloudresourcemanager.googleapis.com/projects/${project.projectId}
return: result
name: my-deny-policy
displayName: A deny rule
rules:
- description: First rule
denyRule:
deniedPrincipals:
- principalSet://goog/public:all
denialCondition:
title: Some expr
expression: '!resource.matchTag(''12345678/env'', ''test'')'
deniedPermissions:
- cloudresourcemanager.googleapis.com/projects.update
- description: Second rule
denyRule:
deniedPrincipals:
- principalSet://goog/public:all
denialCondition:
title: Some expr
expression: '!resource.matchTag(''12345678/env'', ''test'')'
deniedPermissions:
- cloudresourcemanager.googleapis.com/projects.update
exceptionPrincipals:
- principal://iam.googleapis.com/projects/-/serviceAccounts/${["test-account"].email}
test-account:
type: gcp:serviceaccount:Account
properties:
accountId: svc-acc
displayName: Test Service Account
project: ${project.projectId}
Create DenyPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new DenyPolicy(name: string, args: DenyPolicyArgs, opts?: CustomResourceOptions);@overload
def DenyPolicy(resource_name: str,
args: DenyPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def DenyPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
parent: Optional[str] = None,
rules: Optional[Sequence[DenyPolicyRuleArgs]] = None,
display_name: Optional[str] = None,
name: Optional[str] = None)func NewDenyPolicy(ctx *Context, name string, args DenyPolicyArgs, opts ...ResourceOption) (*DenyPolicy, error)public DenyPolicy(string name, DenyPolicyArgs args, CustomResourceOptions? opts = null)
public DenyPolicy(String name, DenyPolicyArgs args)
public DenyPolicy(String name, DenyPolicyArgs args, CustomResourceOptions options)
type: gcp:iam:DenyPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var denyPolicyResource = new Gcp.Iam.DenyPolicy("denyPolicyResource", new()
{
Parent = "string",
Rules = new[]
{
new Gcp.Iam.Inputs.DenyPolicyRuleArgs
{
DenyRule = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleArgs
{
DenialCondition = new Gcp.Iam.Inputs.DenyPolicyRuleDenyRuleDenialConditionArgs
{
Expression = "string",
Description = "string",
Location = "string",
Title = "string",
},
DeniedPermissions = new[]
{
"string",
},
DeniedPrincipals = new[]
{
"string",
},
ExceptionPermissions = new[]
{
"string",
},
ExceptionPrincipals = new[]
{
"string",
},
},
Description = "string",
},
},
DisplayName = "string",
Name = "string",
});
example, err := iam.NewDenyPolicy(ctx, "denyPolicyResource", &iam.DenyPolicyArgs{
Parent: pulumi.String("string"),
Rules: iam.DenyPolicyRuleArray{
&iam.DenyPolicyRuleArgs{
DenyRule: &iam.DenyPolicyRuleDenyRuleArgs{
DenialCondition: &iam.DenyPolicyRuleDenyRuleDenialConditionArgs{
Expression: pulumi.String("string"),
Description: pulumi.String("string"),
Location: pulumi.String("string"),
Title: pulumi.String("string"),
},
DeniedPermissions: pulumi.StringArray{
pulumi.String("string"),
},
DeniedPrincipals: pulumi.StringArray{
pulumi.String("string"),
},
ExceptionPermissions: pulumi.StringArray{
pulumi.String("string"),
},
ExceptionPrincipals: pulumi.StringArray{
pulumi.String("string"),
},
},
Description: pulumi.String("string"),
},
},
DisplayName: pulumi.String("string"),
Name: pulumi.String("string"),
})
var denyPolicyResource = new DenyPolicy("denyPolicyResource", DenyPolicyArgs.builder()
.parent("string")
.rules(DenyPolicyRuleArgs.builder()
.denyRule(DenyPolicyRuleDenyRuleArgs.builder()
.denialCondition(DenyPolicyRuleDenyRuleDenialConditionArgs.builder()
.expression("string")
.description("string")
.location("string")
.title("string")
.build())
.deniedPermissions("string")
.deniedPrincipals("string")
.exceptionPermissions("string")
.exceptionPrincipals("string")
.build())
.description("string")
.build())
.displayName("string")
.name("string")
.build());
deny_policy_resource = gcp.iam.DenyPolicy("denyPolicyResource",
parent="string",
rules=[{
"deny_rule": {
"denial_condition": {
"expression": "string",
"description": "string",
"location": "string",
"title": "string",
},
"denied_permissions": ["string"],
"denied_principals": ["string"],
"exception_permissions": ["string"],
"exception_principals": ["string"],
},
"description": "string",
}],
display_name="string",
name="string")
const denyPolicyResource = new gcp.iam.DenyPolicy("denyPolicyResource", {
parent: "string",
rules: [{
denyRule: {
denialCondition: {
expression: "string",
description: "string",
location: "string",
title: "string",
},
deniedPermissions: ["string"],
deniedPrincipals: ["string"],
exceptionPermissions: ["string"],
exceptionPrincipals: ["string"],
},
description: "string",
}],
displayName: "string",
name: "string",
});
type: gcp:iam:DenyPolicy
properties:
displayName: string
name: string
parent: string
rules:
- denyRule:
denialCondition:
description: string
expression: string
location: string
title: string
deniedPermissions:
- string
deniedPrincipals:
- string
exceptionPermissions:
- string
exceptionPrincipals:
- string
description: string
DenyPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The DenyPolicy resource accepts the following input properties:
- Parent string
- The attachment point is identified by its URL-encoded full resource name.
- Rules
List<Deny
Policy Rule> - Rules to be applied. Structure is documented below.
- Display
Name string - The display name of the rule.
- Name string
- The name of the policy.
- Parent string
- The attachment point is identified by its URL-encoded full resource name.
- Rules
[]Deny
Policy Rule Args - Rules to be applied. Structure is documented below.
- Display
Name string - The display name of the rule.
- Name string
- The name of the policy.
- parent String
- The attachment point is identified by its URL-encoded full resource name.
- rules
List<Deny
Policy Rule> - Rules to be applied. Structure is documented below.
- display
Name String - The display name of the rule.
- name String
- The name of the policy.
- parent string
- The attachment point is identified by its URL-encoded full resource name.
- rules
Deny
Policy Rule[] - Rules to be applied. Structure is documented below.
- display
Name string - The display name of the rule.
- name string
- The name of the policy.
- parent str
- The attachment point is identified by its URL-encoded full resource name.
- rules
Sequence[Deny
Policy Rule Args] - Rules to be applied. Structure is documented below.
- display_
name str - The display name of the rule.
- name str
- The name of the policy.
- parent String
- The attachment point is identified by its URL-encoded full resource name.
- rules List<Property Map>
- Rules to be applied. Structure is documented below.
- display
Name String - The display name of the rule.
- name String
- The name of the policy.
Outputs
All input properties are implicitly available as output properties. Additionally, the DenyPolicy resource produces the following output properties:
Look up Existing DenyPolicy Resource
Get an existing DenyPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DenyPolicyState, opts?: CustomResourceOptions): DenyPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
display_name: Optional[str] = None,
etag: Optional[str] = None,
name: Optional[str] = None,
parent: Optional[str] = None,
rules: Optional[Sequence[DenyPolicyRuleArgs]] = None) -> DenyPolicyfunc GetDenyPolicy(ctx *Context, name string, id IDInput, state *DenyPolicyState, opts ...ResourceOption) (*DenyPolicy, error)public static DenyPolicy Get(string name, Input<string> id, DenyPolicyState? state, CustomResourceOptions? opts = null)public static DenyPolicy get(String name, Output<String> id, DenyPolicyState state, CustomResourceOptions options)resources: _: type: gcp:iam:DenyPolicy get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Display
Name string - The display name of the rule.
- Etag string
- The hash of the resource. Used internally during updates.
- Name string
- The name of the policy.
- Parent string
- The attachment point is identified by its URL-encoded full resource name.
- Rules
List<Deny
Policy Rule> - Rules to be applied. Structure is documented below.
- Display
Name string - The display name of the rule.
- Etag string
- The hash of the resource. Used internally during updates.
- Name string
- The name of the policy.
- Parent string
- The attachment point is identified by its URL-encoded full resource name.
- Rules
[]Deny
Policy Rule Args - Rules to be applied. Structure is documented below.
- display
Name String - The display name of the rule.
- etag String
- The hash of the resource. Used internally during updates.
- name String
- The name of the policy.
- parent String
- The attachment point is identified by its URL-encoded full resource name.
- rules
List<Deny
Policy Rule> - Rules to be applied. Structure is documented below.
- display
Name string - The display name of the rule.
- etag string
- The hash of the resource. Used internally during updates.
- name string
- The name of the policy.
- parent string
- The attachment point is identified by its URL-encoded full resource name.
- rules
Deny
Policy Rule[] - Rules to be applied. Structure is documented below.
- display_
name str - The display name of the rule.
- etag str
- The hash of the resource. Used internally during updates.
- name str
- The name of the policy.
- parent str
- The attachment point is identified by its URL-encoded full resource name.
- rules
Sequence[Deny
Policy Rule Args] - Rules to be applied. Structure is documented below.
- display
Name String - The display name of the rule.
- etag String
- The hash of the resource. Used internally during updates.
- name String
- The name of the policy.
- parent String
- The attachment point is identified by its URL-encoded full resource name.
- rules List<Property Map>
- Rules to be applied. Structure is documented below.
Supporting Types
DenyPolicyRule, DenyPolicyRuleArgs
- Deny
Rule DenyPolicy Rule Deny Rule - A deny rule in an IAM deny policy. Structure is documented below.
- Description string
- The description of the rule.
- Deny
Rule DenyPolicy Rule Deny Rule - A deny rule in an IAM deny policy. Structure is documented below.
- Description string
- The description of the rule.
- deny
Rule DenyPolicy Rule Deny Rule - A deny rule in an IAM deny policy. Structure is documented below.
- description String
- The description of the rule.
- deny
Rule DenyPolicy Rule Deny Rule - A deny rule in an IAM deny policy. Structure is documented below.
- description string
- The description of the rule.
- deny_
rule DenyPolicy Rule Deny Rule - A deny rule in an IAM deny policy. Structure is documented below.
- description str
- The description of the rule.
- deny
Rule Property Map - A deny rule in an IAM deny policy. Structure is documented below.
- description String
- The description of the rule.
DenyPolicyRuleDenyRule, DenyPolicyRuleDenyRuleArgs
- Denial
Condition DenyPolicy Rule Deny Rule Denial Condition - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- Denied
Permissions List<string> - The permissions that are explicitly denied by this rule. Each permission uses the format
{service-fqdn}/{resource}.{verb}, where{service-fqdn}is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list. - Denied
Principals List<string> - The identities that are prevented from using one or more permissions on Google Cloud resources.
- Exception
Permissions List<string> - Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- Exception
Principals List<string> - The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- Denial
Condition DenyPolicy Rule Deny Rule Denial Condition - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- Denied
Permissions []string - The permissions that are explicitly denied by this rule. Each permission uses the format
{service-fqdn}/{resource}.{verb}, where{service-fqdn}is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list. - Denied
Principals []string - The identities that are prevented from using one or more permissions on Google Cloud resources.
- Exception
Permissions []string - Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- Exception
Principals []string - The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denial
Condition DenyPolicy Rule Deny Rule Denial Condition - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- denied
Permissions List<String> - The permissions that are explicitly denied by this rule. Each permission uses the format
{service-fqdn}/{resource}.{verb}, where{service-fqdn}is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list. - denied
Principals List<String> - The identities that are prevented from using one or more permissions on Google Cloud resources.
- exception
Permissions List<String> - Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exception
Principals List<String> - The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denial
Condition DenyPolicy Rule Deny Rule Denial Condition - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- denied
Permissions string[] - The permissions that are explicitly denied by this rule. Each permission uses the format
{service-fqdn}/{resource}.{verb}, where{service-fqdn}is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list. - denied
Principals string[] - The identities that are prevented from using one or more permissions on Google Cloud resources.
- exception
Permissions string[] - Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exception
Principals string[] - The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denial_
condition DenyPolicy Rule Deny Rule Denial Condition - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- denied_
permissions Sequence[str] - The permissions that are explicitly denied by this rule. Each permission uses the format
{service-fqdn}/{resource}.{verb}, where{service-fqdn}is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list. - denied_
principals Sequence[str] - The identities that are prevented from using one or more permissions on Google Cloud resources.
- exception_
permissions Sequence[str] - Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exception_
principals Sequence[str] - The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denial
Condition Property Map - User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- denied
Permissions List<String> - The permissions that are explicitly denied by this rule. Each permission uses the format
{service-fqdn}/{resource}.{verb}, where{service-fqdn}is the fully qualified domain name for the service. For example,iam.googleapis.com/roles.list. - denied
Principals List<String> - The identities that are prevented from using one or more permissions on Google Cloud resources.
- exception
Permissions List<String> - Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exception
Principals List<String> - The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
DenyPolicyRuleDenyRuleDenialCondition, DenyPolicyRuleDenyRuleDenialConditionArgs
- Expression string
- Textual representation of an expression in Common Expression Language syntax.
- Description string
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
- String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
- Title string
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- Expression string
- Textual representation of an expression in Common Expression Language syntax.
- Description string
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
- String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
- Title string
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression String
- Textual representation of an expression in Common Expression Language syntax.
- description String
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
- String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
- title String
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression string
- Textual representation of an expression in Common Expression Language syntax.
- description string
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location string
- String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
- title string
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression str
- Textual representation of an expression in Common Expression Language syntax.
- description str
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location str
- String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
- title str
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression String
- Textual representation of an expression in Common Expression Language syntax.
- description String
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
- String indicating the location of the expression for error reporting,
e.g. a file name and a position in the file.
- title String
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
Import
DenyPolicy can be imported using any of these accepted formats:
{{parent}}/{{name}}
When using the pulumi import command, DenyPolicy can be imported using one of the formats above. For example:
$ pulumi import gcp:iam/denyPolicy:DenyPolicy default {{parent}}/{{name}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.