diff --git a/build/inspec b/build/inspec
index 9b939cb857d2..543613cd19c6 160000
--- a/build/inspec
+++ b/build/inspec
@@ -1 +1 @@
-Subproject commit 9b939cb857d26be8799800709ac8a12ee965c7a9
+Subproject commit 543613cd19c6507614f1decd0047c59a29d5a30a
diff --git a/build/terraform b/build/terraform
index e45c6a2dfa6e..0dac2fe2112b 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit e45c6a2dfa6ecb07747448c878483c8fb475eb6d
+Subproject commit 0dac2fe2112bc6a1ce204eb74b0a745f1c553884
diff --git a/build/terraform-beta b/build/terraform-beta
index ceba627b0106..f03a60f5654a 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit ceba627b0106480947e403758e128683d0a90815
+Subproject commit f03a60f5654a23f811a7232867a0c9876f3a25e6
diff --git a/third_party/terraform/tests/resource_kms_crypto_key_iam_test.go.erb b/third_party/terraform/tests/resource_kms_crypto_key_iam_test.go.erb
index 87465c57a2f9..e94d650a03a6 100644
--- a/third_party/terraform/tests/resource_kms_crypto_key_iam_test.go.erb
+++ b/third_party/terraform/tests/resource_kms_crypto_key_iam_test.go.erb
@@ -172,6 +172,80 @@ func TestAccKmsCryptoKeyIamMember_withCondition(t *testing.T) {
}
<% end -%>
+func TestAccKmsCryptoKeyIamPolicy(t *testing.T) {
+ t.Parallel()
+
+ orgId := getTestOrgFromEnv(t)
+ projectId := acctest.RandomWithPrefix("tf-test")
+ billingAccount := getTestBillingAccountFromEnv(t)
+ account := acctest.RandomWithPrefix("tf-test")
+ roleId := "roles/cloudkms.cryptoKeyEncrypter"
+ keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+ keyRingId := &kmsKeyRingId{
+ Project: projectId,
+ Location: DEFAULT_KMS_TEST_LOCATION,
+ Name: keyRingName,
+ }
+ cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccKmsCryptoKeyIamPolicy_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId),
+ Check: testAccCheckGoogleCryptoKmsKeyIam("foo", roleId, []string{
+ fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
+ }),
+ },
+ {
+ ResourceName: "google_kms_crypto_key_iam_policy.foo",
+ ImportStateId: fmt.Sprintf("%s/%s", keyRingId.terraformId(), cryptoKeyName),
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+<% unless version == 'ga' -%>
+func TestAccKmsCryptoKeyIamPolicy_withCondition(t *testing.T) {
+ t.Parallel()
+
+ orgId := getTestOrgFromEnv(t)
+ projectId := acctest.RandomWithPrefix("tf-test")
+ billingAccount := getTestBillingAccountFromEnv(t)
+ account := acctest.RandomWithPrefix("tf-test")
+ roleId := "roles/cloudkms.cryptoKeyEncrypter"
+ keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+ keyRingId := &kmsKeyRingId{
+ Project: projectId,
+ Location: DEFAULT_KMS_TEST_LOCATION,
+ Name: keyRingName,
+ }
+ cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+ conditionTitle := "expires_after_2019_12_31"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccKmsCryptoKeyIamPolicy_withCondition(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId, conditionTitle),
+ },
+ {
+ ResourceName: "google_kms_crypto_key_iam_policy.foo",
+ ImportStateId: fmt.Sprintf("%s/%s", keyRingId.terraformId(), cryptoKeyName),
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+<% end -%>
+
func testAccCheckGoogleKmsCryptoKeyIamBindingExists(bindingResourceName, roleId string, members []string) resource.TestCheckFunc {
return func(s *terraform.State) error {
bindingRs, ok := s.RootModule().Resources[fmt.Sprintf("google_kms_crypto_key_iam_binding.%s", bindingResourceName)]
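Review bot: The apply step of TestAccKmsCryptoKeyIamPolicy_withCondition has no `Check`, so nothing reads the policy back from the API to confirm that the role, member or condition landed on the key. The test would presumably still pass if the condition were silently dropped on write, as long as state and import agree with each other. At minimum reuse the check from the basic test, `Check: testAccCheckGoogleCryptoKmsKeyIam("foo", roleId, []string{fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId)}),`, and consider extending that helper to compare the binding's condition title against `conditionTitle`. For an authoritative IAM resource on a KMS key, the conditional path is the one most worth asserting server-side.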
@@ -243,6 +317,44 @@ func testAccCheckGoogleKmsCryptoKeyIamMemberExists(n, role, member string) resou
}
}
+func testAccCheckGoogleCryptoKmsKeyIam(n, role string, members []string) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ rs, ok := s.RootModule().Resources["google_kms_crypto_key_iam_policy."+n]
+ if !ok {
+ return fmt.Errorf("IAM policy resource not found")
+ }
+
+ config := testAccProvider.Meta().(*Config)
+ cryptoKeyId, err := parseKmsCryptoKeyId(rs.Primary.Attributes["crypto_key_id"], config)
+
+ if err != nil {
+ return err
+ }
+
+ p, err := config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(cryptoKeyId.cryptoKeyId()).Do()
+ if err != nil {
+ return err
+ }
+
+ for _, binding := range p.Bindings {
+ if binding.Role == role {
+ sort.Strings(members)
+ sort.Strings(binding.Members)
+
+ if reflect.DeepEqual(members, binding.Members) {
+ return nil
+ }
+
+ return fmt.Errorf("Binding found but expected members is %v, got %v", members, binding.Members)
+ } else {
+ return fmt.Errorf("Binding found but not expected for role: %v", binding.Role)
+ }
+ }
+
+ return fmt.Errorf("No binding for role %q", role)
+ }
+}
+
// We are using a custom role since iam_binding is authoritative on the member list and
// we want to avoid removing members from an existing role to prevent unwanted side effects.
func testAccKmsCryptoKeyIamBinding_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId string) string {
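Review bot: In testAccCheckGoogleCryptoKmsKeyIam the `else` branch returns an error on the first binding whose role differs, so the loop never looks past the first element and the outcome depends on the order in which the API returns bindings. If the intent is that the authoritative policy contains exactly the one expected binding, assert that directly and drop the loop, as sketched below; otherwise the non-matching case should `continue`. The helper also sorts the caller's `members` slice in place, which the sketch avoids by sorting a copy. The policy is fetched through `KeyRings.GetIamPolicy` with a crypto key id, which presumably works because the call is resource-path based, but `KeyRings.CryptoKeys.GetIamPolicy` would match the resource under test. A short doc comment stating that the helper expects a single-binding policy would help the next reader.

```go
// … unchanged: resource lookup, parseKmsCryptoKeyId, GetIamPolicy call …
if len(p.Bindings) != 1 {
	return fmt.Errorf("expected exactly one binding, got %d", len(p.Bindings))
}
binding := p.Bindings[0]
if binding.Role != role {
	return fmt.Errorf("Binding found but not expected for role: %v", binding.Role)
}
want := append([]string(nil), members...) // do not reorder the caller's slice
sort.Strings(want)
sort.Strings(binding.Members)
if !reflect.DeepEqual(want, binding.Members) {
	return fmt.Errorf("Binding found but expected members is %v, got %v", want, binding.Members)
}
return nil
```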
@@ -487,3 +599,110 @@ resource "google_kms_crypto_key_iam_member" "foo" {
`, projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId, conditionTitle)
}
<% end -%>
+
+func testAccKmsCryptoKeyIamPolicy_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId string) string {
+ return fmt.Sprintf(`
+resource "google_project" "test_project" {
+ name = "Test project"
+ project_id = "%s"
+ org_id = "%s"
+ billing_account = "%s"
+}
+
+resource "google_project_service" "kms" {
+ project = google_project.test_project.project_id
+ service = "cloudkms.googleapis.com"
+}
+
+resource "google_project_service" "iam" {
+ project = google_project_service.kms.project
+ service = "iam.googleapis.com"
+}
+
+resource "google_service_account" "test_account" {
+ project = google_project_service.iam.project
+ account_id = "%s"
+ display_name = "Kms Crypto Key Iam Testing Account"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+ project = google_project_service.iam.project
+ location = "us-central1"
+ name = "%s"
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+ key_ring = google_kms_key_ring.key_ring.id
+ name = "%s"
+}
+
+data "google_iam_policy" "foo" {
+ binding {
+ role = "%s"
+ members = ["serviceAccount:${google_service_account.test_account.email}"]
+ }
+}
+
+resource "google_kms_crypto_key_iam_policy" "foo" {
+ crypto_key_id = google_kms_crypto_key.crypto_key.id
+ policy_data = data.google_iam_policy.foo.policy_data
+}
+`, projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId)
+}
+
+<% unless version == 'ga' -%>
+func testAccKmsCryptoKeyIamPolicy_withCondition(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId, conditionTitle string) string {
+ return fmt.Sprintf(`
+resource "google_project" "test_project" {
+ name = "Test project"
+ project_id = "%s"
+ org_id = "%s"
+ billing_account = "%s"
+}
+
+resource "google_project_service" "kms" {
+ project = google_project.test_project.project_id
+ service = "cloudkms.googleapis.com"
+}
+
+resource "google_project_service" "iam" {
+ project = google_project_service.kms.project
+ service = "iam.googleapis.com"
+}
+
+resource "google_service_account" "test_account" {
+ project = google_project_service.iam.project
+ account_id = "%s"
+ display_name = "Kms Crypto Key Iam Testing Account"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+ project = google_project_service.iam.project
+ location = "us-central1"
+ name = "%s"
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+ key_ring = google_kms_key_ring.key_ring.id
+ name = "%s"
+}
+
+data "google_iam_policy" "foo" {
+ binding {
+ role = "%s"
+ members = ["serviceAccount:${google_service_account.test_account.email}"]
+ condition {
+ title = "%s"
+ description = "Expiring at midnight of 2019-12-31"
+ expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+ }
+ }
+}
+
+resource "google_kms_crypto_key_iam_policy" "foo" {
+ crypto_key_id = google_kms_crypto_key.crypto_key.id
+ policy_data = data.google_iam_policy.foo.policy_data
+}
+`, projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId, conditionTitle)
+}
+<% end -%>
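Review bot: Both new config templates hard-code `location = "us-central1"` for the key ring, while the tests in the first hunk of this file build the import ID from `DEFAULT_KMS_TEST_LOCATION`. The import step only targets the right key while that constant happens to equal the literal; its value is not visible here. Passing the location as a format argument, with `location = "%s"` in the template and `DEFAULT_KMS_TEST_LOCATION` supplied from the test, keeps the two in step. Separately, testAccKmsCryptoKeyIamPolicy_basic and testAccKmsCryptoKeyIamPolicy_withCondition differ only in the `condition` block, so a shared helper for the project, service, account and key resources would remove about forty duplicated lines. A one-line comment on the condition expression noting that `2020-01-01T00:00:00Z` is a fixed timestamp would tell readers the grant in this fixture is not meant to be time-valid.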
diff --git a/third_party/terraform/utils/provider.go.erb b/third_party/terraform/utils/provider.go.erb
index 1d4b5487be55..a602d1033909 100644
--- a/third_party/terraform/utils/provider.go.erb
+++ b/third_party/terraform/utils/provider.go.erb
@@ -352,6 +352,7 @@ end # products.each do
"google_kms_key_ring_iam_policy": ResourceIamPolicy(IamKmsKeyRingSchema, NewKmsKeyRingIamUpdater, KeyRingIdParseFunc),
"google_kms_crypto_key_iam_binding": ResourceIamBinding(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater, CryptoIdParseFunc),
"google_kms_crypto_key_iam_member": ResourceIamMember(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater, CryptoIdParseFunc),
+ "google_kms_crypto_key_iam_policy": ResourceIamPolicy(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater, CryptoIdParseFunc),
"google_service_networking_connection": resourceServiceNetworkingConnection(),
"google_spanner_instance_iam_binding": ResourceIamBinding(IamSpannerInstanceSchema, NewSpannerInstanceIamUpdater, SpannerInstanceIdParseFunc),
"google_spanner_instance_iam_member": ResourceIamMember(IamSpannerInstanceSchema, NewSpannerInstanceIamUpdater, SpannerInstanceIdParseFunc),
diff --git a/third_party/terraform/website-compiled/google.erb b/third_party/terraform/website-compiled/google.erb
index 154a695487cd..a0ad7abf2b5a 100644
--- a/third_party/terraform/website-compiled/google.erb
+++ b/third_party/terraform/website-compiled/google.erb
@@ -1003,11 +1003,14 @@
>
google_kms_crypto_key
- >
- google_kms_crypto_key_iam_binding
+ >
+ google_kms_crypto_key_iam_binding
- >
- google_kms_crypto_key_iam_member
+ >
+ google_kms_crypto_key_iam_member
+
+ >
+ google_kms_crypto_key_iam_policy
>
google_kms_key_ring
diff --git a/third_party/terraform/website/docs/r/google_kms_crypto_key_iam.html.markdown b/third_party/terraform/website/docs/r/google_kms_crypto_key_iam.html.markdown
new file mode 100644
index 000000000000..a5bf655a0cce
--- /dev/null
+++ b/third_party/terraform/website/docs/r/google_kms_crypto_key_iam.html.markdown
@@ -0,0 +1,198 @@
+---
+subcategory: "Cloud KMS"
+layout: "google"
+page_title: "Google: google_kms_crypto_key_iam"
+sidebar_current: "docs-google-kms-crypto-key-iam"
+description: |-
+ Collection of resources to manage IAM policy for a Google Cloud KMS crypto key.
+---
+
+# IAM policy for Google Cloud KMS crypto key
+
+Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:
+
+* `google_kms_crypto_key_iam_policy`: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
+* `google_kms_crypto_key_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
+* `google_kms_crypto_key_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.
+
+~> **Note:** `google_kms_crypto_key_iam_policy` **cannot** be used in conjunction with `google_kms_crypto_key_iam_binding` and `google_kms_crypto_key_iam_member` or they will fight over what your policy should be.
+
+~> **Note:** `google_kms_crypto_key_iam_binding` resources **can be** used in conjunction with `google_kms_crypto_key_iam_member` resources **only if** they do not grant privilege to the same role.
+
+# google\_kms\_crypto\_key\_iam\_policy
+
+```hcl
+resource "google_kms_key_ring" "keyring" {
+ name = "keyring-example"
+ location = "global"
+}
+resource "google_kms_crypto_key" "key" {
+ name = "crypto-key-example"
+ key_ring = google_kms_key_ring.keyring.id
+ rotation_period = "100000s"
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+data "google_iam_policy" "admin" {
+ binding {
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+
+ members = [
+ "user:jane@example.com",
+ ]
+ }
+}
+
+resource "google_kms_crypto_key_iam_policy" "crypto_key" {
+ crypto_key_id = google_kms_crypto_key.key.id
+ policy_data = data.google_iam_policy.admin.policy_data
+}
+```
+
+With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
+```hcl
+data "google_iam_policy" "admin" {
+ binding {
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+
+ members = [
+ "user:jane@example.com",
+ ]
+
+ condition {
+ title = "expires_after_2019_12_31"
+ description = "Expiring at midnight of 2019-12-31"
+ expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+ }
+ }
+}
+```
+
+# google\_kms\_crypto\_key\_iam\_binding
+
+```hcl
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+ crypto_key_id = google_kms_crypto_key.key.id
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+
+ members = [
+ "user:jane@example.com",
+ ]
+}
+```
+
+With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
+```hcl
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+ crypto_key_id = google_kms_crypto_key.key.id
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+
+ members = [
+ "user:jane@example.com",
+ ]
+
+ condition {
+ title = "expires_after_2019_12_31"
+ description = "Expiring at midnight of 2019-12-31"
+ expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+ }
+}
+```
+
+# google\_kms\_crypto\_key\_iam\_member
+
+```hcl
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+ crypto_key_id = google_kms_crypto_key.key.id
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "user:jane@example.com"
+}
+```
+
+With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
+```hcl
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+ crypto_key_id = google_kms_crypto_key.key.id
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "user:jane@example.com"
+
+ condition {
+ title = "expires_after_2019_12_31"
+ description = "Expiring at midnight of 2019-12-31"
+ expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+ }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `crypto_key_id` - (Required) The crypto key ID, in the form
+ `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or
+ `{location_name}/{key_ring_name}/{crypto_key_name}`. In the second form,
+ the provider's project setting will be used as a fallback.
+
+* `member/members` - (Required) Identities that will be granted the privilege in `role`.
+ Each entry can have one of the following values:
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, jane@example.com or joe@example.com.
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
+
+* `role` - (Required) The role that should be applied. Note that custom roles must be of the format
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
+
+* `policy_data` - (Required only by `google_kms_crypto_key_iam_policy`) The policy data generated by
+ a `google_iam_policy` data source.
+
+* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
+ Structure is documented below.
+
+---
+
+The `condition` block supports:
+
+* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.
+
+* `title` - (Required) A title for the expression, i.e. a short string describing its purpose.
+
+* `description` - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+
+~> **Warning:** Terraform considers the `role` and condition contents (`title`+`description`+`expression`) as the
+ identifier for the binding. This means that if any part of the condition is changed out-of-band, Terraform will
+ consider it to be an entirely different resource and will treat it as such.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are
+exported:
+
+* `etag` - (Computed) The etag of the project's IAM policy.
+
+## Import
+
+IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the `crypto_key_id`, role, and member identity e.g.
+
+```
+$ terraform import google_kms_crypto_key_iam_member.crypto_key "your-project-id/location-name/key-ring-name/key-name roles/viewer user:foo@example.com"
+```
+
+IAM binding imports use space-delimited identifiers; first the resource in question and then the role. These bindings can be imported using the `crypto_key_id` and role, e.g.
+
+```
+$ terraform import google_kms_crypto_key_iam_binding.crypto_key "your-project-id/location-name/key-ring-name/key-name roles/editor"
+```
+
+IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the `crypto_key_id`, e.g.
+
+```
+$ terraform import google_kms_crypto_key_iam_policy.crypto_key your-project-id/location-name/key-ring-name/key-name
+```
+
+-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
+as an argument so that Terraform uses the correct provider to import your resource.
\ No newline at end of file
diff --git a/third_party/terraform/website/docs/r/google_kms_crypto_key_iam_binding.html.markdown b/third_party/terraform/website/docs/r/google_kms_crypto_key_iam_binding.html.markdown
deleted file mode 100644
index 23b020300a94..000000000000
--- a/third_party/terraform/website/docs/r/google_kms_crypto_key_iam_binding.html.markdown
+++ /dev/null
@@ -1,128 +0,0 @@
----
-subcategory: "Cloud KMS"
-layout: "google"
-page_title: "Google: google_kms_crypto_key_iam_binding"
-sidebar_current: "docs-google-kms-crypto-key-iam-binding"
-description: |-
- Allows management of a single binding with an IAM policy for a Google Cloud KMS crypto key
----
-
-# google\_kms\_crypto\_key\_iam\_binding
-
-Allows creation and management of a single binding within IAM policy for
-an existing Google Cloud KMS crypto key.
-
-~> **Note:** On create, this resource will overwrite members of any existing roles.
- Use `terraform import` and inspect the `terraform plan` output to ensure
- your existing members are preserved.
-
-## Example Usage
-
-```hcl
-resource "google_kms_key_ring" "keyring" {
- name = "keyring-example"
- location = "global"
-}
-
-resource "google_kms_crypto_key" "key" {
- name = "crypto-key-example"
- key_ring = google_kms_key_ring.keyring.id
- rotation_period = "100000s"
-
- lifecycle {
- prevent_destroy = true
- }
-}
-
-resource "google_kms_crypto_key_iam_binding" "crypto_key" {
- crypto_key_id = "google_kms_crypto_key.key.id"
- role = "roles/cloudkms.cryptoKeyEncrypter"
-
- members = [
- "user:alice@gmail.com",
- ]
-}
-```
-
-With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
-```hcl
-resource "google_kms_key_ring" "keyring" {
- name = "keyring-example"
- location = "global"
-}
-
-resource "google_kms_crypto_key" "key" {
- name = "crypto-key-example"
- key_ring = google_kms_key_ring.keyring.id
- rotation_period = "100000s"
-
- lifecycle {
- prevent_destroy = true
- }
-}
-
-resource "google_kms_crypto_key_iam_binding" "crypto_key" {
- crypto_key_id = "google_kms_crypto_key.key.id"
- role = "roles/cloudkms.cryptoKeyEncrypter"
-
- members = [
- "user:alice@gmail.com",
- ]
-
- condition {
- title = "expires_after_2019_12_31"
- description = "Expiring at midnight of 2019-12-31"
- expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
- }
-}
-```
-
-## Argument Reference
-
-The following arguments are supported:
-
-* `members` - (Required) A list of users that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
-
-* `role` - (Required) The role that should be applied. Only one
- `google_kms_crypto_key_iam_binding` can be used per role. Note that custom roles must be of the format
- `[projects|organizations]/{parent-name}/roles/{role-name}`.
-
-* `crypto_key_id` - (Required) The crypto key ID, in the form
- `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or
- `{location_name}/{key_ring_name}/{crypto_key_name}`.
- In the second form, the provider's project setting will be used as a fallback.
-
-* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
- Structure is documented below.
-
----
-
-The `condition` block supports:
-
-* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.
-
-* `title` - (Required) A title for the expression, i.e. a short string describing its purpose.
-
-* `description` - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
-
-~> **Warning:** Terraform considers the `role` and condition contents (`title`+`description`+`expression`) as the
- identifier for the binding. This means that if any part of the condition is changed out-of-band, Terraform will
- consider it to be an entirely different resource and will treat it as such.
-
-## Attributes Reference
-
-In addition to the arguments listed above, the following computed attributes are
-exported:
-
-* `etag` - (Computed) The etag of the crypto key's IAM policy.
-
-## Import
-
-IAM binding imports use space-delimited identifiers; first the resource in question and then the role. These bindings can be imported using the `crypto_key_id` and role, e.g.
-
-```
-$ terraform import google_kms_crypto_key_iam_binding.crypto_key "my-gcp-project/us-central1/my-key-ring/my-crypto-key roles/editor"
-```
-
--> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
-as an argument so that Terraform uses the correct provider to import your resource.
diff --git a/third_party/terraform/website/docs/r/google_kms_crypto_key_iam_member.html.markdown b/third_party/terraform/website/docs/r/google_kms_crypto_key_iam_member.html.markdown
deleted file mode 100644
index 5c9b1fb0665f..000000000000
--- a/third_party/terraform/website/docs/r/google_kms_crypto_key_iam_member.html.markdown
+++ /dev/null
@@ -1,123 +0,0 @@
----
-subcategory: "Cloud KMS"
-layout: "google"
-page_title: "Google: google_kms_crypto_key_iam_member"
-sidebar_current: "docs-google-kms-crypto-key-iam-member"
-description: |-
- Allows management of a single member for a single binding on the IAM policy for a Google Cloud KMS crypto key.
----
-
-# google\_kms\_crypto\_key\_iam\_member
-
-Allows creation and management of a single member for a single binding within
-the IAM policy for an existing Google Cloud KMS crypto key.
-
-~> **Note:** This resource _must not_ be used in conjunction with
- `google_kms_crypto_key_iam_policy` or they will fight over what your policy
- should be. Similarly, roles controlled by `google_kms_crypto_key_iam_binding`
- should not be assigned to using `google_kms_crypto_key_iam_member`.
-
-## Example Usage
-
-```hcl
-resource "google_kms_key_ring" "keyring" {
- name = "keyring-example"
- location = "global"
-}
-
-resource "google_kms_crypto_key" "key" {
- name = "crypto-key-example"
- key_ring = google_kms_key_ring.keyring.id
- rotation_period = "100000s"
-
- lifecycle {
- prevent_destroy = true
- }
-}
-
-resource "google_kms_crypto_key_iam_member" "crypto_key" {
- crypto_key_id = "google_kms_crypto_key.key.id"
- role = "roles/cloudkms.cryptoKeyEncrypter"
- member = "user:alice@gmail.com"
-}
-```
-
-With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
-```hcl
-resource "google_kms_key_ring" "keyring" {
- name = "keyring-example"
- location = "global"
-}
-
-resource "google_kms_crypto_key" "key" {
- name = "crypto-key-example"
- key_ring = google_kms_key_ring.keyring.id
- rotation_period = "100000s"
-
- lifecycle {
- prevent_destroy = true
- }
-}
-
-resource "google_kms_crypto_key_iam_member" "crypto_key" {
- crypto_key_id = "google_kms_crypto_key.key.id"
- role = "roles/cloudkms.cryptoKeyEncrypter"
- member = "user:alice@gmail.com"
-
- condition {
- title = "expires_after_2019_12_31"
- description = "Expiring at midnight of 2019-12-31"
- expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
- }
-}
-```
-
-## Argument Reference
-
-The following arguments are supported:
-
-* `member` - (Required) The user that the role should apply to. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding
-
-* `role` - (Required) The role that should be applied. Note that custom roles must be of the format
- `[projects|organizations]/{parent-name}/roles/{role-name}`.
-
-* `crypto_key_id` - (Required) The key ring ID, in the form
- `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or
- `{location_name}/{key_ring_name}/{crypto_key_name}`. In the second form,
- the provider's project setting will be used as a fallback.
-
-* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
- Structure is documented below.
-
----
-
-The `condition` block supports:
-
-* `expression` - (Required) Textual representation of an expression in Common Expression Language syntax.
-
-* `title` - (Required) A title for the expression, i.e. a short string describing its purpose.
-
-* `description` - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
-
-~> **Warning:** Terraform considers the `role` and condition contents (`title`+`description`+`expression`) as the
- identifier for the binding. This means that if any part of the condition is changed out-of-band, Terraform will
- consider it to be an entirely different resource and will treat it as such.
-
-
-## Attributes Reference
-
-In addition to the arguments listed above, the following computed attributes are
-exported:
-
-* `etag` - (Computed) The etag of the project's IAM policy.
-
-## Import
-
-IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the `crypto_key_id`, role, and member identity e.g.
-
-```
-$ terraform import google_kms_crypto_key_iam_member.member "your-project-id/location-name/key-ring-name/key-name roles/viewer user:foo@example.com"
-```
-
--> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
-as an argument so that Terraform uses the correct provider to import your resource.
diff --git a/third_party/terraform/website/docs/r/google_kms_key_ring_iam.html.markdown b/third_party/terraform/website/docs/r/google_kms_key_ring_iam.html.markdown
index 030fa6b8a01c..bed407fc272e 100644
--- a/third_party/terraform/website/docs/r/google_kms_key_ring_iam.html.markdown
+++ b/third_party/terraform/website/docs/r/google_kms_key_ring_iam.html.markdown
@@ -194,7 +194,7 @@ IAM binding imports use space-delimited identifiers; the resource in question an
$ terraform import google_kms_key_ring_iam_binding.key_ring_iam "your-project-id/location-name/key-ring-name roles/viewer"
```
-IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the `key_ring_id`, role, and account e.g.
+IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the `key_ring_id`, e.g.
```
$ terraform import google_kms_key_ring_iam_policy.key_ring_iam your-project-id/location-name/key-ring-name