import * as pulumi from "@pulumi/pulumi"; /** * Three different resources help you manage your IAM policy for Security Command Center (SCC) v2 API OrganizationSource. Each of these resources serves a different use case: * * * `gcp.securitycenter.V2OrganizationSourceIamPolicy`: Authoritative. Sets the IAM policy for the organizationsource and replaces any existing policy already attached. * * `gcp.securitycenter.V2OrganizationSourceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the organizationsource are preserved. * * `gcp.securitycenter.V2OrganizationSourceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the organizationsource are preserved. * * A data source can be used to retrieve policy data in advent you do not need creation * * * `gcp.securitycenter.V2OrganizationSourceIamPolicy`: Retrieves the IAM policy for the organizationsource * * > **Note:** `gcp.securitycenter.V2OrganizationSourceIamPolicy` **cannot** be used in conjunction with `gcp.securitycenter.V2OrganizationSourceIamBinding` and `gcp.securitycenter.V2OrganizationSourceIamMember` or they will fight over what your policy should be. * * > **Note:** `gcp.securitycenter.V2OrganizationSourceIamBinding` resources **can be** used in conjunction with `gcp.securitycenter.V2OrganizationSourceIamMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.securitycenter.V2OrganizationSourceIamPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/viewer", * members: ["user:jane@example.com"], * }], * }); * const policy = new gcp.securitycenter.V2OrganizationSourceIamPolicy("policy", { * source: customSource.name, * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.securitycenter.V2OrganizationSourceIamBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const binding = new gcp.securitycenter.V2OrganizationSourceIamBinding("binding", { * source: customSource.name, * role: "roles/viewer", * members: ["user:jane@example.com"], * }); * ``` * * ## gcp.securitycenter.V2OrganizationSourceIamMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const member = new gcp.securitycenter.V2OrganizationSourceIamMember("member", { * source: customSource.name, * role: "roles/viewer", * member: "user:jane@example.com", * }); * ``` * * ## > **Custom Roles** If you're importing a IAM resource with a custom role, make sure to use the * * full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. * --- * * # IAM policy for Security Command Center (SCC) v2 API OrganizationSource * Three different resources help you manage your IAM policy for Security Command Center (SCC) v2 API OrganizationSource. Each of these resources serves a different use case: * * * `gcp.securitycenter.V2OrganizationSourceIamPolicy`: Authoritative. Sets the IAM policy for the organizationsource and replaces any existing policy already attached. * * `gcp.securitycenter.V2OrganizationSourceIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the organizationsource are preserved. * * `gcp.securitycenter.V2OrganizationSourceIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the organizationsource are preserved. * * A data source can be used to retrieve policy data in advent you do not need creation * * * `gcp.securitycenter.V2OrganizationSourceIamPolicy`: Retrieves the IAM policy for the organizationsource * * > **Note:** `gcp.securitycenter.V2OrganizationSourceIamPolicy` **cannot** be used in conjunction with `gcp.securitycenter.V2OrganizationSourceIamBinding` and `gcp.securitycenter.V2OrganizationSourceIamMember` or they will fight over what your policy should be. * * > **Note:** `gcp.securitycenter.V2OrganizationSourceIamBinding` resources **can be** used in conjunction with `gcp.securitycenter.V2OrganizationSourceIamMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.securitycenter.V2OrganizationSourceIamPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/viewer", * members: ["user:jane@example.com"], * }], * }); * const policy = new gcp.securitycenter.V2OrganizationSourceIamPolicy("policy", { * source: customSource.name, * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.securitycenter.V2OrganizationSourceIamBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const binding = new gcp.securitycenter.V2OrganizationSourceIamBinding("binding", { * source: customSource.name, * role: "roles/viewer", * members: ["user:jane@example.com"], * }); * ``` * * ## gcp.securitycenter.V2OrganizationSourceIamMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const member = new gcp.securitycenter.V2OrganizationSourceIamMember("member", { * source: customSource.name, * role: "roles/viewer", * member: "user:jane@example.com", * }); * ``` * * ## Import * * For all import syntaxes, the "resource in question" can take any of the following forms: * * * organizations/{{organization}}/sources/{{source}} * * * {{organization}}/{{source}} * * * {{source}} * * Any variables not passed in the import command will be taken from the provider configuration. * * Security Command Center (SCC) v2 API organizationsource IAM resources can be imported using the resource identifiers, role, and member. * * IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g. * * ```sh * $ pulumi import gcp:securitycenter/v2OrganizationSourceIamPolicy:V2OrganizationSourceIamPolicy editor "organizations/{{organization}}/sources/{{source}} roles/viewer user:jane@example.com" * ``` * * IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g. * * ```sh * $ pulumi import gcp:securitycenter/v2OrganizationSourceIamPolicy:V2OrganizationSourceIamPolicy editor "organizations/{{organization}}/sources/{{source}} roles/viewer" * ``` * * IAM policy imports use the identifier of the resource in question, e.g. * * ```sh * $ pulumi import gcp:securitycenter/v2OrganizationSourceIamPolicy:V2OrganizationSourceIamPolicy editor organizations/{{organization}}/sources/{{source}} * ``` * * -> **Custom Roles** If you're importing a IAM resource with a custom role, make sure to use the * * full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. */ export declare class V2OrganizationSourceIamPolicy extends pulumi.CustomResource { /** * Get an existing V2OrganizationSourceIamPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: V2OrganizationSourceIamPolicyState, opts?: pulumi.CustomResourceOptions): V2OrganizationSourceIamPolicy; /** * Returns true if the given object is an instance of V2OrganizationSourceIamPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is V2OrganizationSourceIamPolicy; /** * (Computed) The etag of the IAM policy. */ readonly etag: pulumi.Output; readonly organization: pulumi.Output; /** * The policy data generated by * a `gcp.organizations.getIAMPolicy` data source. */ readonly policyData: pulumi.Output; /** * Used to find the parent resource to bind the IAM policy to */ readonly source: pulumi.Output; /** * Create a V2OrganizationSourceIamPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: V2OrganizationSourceIamPolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering V2OrganizationSourceIamPolicy resources. */ export interface V2OrganizationSourceIamPolicyState { /** * (Computed) The etag of the IAM policy. */ etag?: pulumi.Input; organization?: pulumi.Input; /** * The policy data generated by * a `gcp.organizations.getIAMPolicy` data source. */ policyData?: pulumi.Input; /** * Used to find the parent resource to bind the IAM policy to */ source?: pulumi.Input; } /** * The set of arguments for constructing a V2OrganizationSourceIamPolicy resource. */ export interface V2OrganizationSourceIamPolicyArgs { organization: pulumi.Input; /** * The policy data generated by * a `gcp.organizations.getIAMPolicy` data source. */ policyData: pulumi.Input; /** * Used to find the parent resource to bind the IAM policy to */ source: pulumi.Input; }