1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. iam
  5. DenyPolicy
Google Cloud Classic v6.66.0 published on Monday, Sep 18, 2023 by Pulumi

gcp.iam.DenyPolicy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v6.66.0 published on Monday, Sep 18, 2023 by Pulumi

    Represents a collection of denial policies to apply to a given resource.

    To get more information about DenyPolicy, see:

    Create DenyPolicy Resource

    new DenyPolicy(name: string, args: DenyPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def DenyPolicy(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   display_name: Optional[str] = None,
                   name: Optional[str] = None,
                   parent: Optional[str] = None,
                   rules: Optional[Sequence[DenyPolicyRuleArgs]] = None)
    @overload
    def DenyPolicy(resource_name: str,
                   args: DenyPolicyArgs,
                   opts: Optional[ResourceOptions] = None)
    func NewDenyPolicy(ctx *Context, name string, args DenyPolicyArgs, opts ...ResourceOption) (*DenyPolicy, error)
    public DenyPolicy(string name, DenyPolicyArgs args, CustomResourceOptions? opts = null)
    public DenyPolicy(String name, DenyPolicyArgs args)
    public DenyPolicy(String name, DenyPolicyArgs args, CustomResourceOptions options)
    
    type: gcp:iam:DenyPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args DenyPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    DenyPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The DenyPolicy resource accepts the following input properties:

    Parent string

    The attachment point is identified by its URL-encoded full resource name.

    Rules List<DenyPolicyRule>

    Rules to be applied. Structure is documented below.

    DisplayName string

    The display name of the rule.

    Name string

    The name of the policy.

    Parent string

    The attachment point is identified by its URL-encoded full resource name.

    Rules []DenyPolicyRuleArgs

    Rules to be applied. Structure is documented below.

    DisplayName string

    The display name of the rule.

    Name string

    The name of the policy.

    parent String

    The attachment point is identified by its URL-encoded full resource name.

    rules List<DenyPolicyRule>

    Rules to be applied. Structure is documented below.

    displayName String

    The display name of the rule.

    name String

    The name of the policy.

    parent string

    The attachment point is identified by its URL-encoded full resource name.

    rules DenyPolicyRule[]

    Rules to be applied. Structure is documented below.

    displayName string

    The display name of the rule.

    name string

    The name of the policy.

    parent str

    The attachment point is identified by its URL-encoded full resource name.

    rules Sequence[DenyPolicyRuleArgs]

    Rules to be applied. Structure is documented below.

    display_name str

    The display name of the rule.

    name str

    The name of the policy.

    parent String

    The attachment point is identified by its URL-encoded full resource name.

    rules List<Property Map>

    Rules to be applied. Structure is documented below.

    displayName String

    The display name of the rule.

    name String

    The name of the policy.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the DenyPolicy resource produces the following output properties:

    Etag string

    The hash of the resource. Used internally during updates.

    Id string

    The provider-assigned unique ID for this managed resource.

    Etag string

    The hash of the resource. Used internally during updates.

    Id string

    The provider-assigned unique ID for this managed resource.

    etag String

    The hash of the resource. Used internally during updates.

    id String

    The provider-assigned unique ID for this managed resource.

    etag string

    The hash of the resource. Used internally during updates.

    id string

    The provider-assigned unique ID for this managed resource.

    etag str

    The hash of the resource. Used internally during updates.

    id str

    The provider-assigned unique ID for this managed resource.

    etag String

    The hash of the resource. Used internally during updates.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing DenyPolicy Resource

    Get an existing DenyPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: DenyPolicyState, opts?: CustomResourceOptions): DenyPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            display_name: Optional[str] = None,
            etag: Optional[str] = None,
            name: Optional[str] = None,
            parent: Optional[str] = None,
            rules: Optional[Sequence[DenyPolicyRuleArgs]] = None) -> DenyPolicy
    func GetDenyPolicy(ctx *Context, name string, id IDInput, state *DenyPolicyState, opts ...ResourceOption) (*DenyPolicy, error)
    public static DenyPolicy Get(string name, Input<string> id, DenyPolicyState? state, CustomResourceOptions? opts = null)
    public static DenyPolicy get(String name, Output<String> id, DenyPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    DisplayName string

    The display name of the rule.

    Etag string

    The hash of the resource. Used internally during updates.

    Name string

    The name of the policy.

    Parent string

    The attachment point is identified by its URL-encoded full resource name.

    Rules List<DenyPolicyRule>

    Rules to be applied. Structure is documented below.

    DisplayName string

    The display name of the rule.

    Etag string

    The hash of the resource. Used internally during updates.

    Name string

    The name of the policy.

    Parent string

    The attachment point is identified by its URL-encoded full resource name.

    Rules []DenyPolicyRuleArgs

    Rules to be applied. Structure is documented below.

    displayName String

    The display name of the rule.

    etag String

    The hash of the resource. Used internally during updates.

    name String

    The name of the policy.

    parent String

    The attachment point is identified by its URL-encoded full resource name.

    rules List<DenyPolicyRule>

    Rules to be applied. Structure is documented below.

    displayName string

    The display name of the rule.

    etag string

    The hash of the resource. Used internally during updates.

    name string

    The name of the policy.

    parent string

    The attachment point is identified by its URL-encoded full resource name.

    rules DenyPolicyRule[]

    Rules to be applied. Structure is documented below.

    display_name str

    The display name of the rule.

    etag str

    The hash of the resource. Used internally during updates.

    name str

    The name of the policy.

    parent str

    The attachment point is identified by its URL-encoded full resource name.

    rules Sequence[DenyPolicyRuleArgs]

    Rules to be applied. Structure is documented below.

    displayName String

    The display name of the rule.

    etag String

    The hash of the resource. Used internally during updates.

    name String

    The name of the policy.

    parent String

    The attachment point is identified by its URL-encoded full resource name.

    rules List<Property Map>

    Rules to be applied. Structure is documented below.

    Supporting Types

    DenyPolicyRule, DenyPolicyRuleArgs

    DenyRule DenyPolicyRuleDenyRule

    A deny rule in an IAM deny policy. Structure is documented below.

    Description string

    The description of the rule.

    DenyRule DenyPolicyRuleDenyRule

    A deny rule in an IAM deny policy. Structure is documented below.

    Description string

    The description of the rule.

    denyRule DenyPolicyRuleDenyRule

    A deny rule in an IAM deny policy. Structure is documented below.

    description String

    The description of the rule.

    denyRule DenyPolicyRuleDenyRule

    A deny rule in an IAM deny policy. Structure is documented below.

    description string

    The description of the rule.

    deny_rule DenyPolicyRuleDenyRule

    A deny rule in an IAM deny policy. Structure is documented below.

    description str

    The description of the rule.

    denyRule Property Map

    A deny rule in an IAM deny policy. Structure is documented below.

    description String

    The description of the rule.

    DenyPolicyRuleDenyRule, DenyPolicyRuleDenyRuleArgs

    DenialCondition DenyPolicyRuleDenyRuleDenialCondition

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    DeniedPermissions List<string>

    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

    DeniedPrincipals List<string>

    The identities that are prevented from using one or more permissions on Google Cloud resources.

    ExceptionPermissions List<string>

    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.

    ExceptionPrincipals List<string>

    The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

    DenialCondition DenyPolicyRuleDenyRuleDenialCondition

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    DeniedPermissions []string

    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

    DeniedPrincipals []string

    The identities that are prevented from using one or more permissions on Google Cloud resources.

    ExceptionPermissions []string

    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.

    ExceptionPrincipals []string

    The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

    denialCondition DenyPolicyRuleDenyRuleDenialCondition

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    deniedPermissions List<String>

    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

    deniedPrincipals List<String>

    The identities that are prevented from using one or more permissions on Google Cloud resources.

    exceptionPermissions List<String>

    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.

    exceptionPrincipals List<String>

    The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

    denialCondition DenyPolicyRuleDenyRuleDenialCondition

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    deniedPermissions string[]

    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

    deniedPrincipals string[]

    The identities that are prevented from using one or more permissions on Google Cloud resources.

    exceptionPermissions string[]

    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.

    exceptionPrincipals string[]

    The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

    denial_condition DenyPolicyRuleDenyRuleDenialCondition

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    denied_permissions Sequence[str]

    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

    denied_principals Sequence[str]

    The identities that are prevented from using one or more permissions on Google Cloud resources.

    exception_permissions Sequence[str]

    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.

    exception_principals Sequence[str]

    The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

    denialCondition Property Map

    User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is documented below.

    deniedPermissions List<String>

    The permissions that are explicitly denied by this rule. Each permission uses the format {service-fqdn}/{resource}.{verb}, where {service-fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

    deniedPrincipals List<String>

    The identities that are prevented from using one or more permissions on Google Cloud resources.

    exceptionPermissions List<String>

    Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.

    exceptionPrincipals List<String>

    The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

    DenyPolicyRuleDenyRuleDenialCondition, DenyPolicyRuleDenyRuleDenialConditionArgs

    Expression string

    Textual representation of an expression in Common Expression Language syntax.

    Description string

    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    Location string

    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    Title string

    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    Expression string

    Textual representation of an expression in Common Expression Language syntax.

    Description string

    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    Location string

    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    Title string

    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    expression String

    Textual representation of an expression in Common Expression Language syntax.

    description String

    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    location String

    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title String

    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    expression string

    Textual representation of an expression in Common Expression Language syntax.

    description string

    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    location string

    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title string

    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    expression str

    Textual representation of an expression in Common Expression Language syntax.

    description str

    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    location str

    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title str

    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    expression String

    Textual representation of an expression in Common Expression Language syntax.

    description String

    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    location String

    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.


    title String

    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    Import

    DenyPolicy can be imported using any of these accepted formats:

     $ pulumi import gcp:iam/denyPolicy:DenyPolicy default {{parent}}/{{name}}
    

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the google-beta Terraform Provider.

    gcp logo
    Google Cloud Classic v6.66.0 published on Monday, Sep 18, 2023 by Pulumi