
    Represents an IAM v3 Access Policy parented by a Folder. This policy defines rules that allow or deny access to resources within the specified folder based on principals and conditions. See the Cloud IAM documentation for more details on Access Policies.

    Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

    To get more information about FolderAccessPolicy, see:

    Example Usage

    Access Policy Folder Minimal

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as time from "@pulumiverse/time";
    
    // Folder that parents the access policy. Deletion protection is switched off so the
    // whole example can be torn down with `pulumi destroy`; keep it on for real folders.
    const folder = new gcp.organizations.Folder("folder", {
        displayName: "ap-folder-",
        parent: "organizations/123456789",
        deletionProtection: false,
    });

    // Project under the folder that will own the service account. The explicit dependsOn
    // duplicates the implicit dependency already carried by `folder.folderId`.
    const project = new gcp.organizations.Project("project", {
        projectId: "ap-project-",
        name: "ap-project-",
        folderId: folder.folderId,
        billingAccount: "000000-0000000-0000000-000000",
        deletionPolicy: "DELETE",
    }, { dependsOn: [folder] });

    // Enable the IAM API in that project; disableOnDestroy: false presumably leaves the
    // API enabled when this stack is destroyed.
    const iamService = new gcp.projects.Service("iam_api", {
        project: project.projectId,
        service: "iam.googleapis.com",
        disableOnDestroy: false,
    }, { dependsOn: [project] });

    // Fixed 30s pause after folder creation and API enablement, before any principal or
    // policy is created (the name suggests this is for IAM propagation).
    const propagationDelay = new time.Sleep("wait_for_propagation", { createDuration: "30s" }, {
        dependsOn: [folder, iamService],
    });

    // The single principal the policy grants to.
    const testSa = new gcp.serviceaccount.Account("test_sa", {
        accountId: "svc-acc-",
        displayName: "Test Service Account for Access Policy",
        project: project.projectId,
    }, { dependsOn: [propagationDelay] });

    // IAM v3 principal identifier for the service account, derived from its email output.
    const testSaPrincipal = pulumi.interpolate`principal://iam.googleapis.com/projects/-/serviceAccounts/${testSa.email}`;

    // Folder-scoped access policy with one ALLOW rule: the service account above may
    // publish to Eventarc message buses on resources under the folder. Because a
    // folder-parented policy applies to everything in the folder, keep `principals` and
    // `permissions` to the minimum the workload needs.
    const example = new gcp.iam.FolderAccessPolicy("example", {
        folder: folder.folderId,
        location: "global",
        accessPolicyId: "my-folder-policy-",
        details: {
            rules: [{
                effect: "ALLOW",
                principals: [testSaPrincipal],
                operation: {
                    permissions: ["eventarc.googleapis.com/messageBuses.publish"],
                },
            }],
        },
    }, { dependsOn: [propagationDelay, testSa] });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumiverse_time as time
    
    # Folder that parents the access policy. Deletion protection is disabled so the
    # example can be destroyed cleanly; keep it enabled for real folders.
    folder = gcp.organizations.Folder(
        "folder",
        display_name="ap-folder-",
        parent="organizations/123456789",
        deletion_protection=False,
    )

    # Project under the folder that will own the service account.
    project = gcp.organizations.Project(
        "project",
        project_id="ap-project-",
        name="ap-project-",
        folder_id=folder.folder_id,
        billing_account="000000-0000000-0000000-000000",
        deletion_policy="DELETE",
        opts=pulumi.ResourceOptions(depends_on=[folder]),
    )

    # Enable the IAM API in that project (disable_on_destroy=False presumably leaves it
    # enabled when the stack is destroyed).
    iam_api = gcp.projects.Service(
        "iam_api",
        project=project.project_id,
        service="iam.googleapis.com",
        disable_on_destroy=False,
        opts=pulumi.ResourceOptions(depends_on=[project]),
    )

    # Fixed 30s pause after folder creation and API enablement before any principal
    # or policy is created.
    wait_for_propagation = time.Sleep(
        "wait_for_propagation",
        create_duration="30s",
        opts=pulumi.ResourceOptions(depends_on=[folder, iam_api]),
    )

    # The single principal the policy grants to.
    test_sa = gcp.serviceaccount.Account(
        "test_sa",
        account_id="svc-acc-",
        display_name="Test Service Account for Access Policy",
        project=project.project_id,
        opts=pulumi.ResourceOptions(depends_on=[wait_for_propagation]),
    )

    # IAM v3 principal identifier for the service account, built from its email output.
    test_sa_principal = pulumi.Output.concat(
        "principal://iam.googleapis.com/projects/-/serviceAccounts/", test_sa.email
    )

    # Folder-scoped access policy with one ALLOW rule: the service account may publish
    # to Eventarc message buses on resources under the folder. A folder-parented policy
    # applies to everything in the folder, so keep principals and permissions minimal.
    example = gcp.iam.FolderAccessPolicy(
        "example",
        folder=folder.folder_id,
        location="global",
        access_policy_id="my-folder-policy-",
        details={
            "rules": [{
                "effect": "ALLOW",
                "principals": [test_sa_principal],
                "operation": {
                    "permissions": ["eventarc.googleapis.com/messageBuses.publish"],
                },
            }],
        },
        opts=pulumi.ResourceOptions(depends_on=[wait_for_propagation, test_sa]),
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-time/sdk/go/time"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Folder that parents the access policy. Deletion protection is off so the
    		// example can be destroyed with the stack; keep it on for real folders.
    		folder, err := organizations.NewFolder(ctx, "folder", &organizations.FolderArgs{
    			DisplayName:        pulumi.String("ap-folder-"),
    			Parent:             pulumi.String("organizations/123456789"),
    			DeletionProtection: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		// Project under the folder that owns the service account.
    		project, err := organizations.NewProject(ctx, "project", &organizations.ProjectArgs{
    			ProjectId:      pulumi.String("ap-project-"),
    			Name:           pulumi.String("ap-project-"),
    			FolderId:       folder.FolderId,
    			BillingAccount: pulumi.String("000000-0000000-0000000-000000"),
    			DeletionPolicy: pulumi.String("DELETE"),
    		}, pulumi.DependsOn([]pulumi.Resource{folder}))
    		if err != nil {
    			return err
    		}
    		// Enable the IAM API in that project (DisableOnDestroy false presumably
    		// leaves it enabled when the stack is destroyed).
    		iamService, err := projects.NewService(ctx, "iam_api", &projects.ServiceArgs{
    			Project:          project.ProjectId,
    			Service:          pulumi.String("iam.googleapis.com"),
    			DisableOnDestroy: pulumi.Bool(false),
    		}, pulumi.DependsOn([]pulumi.Resource{project}))
    		if err != nil {
    			return err
    		}
    		// Fixed 30s pause after folder creation and API enablement before any
    		// principal or policy is created.
    		propagationDelay, err := time.NewSleep(ctx, "wait_for_propagation", &time.SleepArgs{
    			CreateDuration: pulumi.String("30s"),
    		}, pulumi.DependsOn([]pulumi.Resource{folder, iamService}))
    		if err != nil {
    			return err
    		}
    		// The single principal the policy grants to.
    		testSa, err := serviceaccount.NewAccount(ctx, "test_sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("svc-acc-"),
    			DisplayName: pulumi.String("Test Service Account for Access Policy"),
    			Project:     project.ProjectId,
    		}, pulumi.DependsOn([]pulumi.Resource{propagationDelay}))
    		if err != nil {
    			return err
    		}
    		// IAM v3 principal identifier for the service account, built from its email.
    		testSaPrincipal := testSa.Email.ApplyT(func(email string) (string, error) {
    			return fmt.Sprintf("principal://iam.googleapis.com/projects/-/serviceAccounts/%v", email), nil
    		}).(pulumi.StringOutput)
    		// Folder-scoped access policy with one ALLOW rule: the service account may
    		// publish to Eventarc message buses on resources under the folder. A
    		// folder-parented policy applies to everything in the folder, so keep
    		// Principals and Permissions to what the workload needs.
    		_, err = iam.NewFolderAccessPolicy(ctx, "example", &iam.FolderAccessPolicyArgs{
    			Folder:         folder.FolderId,
    			Location:       pulumi.String("global"),
    			AccessPolicyId: pulumi.String("my-folder-policy-"),
    			Details: &iam.FolderAccessPolicyDetailsArgs{
    				Rules: iam.FolderAccessPolicyDetailsRuleArray{
    					&iam.FolderAccessPolicyDetailsRuleArgs{
    						Effect:     pulumi.String("ALLOW"),
    						Principals: pulumi.StringArray{testSaPrincipal},
    						Operation: &iam.FolderAccessPolicyDetailsRuleOperationArgs{
    							Permissions: pulumi.StringArray{
    								pulumi.String("eventarc.googleapis.com/messageBuses.publish"),
    							},
    						},
    					},
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{propagationDelay, testSa}))
    		// err is nil on success, so returning it directly covers both outcomes.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Time = Pulumiverse.Time;
    
    return await Deployment.RunAsync(() =>
    {
        // Folder that parents the access policy. Deletion protection is off so the
        // example can be destroyed with the stack; keep it on for real folders.
        var folder = new Gcp.Organizations.Folder("folder", new()
        {
            DisplayName = "ap-folder-",
            Parent = "organizations/123456789",
            DeletionProtection = false,
        });

        // Project under the folder that owns the service account.
        var project = new Gcp.Organizations.Project("project", new()
        {
            ProjectId = "ap-project-",
            Name = "ap-project-",
            FolderId = folder.FolderId,
            BillingAccount = "000000-0000000-0000000-000000",
            DeletionPolicy = "DELETE",
        }, new CustomResourceOptions { DependsOn = { folder } });

        // Enable the IAM API in that project (DisableOnDestroy = false presumably
        // leaves it enabled when the stack is destroyed).
        var iamService = new Gcp.Projects.Service("iam_api", new()
        {
            Project = project.ProjectId,
            ServiceName = "iam.googleapis.com",
            DisableOnDestroy = false,
        }, new CustomResourceOptions { DependsOn = { project } });

        // Fixed 30s pause after folder creation and API enablement before any
        // principal or policy is created.
        var propagationDelay = new Time.Sleep("wait_for_propagation", new()
        {
            CreateDuration = "30s",
        }, new CustomResourceOptions { DependsOn = { folder, iamService } });

        // The single principal the policy grants to.
        var testSa = new Gcp.ServiceAccount.Account("test_sa", new()
        {
            AccountId = "svc-acc-",
            DisplayName = "Test Service Account for Access Policy",
            Project = project.ProjectId,
        }, new CustomResourceOptions { DependsOn = { propagationDelay } });

        // IAM v3 principal identifier for the service account, built from its email.
        var testSaPrincipal = testSa.Email.Apply(email =>
            $"principal://iam.googleapis.com/projects/-/serviceAccounts/{email}");

        // Folder-scoped access policy with one ALLOW rule: the service account may
        // publish to Eventarc message buses on resources under the folder. A
        // folder-parented policy applies to everything in the folder, so keep
        // Principals and Permissions to what the workload needs.
        var example = new Gcp.Iam.FolderAccessPolicy("example", new()
        {
            Folder = folder.FolderId,
            Location = "global",
            AccessPolicyId = "my-folder-policy-",
            Details = new Gcp.Iam.Inputs.FolderAccessPolicyDetailsArgs
            {
                Rules = new[]
                {
                    new Gcp.Iam.Inputs.FolderAccessPolicyDetailsRuleArgs
                    {
                        Effect = "ALLOW",
                        Principals = new[] { testSaPrincipal },
                        Operation = new Gcp.Iam.Inputs.FolderAccessPolicyDetailsRuleOperationArgs
                        {
                            Permissions = new[] { "eventarc.googleapis.com/messageBuses.publish" },
                        },
                    },
                },
            },
        }, new CustomResourceOptions { DependsOn = { propagationDelay, testSa } });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Folder;
    import com.pulumi.gcp.organizations.FolderArgs;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.projects.Service;
    import com.pulumi.gcp.projects.ServiceArgs;
    import com.pulumiverse.time.Sleep;
    import com.pulumiverse.time.SleepArgs;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.iam.FolderAccessPolicy;
    import com.pulumi.gcp.iam.FolderAccessPolicyArgs;
    import com.pulumi.gcp.iam.inputs.FolderAccessPolicyDetailsArgs;
    import com.pulumi.gcp.iam.inputs.FolderAccessPolicyDetailsRuleArgs;
    import com.pulumi.gcp.iam.inputs.FolderAccessPolicyDetailsRuleOperationArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the IAM v3 principal identifier for a service account from its email output.
         */
        private static Output<String> principalFor(Output<String> email) {
            return email.applyValue(e -> String.format("principal://iam.googleapis.com/projects/-/serviceAccounts/%s", e));
        }

        /**
         * Declares a throwaway folder and project, one service account, and a
         * folder-parented access policy granting that account a single permission.
         */
        public static void stack(Context ctx) {
            // Folder that parents the access policy. Deletion protection is off so the
            // example can be destroyed with the stack; keep it on for real folders.
            var folder = new Folder("folder", FolderArgs.builder()
                .displayName("ap-folder-")
                .parent("organizations/123456789")
                .deletionProtection(false)
                .build());

            // Project under the folder that owns the service account.
            var project = new Project("project", ProjectArgs.builder()
                .projectId("ap-project-")
                .name("ap-project-")
                .folderId(folder.folderId())
                .billingAccount("000000-0000000-0000000-000000")
                .deletionPolicy("DELETE")
                .build(),
                CustomResourceOptions.builder().dependsOn(folder).build());

            // Enable the IAM API in that project (disableOnDestroy(false) presumably
            // leaves it enabled when the stack is destroyed).
            var iamService = new Service("iamApi", ServiceArgs.builder()
                .project(project.projectId())
                .service("iam.googleapis.com")
                .disableOnDestroy(false)
                .build(),
                CustomResourceOptions.builder().dependsOn(project).build());

            // Fixed 30s pause after folder creation and API enablement before any
            // principal or policy is created.
            var propagationDelay = new Sleep("waitForPropagation", SleepArgs.builder()
                .createDuration("30s")
                .build(),
                CustomResourceOptions.builder().dependsOn(folder, iamService).build());

            // The single principal the policy grants to.
            var testSa = new Account("testSa", AccountArgs.builder()
                .accountId("svc-acc-")
                .displayName("Test Service Account for Access Policy")
                .project(project.projectId())
                .build(),
                CustomResourceOptions.builder().dependsOn(propagationDelay).build());

            // Folder-scoped access policy with one ALLOW rule: the service account may
            // publish to Eventarc message buses on resources under the folder. A
            // folder-parented policy applies to everything in the folder, so keep
            // principals and permissions to what the workload needs.
            var rule = FolderAccessPolicyDetailsRuleArgs.builder()
                .effect("ALLOW")
                .principals(principalFor(testSa.email()))
                .operation(FolderAccessPolicyDetailsRuleOperationArgs.builder()
                    .permissions("eventarc.googleapis.com/messageBuses.publish")
                    .build())
                .build();

            var example = new FolderAccessPolicy("example", FolderAccessPolicyArgs.builder()
                .folder(folder.folderId())
                .location("global")
                .accessPolicyId("my-folder-policy-")
                .details(FolderAccessPolicyDetailsArgs.builder().rules(rule).build())
                .build(),
                CustomResourceOptions.builder().dependsOn(propagationDelay, testSa).build());
        }
    }
    
    # Example stack: a throwaway folder and project, one service account, and a
    # folder-parented IAM v3 access policy granting that account a single permission.
    resources:
      # Folder that parents the access policy; deletionProtection is off so the example
      # can be destroyed with the stack (keep it on for real folders).
      folder:
        type: gcp:organizations:Folder
        properties:
          displayName: ap-folder-
          parent: organizations/123456789
          deletionProtection: false
      # Project under the folder that owns the service account.
      project:
        type: gcp:organizations:Project
        properties:
          projectId: ap-project-
          name: ap-project-
          folderId: ${folder.folderId}
          billingAccount: 000000-0000000-0000000-000000
          deletionPolicy: DELETE
        options:
          dependsOn:
            - ${folder}
      # Enable the IAM API in that project (disableOnDestroy: false presumably leaves
      # it enabled when the stack is destroyed).
      iamApi:
        type: gcp:projects:Service
        name: iam_api
        properties:
          project: ${project.projectId}
          service: iam.googleapis.com
          disableOnDestroy: false
        options:
          dependsOn:
            - ${project}
      # Fixed 30s pause after folder creation and API enablement before any principal
      # or policy is created.
      waitForPropagation:
        type: time:Sleep
        name: wait_for_propagation
        properties:
          createDuration: 30s
        options:
          dependsOn:
            - ${folder}
            - ${iamApi}
      # The single principal the policy grants to.
      testSa:
        type: gcp:serviceaccount:Account
        name: test_sa
        properties:
          accountId: svc-acc-
          displayName: Test Service Account for Access Policy
          project: ${project.projectId}
        options:
          dependsOn:
            - ${waitForPropagation}
      # Folder-scoped access policy with one ALLOW rule: the service account may publish
      # to Eventarc message buses on resources under the folder. A folder-parented policy
      # applies to everything in the folder, so keep principals and permissions minimal.
      example:
        type: gcp:iam:FolderAccessPolicy
        properties:
          folder: ${folder.folderId}
          location: global
          accessPolicyId: my-folder-policy-
          details:
            rules:
              - effect: ALLOW
                principals:
                  # IAM v3 principal identifier built from the service account email.
                  - principal://iam.googleapis.com/projects/-/serviceAccounts/${testSa.email}
                operation:
                  permissions:
                    - eventarc.googleapis.com/messageBuses.publish
        options:
          dependsOn:
            - ${waitForPropagation}
            - ${testSa}
    
    # Providers the example uses: the GCP provider and the time provider (for the sleep).
    pulumi {
      required_providers {
        gcp = {
          source = "pulumi/gcp"
        }
        time = {
          source = "pulumi/time"
        }
      }
    }
    
    # Folder that parents the access policy; deletion protection is off so the example
    # can be destroyed with the stack (keep it on for real folders).
    resource "gcp_organizations_folder" "folder" {
      display_name        = "ap-folder-"
      parent              = "organizations/123456789"
      deletion_protection = false
    }
    # Project under the folder that owns the service account.
    resource "gcp_organizations_project" "project" {
      depends_on      = [gcp_organizations_folder.folder]
      project_id      = "ap-project-"
      name            = "ap-project-"
      folder_id       = gcp_organizations_folder.folder.folder_id
      billing_account = "000000-0000000-0000000-000000"
      deletion_policy = "DELETE"
    }
    # Enable the IAM API in that project (disable_on_destroy = false presumably leaves
    # it enabled when the stack is destroyed).
    resource "gcp_projects_service" "iam_api" {
      depends_on         = [gcp_organizations_project.project]
      project            = gcp_organizations_project.project.project_id
      service            = "iam.googleapis.com"
      disable_on_destroy = false
    }
    # Fixed 30s pause after folder creation and API enablement before any principal
    # or policy is created.
    resource "time_sleep" "wait_for_propagation" {
      depends_on      = [gcp_organizations_folder.folder, gcp_projects_service.iam_api]
      create_duration = "30s"
    }
    # The single principal the policy grants to.
    resource "gcp_serviceaccount_account" "test_sa" {
      depends_on   = [time_sleep.wait_for_propagation]
      account_id   = "svc-acc-"
      display_name = "Test Service Account for Access Policy"
      project      = gcp_organizations_project.project.project_id
    }
    # Folder-scoped access policy with one ALLOW rule: the service account may publish
    # to Eventarc message buses on resources under the folder. A folder-parented policy
    # applies to everything in the folder, so keep principals and permissions minimal.
    resource "gcp_iam_folderaccesspolicy" "example" {
      depends_on       = [time_sleep.wait_for_propagation, gcp_serviceaccount_account.test_sa]
      folder           = gcp_organizations_folder.folder.folder_id
      location         = "global"
      access_policy_id = "my-folder-policy-"
      details = {
        rules = [{
          "effect"     = "ALLOW"
          # IAM v3 principal identifier built from the service account email.
          "principals" = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${gcp_serviceaccount_account.test_sa.email}"]
          "operation" = {
            "permissions" = ["eventarc.googleapis.com/messageBuses.publish"]
          }
        }]
      }
    }
    

    Create FolderAccessPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new FolderAccessPolicy(name: string, args: FolderAccessPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def FolderAccessPolicy(resource_name: str,
                           args: FolderAccessPolicyArgs,
                           opts: Optional[ResourceOptions] = None)
    
    @overload
    def FolderAccessPolicy(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           access_policy_id: Optional[str] = None,
                           folder: Optional[str] = None,
                           location: Optional[str] = None,
                           annotations: Optional[Mapping[str, str]] = None,
                           deletion_policy: Optional[str] = None,
                           details: Optional[FolderAccessPolicyDetailsArgs] = None,
                           display_name: Optional[str] = None)
    func NewFolderAccessPolicy(ctx *Context, name string, args FolderAccessPolicyArgs, opts ...ResourceOption) (*FolderAccessPolicy, error)
    public FolderAccessPolicy(string name, FolderAccessPolicyArgs args, CustomResourceOptions? opts = null)
    public FolderAccessPolicy(String name, FolderAccessPolicyArgs args)
    public FolderAccessPolicy(String name, FolderAccessPolicyArgs args, CustomResourceOptions options)
    
    type: gcp:iam:FolderAccessPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    resource "gcp_iam_folderaccesspolicy" "name" {
        # resource properties
    }

    Parameters

    name string
    The unique name of the resource.
    args FolderAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args FolderAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args FolderAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args FolderAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args FolderAccessPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    var folderAccessPolicyResource = new Gcp.Iam.FolderAccessPolicy("folderAccessPolicyResource", new()
    {
        // Final component of the policy's resource name; must be unique among policies
        // with the same parent (see the Inputs section for the allowed character set).
        AccessPolicyId = "string",
        // Resource-ID segments of the policy's resource name (AIP-122).
        Folder = "string",
        Location = "string",
        // Non-authoritative: only annotations present in this configuration are managed.
        Annotations = 
        {
            { "string", "string" },
        },
        // One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
        DeletionPolicy = "string",
        // Access policy details: the rules that allow or deny access.
        Details = new Gcp.Iam.Inputs.FolderAccessPolicyDetailsArgs
        {
            Rules = new[]
            {
                new Gcp.Iam.Inputs.FolderAccessPolicyDetailsRuleArgs
                {
                    Effect = "string",
                    Operation = new Gcp.Iam.Inputs.FolderAccessPolicyDetailsRuleOperationArgs
                    {
                        Permissions = new[]
                        {
                            "string",
                        },
                        ExcludedPermissions = new[]
                        {
                            "string",
                        },
                    },
                    Principals = new[]
                    {
                        "string",
                    },
                    Conditions = new[]
                    {
                        new Gcp.Iam.Inputs.FolderAccessPolicyDetailsRuleConditionArgs
                        {
                            Service = "string",
                            Expression = "string",
                        },
                    },
                    Description = "string",
                    ExcludedPrincipals = new[]
                    {
                        "string",
                    },
                },
            },
        },
        // Human-readable description of the policy; at most 63 characters.
        DisplayName = "string",
    });
    
    // Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    example, err := iam.NewFolderAccessPolicy(ctx, "folderAccessPolicyResource", &iam.FolderAccessPolicyArgs{
    	// Final component of the policy's resource name; must be unique among policies
    	// with the same parent (see the Inputs section for the allowed character set).
    	AccessPolicyId: pulumi.String("string"),
    	// Resource-ID segments of the policy's resource name (AIP-122).
    	Folder:         pulumi.String("string"),
    	Location:       pulumi.String("string"),
    	// Non-authoritative: only annotations present in this configuration are managed.
    	Annotations: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	// One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
    	DeletionPolicy: pulumi.String("string"),
    	// Access policy details: the rules that allow or deny access.
    	Details: &iam.FolderAccessPolicyDetailsArgs{
    		Rules: iam.FolderAccessPolicyDetailsRuleArray{
    			&iam.FolderAccessPolicyDetailsRuleArgs{
    				Effect: pulumi.String("string"),
    				Operation: &iam.FolderAccessPolicyDetailsRuleOperationArgs{
    					Permissions: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    					ExcludedPermissions: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    				Principals: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				Conditions: iam.FolderAccessPolicyDetailsRuleConditionArray{
    					&iam.FolderAccessPolicyDetailsRuleConditionArgs{
    						Service:    pulumi.String("string"),
    						Expression: pulumi.String("string"),
    					},
    				},
    				Description: pulumi.String("string"),
    				ExcludedPrincipals: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    	},
    	// Human-readable description of the policy; at most 63 characters.
    	DisplayName: pulumi.String("string"),
    })
    
    # Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    resource "gcp_iam_folderaccesspolicy" "folderAccessPolicyResource" {
      # Final component of the policy's resource name; must be unique among policies
      # with the same parent (see the Inputs section for the allowed character set).
      access_policy_id = "string"
      # Resource-ID segments of the policy's resource name (AIP-122).
      folder           = "string"
      location         = "string"
      # Non-authoritative: only annotations present in this configuration are managed.
      annotations = {
        "string" = "string"
      }
      # One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
      deletion_policy = "string"
      # Access policy details: the rules that allow or deny access.
      details = {
        rules = [{
          "effect" = "string"
          "operation" = {
            "permissions"         = ["string"]
            "excludedPermissions" = ["string"]
          }
          "principals" = ["string"]
          "conditions" = [{
            "service"    = "string"
            "expression" = "string"
          }]
          "description"        = "string"
          "excludedPrincipals" = ["string"]
        }]
      }
      # Human-readable description of the policy; at most 63 characters.
      display_name = "string"
    }
    
    // Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    var folderAccessPolicyResource = new FolderAccessPolicy("folderAccessPolicyResource", FolderAccessPolicyArgs.builder()
        // Final component of the policy's resource name; must be unique among policies
        // with the same parent (see the Inputs section for the allowed character set).
        .accessPolicyId("string")
        // Resource-ID segments of the policy's resource name (AIP-122).
        .folder("string")
        .location("string")
        // Non-authoritative: only annotations present in this configuration are managed.
        .annotations(Map.of("string", "string"))
        // One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
        .deletionPolicy("string")
        // Access policy details: the rules that allow or deny access.
        .details(FolderAccessPolicyDetailsArgs.builder()
            .rules(FolderAccessPolicyDetailsRuleArgs.builder()
                .effect("string")
                .operation(FolderAccessPolicyDetailsRuleOperationArgs.builder()
                    .permissions("string")
                    .excludedPermissions("string")
                    .build())
                .principals("string")
                .conditions(FolderAccessPolicyDetailsRuleConditionArgs.builder()
                    .service("string")
                    .expression("string")
                    .build())
                .description("string")
                .excludedPrincipals("string")
                .build())
            .build())
        // Human-readable description of the policy; at most 63 characters.
        .displayName("string")
        .build());
    
    # Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    folder_access_policy_resource = gcp.iam.FolderAccessPolicy("folderAccessPolicyResource",
        # Final component of the policy's resource name; must be unique among policies
        # with the same parent (see the Inputs section for the allowed character set).
        access_policy_id="string",
        # Resource-ID segments of the policy's resource name (AIP-122).
        folder="string",
        location="string",
        # Non-authoritative: only annotations present in this configuration are managed.
        annotations={
            "string": "string",
        },
        # One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
        deletion_policy="string",
        # Access policy details: the rules that allow or deny access.
        details={
            "rules": [{
                "effect": "string",
                "operation": {
                    "permissions": ["string"],
                    "excluded_permissions": ["string"],
                },
                "principals": ["string"],
                "conditions": [{
                    "service": "string",
                    "expression": "string",
                }],
                "description": "string",
                "excluded_principals": ["string"],
            }],
        },
        # Human-readable description of the policy; at most 63 characters.
        display_name="string")
    
    // Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    const folderAccessPolicyResource = new gcp.iam.FolderAccessPolicy("folderAccessPolicyResource", {
        // Final component of the policy's resource name; must be unique among policies
        // with the same parent (see the Inputs section for the allowed character set).
        accessPolicyId: "string",
        // Resource-ID segments of the policy's resource name (AIP-122).
        folder: "string",
        location: "string",
        // Non-authoritative: only annotations present in this configuration are managed.
        annotations: {
            string: "string",
        },
        // One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
        deletionPolicy: "string",
        // Access policy details: the rules that allow or deny access.
        details: {
            rules: [{
                effect: "string",
                operation: {
                    permissions: ["string"],
                    excludedPermissions: ["string"],
                },
                principals: ["string"],
                conditions: [{
                    service: "string",
                    expression: "string",
                }],
                description: "string",
                excludedPrincipals: ["string"],
            }],
        },
        // Human-readable description of the policy; at most 63 characters.
        displayName: "string",
    });
    
    # Reference skeleton: every input property of FolderAccessPolicy with a placeholder value.
    type: gcp:iam:FolderAccessPolicy
    properties:
        # Final component of the policy's resource name; must be unique among policies
        # with the same parent (see the Inputs section for the allowed character set).
        accessPolicyId: string
        # Non-authoritative: only annotations present in this configuration are managed.
        annotations:
            string: string
        # One of DELETE (default), PREVENT, or ABANDON — see the Inputs section.
        deletionPolicy: string
        # Access policy details: the rules that allow or deny access.
        details:
            rules:
                - conditions:
                    - expression: string
                      service: string
                  description: string
                  effect: string
                  excludedPrincipals:
                    - string
                  operation:
                    excludedPermissions:
                        - string
                    permissions:
                        - string
                  principals:
                    - string
        # Human-readable description of the policy; at most 63 characters.
        displayName: string
        # Resource-ID segments of the policy's resource name (AIP-122).
        folder: string
        location: string
    

    FolderAccessPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The FolderAccessPolicy resource accepts the following input properties:

    AccessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    Folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Annotations Dictionary<string, string>
    User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effectiveAnnotations for all of the annotations present on the resource.
    DeletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    Details FolderAccessPolicyDetails
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    AccessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    Folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Annotations map[string]string
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    DeletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    Details FolderAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    access_policy_id string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations map(string)
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletion_policy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details object
    Access policy details. Structure is documented below.
    display_name string
    The description of the access policy. Must be less than or equal to 63 characters.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    folder String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations Map<String,String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details FolderAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    accessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations {[key: string]: string}
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details FolderAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    access_policy_id str
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    folder str
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location str
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations Mapping[str, str]
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletion_policy str
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details FolderAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    display_name str
    The description of the access policy. Must be less than or equal to 63 characters.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    folder String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    annotations Map<String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details Property Map
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the FolderAccessPolicy resource produces the following output properties:

    CreateTime string
    The time when the access policy was created.
    EffectiveAnnotations Dictionary<string, string>
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    CreateTime string
    The time when the access policy was created.
    EffectiveAnnotations map[string]string
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    create_time string
    The time when the access policy was created.
    effective_annotations map(string)
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid string
    The globally unique ID of the access policy.
    update_time string
    The time when the access policy was most recently updated.
    createTime String
    The time when the access policy was created.
    effectiveAnnotations Map<String,String>
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.
    createTime string
    The time when the access policy was created.
    effectiveAnnotations {[key: string]: string}
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid string
    The globally unique ID of the access policy.
    updateTime string
    The time when the access policy was most recently updated.
    create_time str
    The time when the access policy was created.
    effective_annotations Mapping[str, str]
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag str
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid str
    The globally unique ID of the access policy.
    update_time str
    The time when the access policy was most recently updated.
    createTime String
    The time when the access policy was created.
    effectiveAnnotations Map<String>
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.

    Look up Existing FolderAccessPolicy Resource

    Get an existing FolderAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: FolderAccessPolicyState, opts?: CustomResourceOptions): FolderAccessPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_policy_id: Optional[str] = None,
            annotations: Optional[Mapping[str, str]] = None,
            create_time: Optional[str] = None,
            deletion_policy: Optional[str] = None,
            details: Optional[FolderAccessPolicyDetailsArgs] = None,
            display_name: Optional[str] = None,
            effective_annotations: Optional[Mapping[str, str]] = None,
            etag: Optional[str] = None,
            folder: Optional[str] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            uid: Optional[str] = None,
            update_time: Optional[str] = None) -> FolderAccessPolicy
    func GetFolderAccessPolicy(ctx *Context, name string, id IDInput, state *FolderAccessPolicyState, opts ...ResourceOption) (*FolderAccessPolicy, error)
    public static FolderAccessPolicy Get(string name, Input<string> id, FolderAccessPolicyState? state, CustomResourceOptions? opts = null)
    public static FolderAccessPolicy get(String name, Output<String> id, FolderAccessPolicyState state, CustomResourceOptions options)
    resources:  _:    type: gcp:iam:FolderAccessPolicy    get:      id: ${id}
    import {
      to = gcp_iam_folderaccesspolicy.example
      id = "${id}"
    }
    
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    Annotations Dictionary<string, string>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    CreateTime string
    The time when the access policy was created.
    DeletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    Details FolderAccessPolicyDetails
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    EffectiveAnnotations Dictionary<string, string>
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    AccessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    Annotations map[string]string
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    CreateTime string
    The time when the access policy was created.
    DeletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    Details FolderAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    DisplayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    EffectiveAnnotations map[string]string
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    Etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    Folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    Name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    Uid string
    The globally unique ID of the access policy.
    UpdateTime string
    The time when the access policy was most recently updated.
    access_policy_id string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations map(string)
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    create_time string
    The time when the access policy was created.
    deletion_policy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details object
    Access policy details. Structure is documented below.
    display_name string
    The description of the access policy. Must be less than or equal to 63 characters.
    effective_annotations map(string)
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid string
    The globally unique ID of the access policy.
    update_time string
    The time when the access policy was most recently updated.
    accessPolicyId String
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations Map<String,String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    createTime String
    The time when the access policy was created.
    deletionPolicy String
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details FolderAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    effectiveAnnotations Map<String,String>
    All annotations (key/value pairs) present on the resource in GCP, including those configured through Terraform, other clients, and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    folder String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.
    accessPolicyId string
    The ID to use for the access policy, which will become the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern: /a-z{2,62}/. This value must be unique among all access policies with the same parent.
    annotations {[key: string]: string}
    User-defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations. Note: This field is non-authoritative and will only manage the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    createTime string
    The time when the access policy was created.
    deletionPolicy string
    Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command will fail if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command will remove the resource from Terraform management without updating or deleting the resource in the API. When set to "DELETE", deleting the resource is allowed.
    details FolderAccessPolicyDetails
    Access policy details. Structure is documented below.
    displayName string
    The description of the access policy. Must be less than or equal to 63 characters.
    effectiveAnnotations {[key: string]: string}
    All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag string
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    folder string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location string
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name string
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid string
    The globally unique ID of the access policy.
    updateTime string
    The time when the access policy was most recently updated.
    access_policy_id str
    The ID to use for the access policy; it becomes the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots (pattern: /a-z{2,62}/). This value must be unique among all access policies with the same parent.
    annotations Mapping[str, str]
    User-defined annotations. See https://google.aip.dev/148#annotations for more details, such as format and size limitations. Note: This field is non-authoritative and only manages the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    create_time str
    The time when the access policy was created.
    deletion_policy str
    Whether Terraform is prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command fails if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command removes the resource from Terraform management without updating or deleting the resource in the API, so the access policy stays in effect. When set to "DELETE", deleting the resource is allowed.
    details FolderAccessPolicyDetailsArgs
    Access policy details. Structure is documented below.
    display_name str
    The description of the access policy. Must be less than or equal to 63 characters.
    effective_annotations Mapping[str, str]
    All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag str
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    folder str
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location str
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name str
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid str
    The globally unique ID of the access policy.
    update_time str
    The time when the access policy was most recently updated.
    accessPolicyId String
    The ID to use for the access policy; it becomes the final component of the access policy's resource name. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots (pattern: /a-z{2,62}/). This value must be unique among all access policies with the same parent.
    annotations Map<String>
    User-defined annotations. See https://google.aip.dev/148#annotations for more details, such as format and size limitations. Note: This field is non-authoritative and only manages the annotations present in your configuration. Refer to the field effectiveAnnotations for all of the annotations present on the resource.
    createTime String
    The time when the access policy was created.
    deletionPolicy String
    Whether Terraform is prevented from destroying the resource. Defaults to DELETE. When a 'terraform destroy' or 'pulumi up' would delete the resource, the command fails if this field is set to "PREVENT" in Terraform state. When set to "ABANDON", the command removes the resource from Terraform management without updating or deleting the resource in the API, so the access policy stays in effect. When set to "DELETE", deleting the resource is allowed.
    details Property Map
    Access policy details. Structure is documented below.
    displayName String
    The description of the access policy. Must be less than or equal to 63 characters.
    effectiveAnnotations Map<String>
    All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
    etag String
    The etag for the access policy. If this is provided on update, it must match the server's etag.
    folder String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    location String
    Resource ID segment making up resource name. It identifies the resource within its parent collection as described in https://google.aip.dev/122.
    name String
    Identifier. The resource name of the access policy. The following formats are supported:

    • projects/{project_id}/locations/{location}/accessPolicies/{policy_id}
    • projects/{project_number}/locations/{location}/accessPolicies/{policy_id}
    • folders/{folder_id}/locations/{location}/accessPolicies/{policy_id}
    • organizations/{organization_id}/locations/{location}/accessPolicies/{policy_id}
    uid String
    The globally unique ID of the access policy.
    updateTime String
    The time when the access policy was most recently updated.

    Supporting Types

    FolderAccessPolicyDetails, FolderAccessPolicyDetailsArgs

    Rules List<FolderAccessPolicyDetailsRule>
    A list of access policy rules. Structure is documented below.
    Rules []FolderAccessPolicyDetailsRule
    A list of access policy rules. Structure is documented below.
    rules list(object)
    A list of access policy rules. Structure is documented below.
    rules List<FolderAccessPolicyDetailsRule>
    A list of access policy rules. Structure is documented below.
    rules FolderAccessPolicyDetailsRule[]
    A list of access policy rules. Structure is documented below.
    rules Sequence[FolderAccessPolicyDetailsRule]
    A list of access policy rules. Structure is documented below.
    rules List<Property Map>
    A list of access policy rules. Structure is documented below.

    FolderAccessPolicyDetailsRule, FolderAccessPolicyDetailsRuleArgs

    Effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    Operation FolderAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    Principals List<string>
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    Conditions List<FolderAccessPolicyDetailsRuleCondition>

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    Description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    ExcludedPrincipals List<string>
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    Effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    Operation FolderAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    Principals []string
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    Conditions []FolderAccessPolicyDetailsRuleCondition

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    Description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    ExcludedPrincipals []string
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation object
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals list(string)
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions list(object)

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excluded_principals list(string)
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect String
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation FolderAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals List<String>
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions List<FolderAccessPolicyDetailsRuleCondition>

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description String
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excludedPrincipals List<String>
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect string
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation FolderAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals string[]
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions FolderAccessPolicyDetailsRuleCondition[]

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description string
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excludedPrincipals string[]
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect str
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation FolderAccessPolicyDetailsRuleOperation
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals Sequence[str]
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions Sequence[FolderAccessPolicyDetailsRuleCondition]

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description str
    Customer specified description of the rule. Must be less than or equal to 256 characters.
    excluded_principals Sequence[str]
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
    effect String
    The effect of the rule. Possible values are: DENY, ALLOW.
    operation Property Map
    Attributes that are used to determine whether this rule applies to a request. Structure is documented below.
    principals List<String>
    The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35. If an identifier that was previously set on a policy is soft-deleted, calls to read that policy return the identifier with a deleted: prefix. Users cannot set identifiers with this syntax.
    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    conditions List<Property Map>

    The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": {
    "iam.googleapis.com": {
    "expression":
    }
    }
    

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.
    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported. Structure is documented below.
    description String
    Customer-specified description of the rule. Must be less than or equal to 256 characters.
    excludedPrincipals List<String>
    The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

    FolderAccessPolicyDetailsRuleCondition, FolderAccessPolicyDetailsRuleConditionArgs

    Service string
    The identifier for this object. Format specified above.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Service string
    The identifier for this object. Format specified above.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    service string
    The identifier for this object. Format specified above.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    service String
    The identifier for this object. Format specified above.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    service string
    The identifier for this object. Format specified above.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    service str
    The identifier for this object. Format specified above.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    service String
    The identifier for this object. Format specified above.
    expression String
    Textual representation of an expression in Common Expression Language syntax.

    FolderAccessPolicyDetailsRuleOperation, FolderAccessPolicyDetailsRuleOperationArgs

    Permissions List<string>
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    ExcludedPermissions List<string>
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    Permissions []string
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    ExcludedPermissions []string
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions list(string)
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excluded_permissions list(string)
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions List<String>
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excludedPermissions List<String>
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions string[]
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excludedPermissions string[]
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions Sequence[str]
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excluded_permissions Sequence[str]
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.
    permissions List<String>
    The permissions that are explicitly affected by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. Currently supported permissions are as follows:

    • eventarc.googleapis.com/messageBuses.publish.
    excludedPermissions List<String>
    Specifies the permissions that this rule excludes from the set of affected permissions given by permissions. If a permission appears in permissions and in excludedPermissions then it will not be subject to the policy effect. The excluded permissions can be specified using the same syntax as permissions.

    Import

    FolderAccessPolicy can be imported using any of these accepted formats:

    • folders/{{folder}}/locations/{{location}}/accessPolicies/{{access_policy_id}}
    • {{folder}}/{{location}}/{{access_policy_id}}

    When using the pulumi import command, FolderAccessPolicy can be imported using one of the formats above. For example:

    $ pulumi import gcp:iam/folderAccessPolicy:FolderAccessPolicy default folders/{{folder}}/locations/{{location}}/accessPolicies/{{access_policy_id}}
    $ pulumi import gcp:iam/folderAccessPolicy:FolderAccessPolicy default {{folder}}/{{location}}/{{access_policy_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.