import * as pulumi from "@pulumi/pulumi"; /** * Three different resources help you manage your IAM policy for a Spanner instance. Each of these resources serves a different use case: * * * `gcp.spanner.InstanceIAMPolicy`: Authoritative. Sets the IAM policy for the instance and replaces any existing policy already attached. * * > **Warning:** It's entirely possibly to lock yourself out of your instance using `gcp.spanner.InstanceIAMPolicy`. Any permissions granted by default will be removed unless you include them in your config. * * * `gcp.spanner.InstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. * * `gcp.spanner.InstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the instance are preserved. * * > **Note:** `gcp.spanner.InstanceIAMPolicy` **cannot** be used in conjunction with `gcp.spanner.InstanceIAMBinding` and `gcp.spanner.InstanceIAMMember` or they will fight over what your policy should be. * * > **Note:** `gcp.spanner.InstanceIAMBinding` resources **can be** used in conjunction with `gcp.spanner.InstanceIAMMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.spanner.InstanceIAMPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * }], * }); * const instance = new gcp.spanner.InstanceIAMPolicy("instance", { * instance: "your-instance-name", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.spanner.InstanceIAMBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.spanner.InstanceIAMBinding("instance", { * instance: "your-instance-name", * role: "roles/spanner.databaseAdmin", * members: ["user:jane@example.com"], * }); * ``` * * ## gcp.spanner.InstanceIAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.spanner.InstanceIAMMember("instance", { * instance: "your-instance-name", * role: "roles/spanner.databaseAdmin", * member: "user:jane@example.com", * }); * ``` * * ## This resource supports User Project Overrides. * * - * * # IAM policy for Spanner Instances * * Three different resources help you manage your IAM policy for a Spanner instance. Each of these resources serves a different use case: * * * `gcp.spanner.InstanceIAMPolicy`: Authoritative. Sets the IAM policy for the instance and replaces any existing policy already attached. * * > **Warning:** It's entirely possibly to lock yourself out of your instance using `gcp.spanner.InstanceIAMPolicy`. Any permissions granted by default will be removed unless you include them in your config. * * * `gcp.spanner.InstanceIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. * * `gcp.spanner.InstanceIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the instance are preserved. * * > **Note:** `gcp.spanner.InstanceIAMPolicy` **cannot** be used in conjunction with `gcp.spanner.InstanceIAMBinding` and `gcp.spanner.InstanceIAMMember` or they will fight over what your policy should be. * * > **Note:** `gcp.spanner.InstanceIAMBinding` resources **can be** used in conjunction with `gcp.spanner.InstanceIAMMember` resources **only if** they do not grant privilege to the same role. * * ## gcp.spanner.InstanceIAMPolicy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const admin = gcp.organizations.getIAMPolicy({ * bindings: [{ * role: "roles/editor", * members: ["user:jane@example.com"], * }], * }); * const instance = new gcp.spanner.InstanceIAMPolicy("instance", { * instance: "your-instance-name", * policyData: admin.then(admin => admin.policyData), * }); * ``` * * ## gcp.spanner.InstanceIAMBinding * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.spanner.InstanceIAMBinding("instance", { * instance: "your-instance-name", * role: "roles/spanner.databaseAdmin", * members: ["user:jane@example.com"], * }); * ``` * * ## gcp.spanner.InstanceIAMMember * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.spanner.InstanceIAMMember("instance", { * instance: "your-instance-name", * role: "roles/spanner.databaseAdmin", * member: "user:jane@example.com", * }); * ``` * * ## Import * * > **Custom Roles** If you're importing a IAM resource with a custom role, make sure to use the * full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. */ export declare class InstanceIAMPolicy extends pulumi.CustomResource { /** * Get an existing InstanceIAMPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: InstanceIAMPolicyState, opts?: pulumi.CustomResourceOptions): InstanceIAMPolicy; /** * Returns true if the given object is an instance of InstanceIAMPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is InstanceIAMPolicy; /** * (Computed) The etag of the instance's IAM policy. */ readonly etag: pulumi.Output; /** * The name of the instance. */ readonly instance: pulumi.Output; /** * The policy data generated by * a `gcp.organizations.getIAMPolicy` data source. */ readonly policyData: pulumi.Output; /** * The ID of the project in which the resource belongs. If it * is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * Create a InstanceIAMPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: InstanceIAMPolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering InstanceIAMPolicy resources. */ export interface InstanceIAMPolicyState { /** * (Computed) The etag of the instance's IAM policy. */ etag?: pulumi.Input; /** * The name of the instance. */ instance?: pulumi.Input; /** * The policy data generated by * a `gcp.organizations.getIAMPolicy` data source. */ policyData?: pulumi.Input; /** * The ID of the project in which the resource belongs. If it * is not provided, the provider project is used. */ project?: pulumi.Input; } /** * The set of arguments for constructing a InstanceIAMPolicy resource. */ export interface InstanceIAMPolicyArgs { /** * The name of the instance. */ instance: pulumi.Input; /** * The policy data generated by * a `gcp.organizations.getIAMPolicy` data source. */ policyData: pulumi.Input; /** * The ID of the project in which the resource belongs. If it * is not provided, the provider project is used. */ project?: pulumi.Input; } //# sourceMappingURL=instanceIAMPolicy.d.ts.map