import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Represents a collection of denial policies to apply to a given resource.
 *
 * To get more information about DenyPolicy, see:
 *
 * * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v2/policies)
 * * How-to Guides
 *     * [Permissions supported in deny policies](https://cloud.google.com/iam/docs/deny-permissions-support)
 *
 * ## Example Usage
 *
 * ### Iam Deny Policy Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const project = new gcp.organizations.Project("project", {
 *     projectId: "my-project",
 *     name: "my-project",
 *     orgId: "123456789",
 *     billingAccount: "000000-0000000-0000000-000000",
 *     deletionPolicy: "DELETE",
 * });
 * const test_account = new gcp.serviceaccount.Account("test-account", {
 *     accountId: "svc-acc",
 *     displayName: "Test Service Account",
 *     project: project.projectId,
 * });
 * const example = new gcp.iam.DenyPolicy("example", {
 *     parent: std.urlencodeOutput({
 *         input: pulumi.interpolate`cloudresourcemanager.googleapis.com/projects/${project.projectId}`,
 *     }).apply(invoke => invoke.result),
 *     name: "my-deny-policy",
 *     displayName: "A deny rule",
 *     rules: [
 *         {
 *             description: "First rule",
 *             denyRule: {
 *                 deniedPrincipals: ["principalSet://goog/public:all"],
 *                 denialCondition: {
 *                     title: "Some expr",
 *                     expression: "!resource.matchTag('12345678/env', 'test')",
 *                 },
 *                 deniedPermissions: ["cloudresourcemanager.googleapis.com/projects.update"],
 *             },
 *         },
 *         {
 *             description: "Second rule",
 *             denyRule: {
 *                 deniedPrincipals: ["principalSet://goog/public:all"],
 *                 denialCondition: {
 *                     title: "Some expr",
 *                     expression: "!resource.matchTag('12345678/env', 'test')",
 *                 },
 *                 deniedPermissions: ["cloudresourcemanager.googleapis.com/projects.update"],
 *                 exceptionPrincipals: [pulumi.interpolate`principal://iam.googleapis.com/projects/-/serviceAccounts/${test_account.email}`],
 *             },
 *         },
 *     ],
 * });
 * ```
 *
 * ## Import
 *
 * DenyPolicy can be imported using any of these accepted formats:
 *
 * * `{{parent}}/{{name}}`
 *
 * When using the `pulumi import` command, DenyPolicy can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:iam/denyPolicy:DenyPolicy default {{parent}}/{{name}}
 * ```
 */
export declare class DenyPolicy extends pulumi.CustomResource {
    /**
     * Get an existing DenyPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DenyPolicyState, opts?: pulumi.CustomResourceOptions): DenyPolicy;
    /**
     * Returns true if the given object is an instance of DenyPolicy.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is DenyPolicy;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * The display name of the rule.
     */
    readonly displayName: pulumi.Output<string | undefined>;
    /**
     * The hash of the resource. Used internally during updates.
     */
    readonly etag: pulumi.Output<string>;
    /**
     * The name of the policy.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The attachment point is identified by its URL-encoded full resource name.
     */
    readonly parent: pulumi.Output<string>;
    /**
     * Rules to be applied.
     * Structure is documented below.
     */
    readonly rules: pulumi.Output<outputs.iam.DenyPolicyRule[]>;
    /**
     * Create a DenyPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: DenyPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering DenyPolicy resources.
 */
export interface DenyPolicyState {
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * The display name of the rule.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * The hash of the resource. Used internally during updates.
     */
    etag?: pulumi.Input<string | undefined>;
    /**
     * The name of the policy.
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * The attachment point is identified by its URL-encoded full resource name.
     */
    parent?: pulumi.Input<string | undefined>;
    /**
     * Rules to be applied.
     * Structure is documented below.
     */
    rules?: pulumi.Input<pulumi.Input<inputs.iam.DenyPolicyRule>[] | undefined>;
}
/**
 * The set of arguments for constructing a DenyPolicy resource.
 */
export interface DenyPolicyArgs {
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * The display name of the rule.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * The name of the policy.
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * The attachment point is identified by its URL-encoded full resource name.
     */
    parent: pulumi.Input<string>;
    /**
     * Rules to be applied.
     * Structure is documented below.
     */
    rules: pulumi.Input<pulumi.Input<inputs.iam.DenyPolicyRule>[]>;
}
//# sourceMappingURL=denyPolicy.d.ts.map