import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * An Entitlement defines the eligibility of a set of users to obtain predefined access for a limited time, possibly after going through an approval workflow.
 *
 * To get more information about Entitlement, see:
 *
 * * [API documentation](https://cloud.google.com/iam/docs/reference/pam/rest)
 * * How-to Guides
 *     * [How to create an Entitlement](https://cloud.google.com/iam/docs/pam-create-entitlements)
 *     * [Official Documentation](https://cloud.google.com/iam/docs/pam-overview)
 *
 * ## Example Usage
 *
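 * ### Privileged Access Manager Entitlement Basic
 *
 * Note: this sample names the same group as both the eligible requesters and the approvers, and grants `roles/storage.admin` on the whole project; when adapting it, use a separate approver principal and the narrowest role and resource that fit.
 *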
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const tfentitlement = new gcp.privilegedaccessmanager.Entitlement("tfentitlement", {
 *     entitlementId: "example-entitlement",
 *     location: "global",
 *     maxRequestDuration: "43200s",
 *     parent: "projects/my-project-name",
 *     requesterJustificationConfig: {
 *         unstructured: {},
 *     },
 *     eligibleUsers: [{
 *         principals: ["group:test@google.com"],
 *     }],
 *     privilegedAccess: {
 *         gcpIamAccess: {
 *             roleBindings: [{
 *                 role: "roles/storage.admin",
 *                 conditionExpression: "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
 *             }],
 *             resource: "//cloudresourcemanager.googleapis.com/projects/my-project-name",
 *             resourceType: "cloudresourcemanager.googleapis.com/Project",
 *         },
 *     },
 *     additionalNotificationTargets: {
 *         adminEmailRecipients: ["user@example.com"],
 *         requesterEmailRecipients: ["user@example.com"],
 *     },
 *     approvalWorkflow: {
 *         manualApprovals: {
 *             requireApproverJustification: true,
 *             steps: [{
 *                 approvalsNeeded: 1,
 *                 approverEmailRecipients: ["user@example.com"],
 *                 approvers: {
 *                     principals: ["group:test@google.com"],
 *                 },
 *             }],
 *         },
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Entitlement can be imported using any of these accepted formats:
 *
 * * `{{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}`
 *
 * When using the `pulumi import` command, Entitlement can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:privilegedaccessmanager/entitlement:entitlement default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
 * ```
 */
export declare class Entitlement extends pulumi.CustomResource {
    /**
     * Get an existing Entitlement resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The Entitlement resource for the given ID.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: EntitlementState, opts?: pulumi.CustomResourceOptions): Entitlement;
    /**
     * Returns true if the given object is an instance of Entitlement. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; typed `any`, so any value may be passed.
     */
    static isInstance(obj: any): obj is Entitlement;
    /**
     * AdditionalNotificationTargets includes email addresses to be notified.
     * Structure: see `outputs.privilegedaccessmanager.EntitlementAdditionalNotificationTargets`.
     */
    readonly additionalNotificationTargets: pulumi.Output<outputs.privilegedaccessmanager.EntitlementAdditionalNotificationTargets | undefined>;
    /**
     * The approvals needed before access will be granted to a requester.
     * No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
     * Structure: see `outputs.privilegedaccessmanager.EntitlementApprovalWorkflow`.
     *
     * Security note: when this is unset, grants are issued with no approval step; who may
     * request (`eligibleUsers`) and for how long (`maxRequestDuration`) then become the main
     * limits declared on this resource.
     */
    readonly approvalWorkflow: pulumi.Output<outputs.privilegedaccessmanager.EntitlementApprovalWorkflow | undefined>;
    /**
     * Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
     * Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     *
     * NOTE(review): the Terraform wording comes from the upstream provider docs; presumably
     * "Terraform state/management" means the Pulumi stack state here — confirm.
     * Security note: with "ABANDON" the entitlement stays in the API after it leaves
     * management, so it presumably remains requestable until removed by other means.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * Who can create Grants using Entitlement. This list should contain at most one entry.
     * Structure: see `outputs.privilegedaccessmanager.EntitlementEligibleUser`.
     */
    readonly eligibleUsers: pulumi.Output<outputs.privilegedaccessmanager.EntitlementEligibleUser[]>;
    /**
     * The ID to use for this Entitlement. This will become the last part of the resource name.
     * This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
     * This value should be unique among all other Entitlements under the specified `parent`.
     */
    readonly entitlementId: pulumi.Output<string>;
    /**
     * For Resource freshness validation (https://google.aip.dev/154)
     */
    readonly etag: pulumi.Output<string>;
    /**
     * The region of the Entitlement resource.
     */
    readonly location: pulumi.Output<string>;
    /**
     * The maximum amount of time for which access would be granted for a request.
     * A requester can choose to ask for access for less than this duration but never more.
     * Format: calculate the time in seconds and concatenate it with 's', e.g. 2 hours = "7200s", 45 minutes = "2700s"
     */
    readonly maxRequestDuration: pulumi.Output<string>;
    /**
     * Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID.
     * Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The parent under which the Entitlement lives.
     * Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
     */
    readonly parent: pulumi.Output<string>;
    /**
     * Privileged access that this service can be used to gate.
     * Structure: see `outputs.privilegedaccessmanager.EntitlementPrivilegedAccess`.
     */
    readonly privilegedAccess: pulumi.Output<outputs.privilegedaccessmanager.EntitlementPrivilegedAccess>;
    /**
     * Defines the ways in which a requester should provide the justification while requesting for access.
     * Structure: see `outputs.privilegedaccessmanager.EntitlementRequesterJustificationConfig`.
     */
    readonly requesterJustificationConfig: pulumi.Output<outputs.privilegedaccessmanager.EntitlementRequesterJustificationConfig>;
    /**
     * Output only. The current state of the Entitlement.
     */
    readonly state: pulumi.Output<string>;
    /**
     * Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
     * Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create an Entitlement resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: EntitlementArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering entitlement resources.
 */
export interface EntitlementState {
    /**
     * AdditionalNotificationTargets includes email addresses to be notified.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementAdditionalNotificationTargets`.
     */
    additionalNotificationTargets?: pulumi.Input<inputs.privilegedaccessmanager.EntitlementAdditionalNotificationTargets | undefined>;
    /**
     * The approvals needed before access will be granted to a requester.
     * No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementApprovalWorkflow`.
     *
     * Security note: a null value here means grants on the entitlement are issued with no
     * approval step.
     */
    approvalWorkflow?: pulumi.Input<inputs.privilegedaccessmanager.EntitlementApprovalWorkflow | undefined>;
    /**
     * Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
     * Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
     */
    createTime?: pulumi.Input<string | undefined>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     *
     * NOTE(review): the Terraform wording comes from the upstream provider docs; presumably
     * "Terraform state/management" means the Pulumi stack state here — confirm.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * Who can create Grants using Entitlement. This list should contain at most one entry.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementEligibleUser`.
     */
    eligibleUsers?: pulumi.Input<pulumi.Input<inputs.privilegedaccessmanager.EntitlementEligibleUser>[] | undefined>;
    /**
     * The ID to use for this Entitlement. This will become the last part of the resource name.
     * This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
     * This value should be unique among all other Entitlements under the specified `parent`.
     */
    entitlementId?: pulumi.Input<string | undefined>;
    /**
     * For Resource freshness validation (https://google.aip.dev/154)
     */
    etag?: pulumi.Input<string | undefined>;
    /**
     * The region of the Entitlement resource.
     */
    location?: pulumi.Input<string | undefined>;
    /**
     * The maximum amount of time for which access would be granted for a request.
     * A requester can choose to ask for access for less than this duration but never more.
     * Format: calculate the time in seconds and concatenate it with 's', e.g. 2 hours = "7200s", 45 minutes = "2700s"
     */
    maxRequestDuration?: pulumi.Input<string | undefined>;
    /**
     * Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID.
     * Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * The parent under which the Entitlement lives.
     * Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
     */
    parent?: pulumi.Input<string | undefined>;
    /**
     * Privileged access that this service can be used to gate.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementPrivilegedAccess`.
     */
    privilegedAccess?: pulumi.Input<inputs.privilegedaccessmanager.EntitlementPrivilegedAccess | undefined>;
    /**
     * Defines the ways in which a requester should provide the justification while requesting for access.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementRequesterJustificationConfig`.
     */
    requesterJustificationConfig?: pulumi.Input<inputs.privilegedaccessmanager.EntitlementRequesterJustificationConfig | undefined>;
    /**
     * Output only. The current state of the Entitlement.
     */
    state?: pulumi.Input<string | undefined>;
    /**
     * Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
     * Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
     */
    updateTime?: pulumi.Input<string | undefined>;
}
/**
 * The set of arguments for constructing an Entitlement resource.
 */
export interface EntitlementArgs {
    /**
     * AdditionalNotificationTargets includes email addresses to be notified.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementAdditionalNotificationTargets`.
     */
    additionalNotificationTargets?: pulumi.Input<inputs.privilegedaccessmanager.EntitlementAdditionalNotificationTargets | undefined>;
    /**
     * The approvals needed before access will be granted to a requester.
     * No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementApprovalWorkflow`.
     *
     * Security note: this argument is optional, and omitting it yields an entitlement whose
     * grants need no approval; who may request (`eligibleUsers`) and for how long
     * (`maxRequestDuration`) then become the main limits declared on the resource.
     */
    approvalWorkflow?: pulumi.Input<inputs.privilegedaccessmanager.EntitlementApprovalWorkflow | undefined>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     *
     * NOTE(review): the Terraform wording comes from the upstream provider docs; presumably
     * "Terraform state/management" means the Pulumi stack state here — confirm.
     * Security note: with "ABANDON" the entitlement stays in the API after it leaves
     * management, so it presumably remains requestable until removed by other means.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * Who can create Grants using Entitlement. This list should contain at most one entry.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementEligibleUser`.
     */
    eligibleUsers: pulumi.Input<pulumi.Input<inputs.privilegedaccessmanager.EntitlementEligibleUser>[]>;
    /**
     * The ID to use for this Entitlement. This will become the last part of the resource name.
     * This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
     * This value should be unique among all other Entitlements under the specified `parent`.
     */
    entitlementId: pulumi.Input<string>;
    /**
     * The region of the Entitlement resource.
     */
    location: pulumi.Input<string>;
    /**
     * The maximum amount of time for which access would be granted for a request.
     * A requester can choose to ask for access for less than this duration but never more.
     * Format: calculate the time in seconds and concatenate it with 's', e.g. 2 hours = "7200s", 45 minutes = "2700s"
     */
    maxRequestDuration: pulumi.Input<string>;
    /**
     * The parent under which the Entitlement is created.
     * Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
     */
    parent: pulumi.Input<string>;
    /**
     * Privileged access that this service can be used to gate.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementPrivilegedAccess`.
     */
    privilegedAccess: pulumi.Input<inputs.privilegedaccessmanager.EntitlementPrivilegedAccess>;
    /**
     * Defines the ways in which a requester should provide the justification while requesting for access.
     * Structure: see `inputs.privilegedaccessmanager.EntitlementRequesterJustificationConfig`.
     */
    requesterJustificationConfig: pulumi.Input<inputs.privilegedaccessmanager.EntitlementRequesterJustificationConfig>;
}
//# sourceMappingURL=entitlement.d.ts.map