gcp.iam.DenyPolicy
Represents a collection of denial policies to apply to a given resource.
To get more information about DenyPolicy, see:
Create DenyPolicy Resource
new DenyPolicy(name: string, args: DenyPolicyArgs, opts?: CustomResourceOptions);
@overload
def DenyPolicy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               display_name: Optional[str] = None,
               name: Optional[str] = None,
               parent: Optional[str] = None,
               rules: Optional[Sequence[DenyPolicyRuleArgs]] = None)
@overload
def DenyPolicy(resource_name: str,
               args: DenyPolicyArgs,
               opts: Optional[ResourceOptions] = None)
func NewDenyPolicy(ctx *Context, name string, args DenyPolicyArgs, opts ...ResourceOption) (*DenyPolicy, error)
public DenyPolicy(string name, DenyPolicyArgs args, CustomResourceOptions? opts = null)
public DenyPolicy(String name, DenyPolicyArgs args)
public DenyPolicy(String name, DenyPolicyArgs args, CustomResourceOptions options)
type: gcp:iam:DenyPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args DenyPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
DenyPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The DenyPolicy resource accepts the following input properties:
- Parent string
The attachment point is identified by its URL-encoded full resource name.
- Rules List<DenyPolicyRule>
Rules to be applied. Structure is documented below.
- DisplayName string
The display name of the rule.
- Name string
The name of the policy.
- Parent string
The attachment point is identified by its URL-encoded full resource name.
- Rules []DenyPolicyRuleArgs
Rules to be applied. Structure is documented below.
- DisplayName string
The display name of the rule.
- Name string
The name of the policy.
- parent String
The attachment point is identified by its URL-encoded full resource name.
- rules List<DenyPolicyRule>
Rules to be applied. Structure is documented below.
- displayName String
The display name of the rule.
- name String
The name of the policy.
- parent string
The attachment point is identified by its URL-encoded full resource name.
- rules DenyPolicyRule[]
Rules to be applied. Structure is documented below.
- displayName string
The display name of the rule.
- name string
The name of the policy.
- parent str
The attachment point is identified by its URL-encoded full resource name.
- rules Sequence[DenyPolicyRuleArgs]
Rules to be applied. Structure is documented below.
- display_name str
The display name of the rule.
- name str
The name of the policy.
- parent String
The attachment point is identified by its URL-encoded full resource name.
- rules List<Property Map>
Rules to be applied. Structure is documented below.
- displayName String
The display name of the rule.
- name String
The name of the policy.
Outputs
All input properties are implicitly available as output properties. Additionally, the DenyPolicy resource produces the following output properties:
Look up Existing DenyPolicy Resource
Get an existing DenyPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DenyPolicyState, opts?: CustomResourceOptions): DenyPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        display_name: Optional[str] = None,
        etag: Optional[str] = None,
        name: Optional[str] = None,
        parent: Optional[str] = None,
        rules: Optional[Sequence[DenyPolicyRuleArgs]] = None) -> DenyPolicy
func GetDenyPolicy(ctx *Context, name string, id IDInput, state *DenyPolicyState, opts ...ResourceOption) (*DenyPolicy, error)
public static DenyPolicy Get(string name, Input<string> id, DenyPolicyState? state, CustomResourceOptions? opts = null)
public static DenyPolicy get(String name, Output<String> id, DenyPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- DisplayName string
The display name of the rule.
- Etag string
The hash of the resource. Used internally during updates.
- Name string
The name of the policy.
- Parent string
The attachment point is identified by its URL-encoded full resource name.
- Rules List<DenyPolicyRule>
Rules to be applied. Structure is documented below.
- DisplayName string
The display name of the rule.
- Etag string
The hash of the resource. Used internally during updates.
- Name string
The name of the policy.
- Parent string
The attachment point is identified by its URL-encoded full resource name.
- Rules []DenyPolicyRuleArgs
Rules to be applied. Structure is documented below.
- displayName String
The display name of the rule.
- etag String
The hash of the resource. Used internally during updates.
- name String
The name of the policy.
- parent String
The attachment point is identified by its URL-encoded full resource name.
- rules List<DenyPolicyRule>
Rules to be applied. Structure is documented below.
- displayName string
The display name of the rule.
- etag string
The hash of the resource. Used internally during updates.
- name string
The name of the policy.
- parent string
The attachment point is identified by its URL-encoded full resource name.
- rules DenyPolicyRule[]
Rules to be applied. Structure is documented below.
- display_name str
The display name of the rule.
- etag str
The hash of the resource. Used internally during updates.
- name str
The name of the policy.
- parent str
The attachment point is identified by its URL-encoded full resource name.
- rules Sequence[DenyPolicyRuleArgs]
Rules to be applied. Structure is documented below.
- displayName String
The display name of the rule.
- etag String
The hash of the resource. Used internally during updates.
- name String
The name of the policy.
- parent String
The attachment point is identified by its URL-encoded full resource name.
- rules List<Property Map>
Rules to be applied. Structure is documented below.
Supporting Types
DenyPolicyRule, DenyPolicyRuleArgs
- DenyRule DenyPolicyRuleDenyRule
A deny rule in an IAM deny policy. Structure is documented below.
- Description string
The description of the rule.
- DenyRule DenyPolicyRuleDenyRule
A deny rule in an IAM deny policy. Structure is documented below.
- Description string
The description of the rule.
- denyRule DenyPolicyRuleDenyRule
A deny rule in an IAM deny policy. Structure is documented below.
- description String
The description of the rule.
- denyRule DenyPolicyRuleDenyRule
A deny rule in an IAM deny policy. Structure is documented below.
- description string
The description of the rule.
- deny_rule DenyPolicyRuleDenyRule
A deny rule in an IAM deny policy. Structure is documented below.
- description str
The description of the rule.
- denyRule Property Map
A deny rule in an IAM deny policy. Structure is documented below.
- description String
The description of the rule.
DenyPolicyRuleDenyRule, DenyPolicyRuleDenyRuleArgs
- DenialCondition DenyPolicyRuleDenyRuleDenialCondition
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- DeniedPermissions List<string>
The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
- DeniedPrincipals List<string>
The identities that are prevented from using one or more permissions on Google Cloud resources.
- ExceptionPermissions List<string>
Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- ExceptionPrincipals List<string>
The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- DenialCondition DenyPolicyRuleDenyRuleDenialCondition
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- DeniedPermissions []string
The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
- DeniedPrincipals []string
The identities that are prevented from using one or more permissions on Google Cloud resources.
- ExceptionPermissions []string
Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- ExceptionPrincipals []string
The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denialCondition DenyPolicyRuleDenyRuleDenialCondition
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- deniedPermissions List<String>
The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
- deniedPrincipals List<String>
The identities that are prevented from using one or more permissions on Google Cloud resources.
- exceptionPermissions List<String>
Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exceptionPrincipals List<String>
The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denialCondition DenyPolicyRuleDenyRuleDenialCondition
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- deniedPermissions string[]
The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
- deniedPrincipals string[]
The identities that are prevented from using one or more permissions on Google Cloud resources.
- exceptionPermissions string[]
Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exceptionPrincipals string[]
The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denial_condition DenyPolicyRuleDenyRuleDenialCondition
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- denied_permissions Sequence[str]
The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
- denied_principals Sequence[str]
The identities that are prevented from using one or more permissions on Google Cloud resources.
- exception_permissions Sequence[str]
Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exception_principals Sequence[str]
The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
- denialCondition Property Map
User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.
- deniedPermissions List<String>
The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
- deniedPrincipals List<String>
The identities that are prevented from using one or more permissions on Google Cloud resources.
- exceptionPermissions List<String>
Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.
- exceptionPrincipals List<String>
The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.
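The exception semantics described above for deniedPermissions/exceptionPermissions and deniedPrincipals/exceptionPrincipals, together with the documented parent and permission formats, can be checked before a deployment. This is an added example, not part of the Pulumi documentation or provider code: lint_policy, is_denied, the regular expression and the sample values are constructed for illustration, matching is exact-string only, and denialCondition is not evaluated.

```python
import re

# Approximation of the documented {service-fqdn}/{resource}.{verb} format
# (an assumption made for this example, not taken from the provider).
PERMISSION_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+/[A-Za-z0-9]+(\.[A-Za-z0-9]+)+$")

# Constructed sample values; keys follow the Python property names listed above.
SAMPLE_PARENT = "cloudresourcemanager.googleapis.com%2Fprojects%2Fexample-project"
SAMPLE_RULE = {
    "denied_principals": ["principalSet://goog/group/eng@example.com"],
    "exception_principals": ["principal://goog/subject/lead@example.com"],
    "denied_permissions": ["iam.googleapis.com/roles.list",
                           "iam.googleapis.com/roles.delete"],
    "exception_permissions": ["iam.googleapis.com/roles.list"],
}


def lint_policy(parent, deny_rule):
    """Return a list of findings for one deny rule; an empty list means clean."""
    findings = []
    # A full resource name contains "/", so its URL-encoded form must carry
    # %2F escapes and no raw slash.
    if "/" in parent or "%2F" not in parent.upper():
        findings.append("parent is not URL-encoded")
    denied = set(deny_rule.get("denied_permissions", []))
    excepted = set(deny_rule.get("exception_permissions", []))
    for perm in sorted(denied | excepted):
        if not PERMISSION_RE.match(perm):
            findings.append(f"malformed permission: {perm}")
    # An exception that names nothing in denied_permissions has no effect.
    for perm in sorted(excepted - denied):
        findings.append(f"exception has no matching denied permission: {perm}")
    if denied and not denied - excepted:
        findings.append("every denied permission is excepted; rule denies nothing")
    if not deny_rule.get("denied_principals"):
        findings.append("no denied principals; rule denies nothing")
    return findings


def is_denied(deny_rule, principal, groups, permission):
    """Simplified model of the rule text: exceptions win over denials.

    `groups` lists the group identifiers the principal belongs to and is
    supplied by the caller; denial_condition is ignored.
    """
    identities = {principal, *groups}
    if not identities & set(deny_rule.get("denied_principals", [])):
        return False
    if identities & set(deny_rule.get("exception_principals", [])):
        return False
    if permission not in deny_rule.get("denied_permissions", []):
        return False
    return permission not in deny_rule.get("exception_permissions", [])
```

Running lint_policy over the rule arguments before `pulumi up` surfaces rules that deny nothing, which are easy to miss once exception lists grow.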
DenyPolicyRuleDenyRuleDenialCondition, DenyPolicyRuleDenyRuleDenialConditionArgs
- Expression string
Textual representation of an expression in Common Expression Language syntax.
- Description string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title string
Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
- Expression string
Textual representation of an expression in Common Expression Language syntax.
- Description string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title string
Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
- expression String
Textual representation of an expression in Common Expression Language syntax.
- description String
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title String
Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
- expression string
Textual representation of an expression in Common Expression Language syntax.
- description string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title string
Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
- expression str
Textual representation of an expression in Common Expression Language syntax.
- description str
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location str
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title str
Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
- expression String
Textual representation of an expression in Common Expression Language syntax.
- description String
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title String
Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
Import
DenyPolicy can be imported using any of these accepted formats:
$ pulumi import gcp:iam/denyPolicy:DenyPolicy default {{parent}}/{{name}}
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the google-beta Terraform Provider.