Expand description
Three different resources help you manage your IAM policy for Compute Engine Snapshot. Each of these resources serves a different use case:
gcp.compute.SnapshotIamPolicy: Authoritative. Sets the IAM policy for the snapshot and replaces any existing policy already attached.gcp.compute.SnapshotIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the snapshot are preserved.gcp.compute.SnapshotIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the snapshot are preserved.
A data source can be used to retrieve policy data in advent you do not need creation
gcp.compute.SnapshotIamPolicy: Retrieves the IAM policy for the snapshot
Note:
gcp.compute.SnapshotIamPolicycannot be used in conjunction withgcp.compute.SnapshotIamBindingandgcp.compute.SnapshotIamMemberor they will fight over what your policy should be.
Note:
gcp.compute.SnapshotIamBindingresources can be used in conjunction withgcp.compute.SnapshotIamMemberresources only if they do not grant privilege to the same role.
§gcp.compute.SnapshotIamPolicy
resources:
policy:
type: gcp:compute:SnapshotIamPolicy
properties:
project: ${snapshot.project}
name: ${snapshot.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com§gcp.compute.SnapshotIamBinding
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
#[pulumi_main]
fn test_main() -> Result<(), Error> {
let binding = snapshot_iam_binding::create(
"binding",
SnapshotIamBindingArgs::builder()
.members(vec!["user:jane@example.com",])
.name("${snapshot.name}")
.project("${snapshot.project}")
.role("roles/viewer")
.build_struct(),
);
}§gcp.compute.SnapshotIamMember
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
#[pulumi_main]
fn test_main() -> Result<(), Error> {
let member = snapshot_iam_member::create(
"member",
SnapshotIamMemberArgs::builder()
.member("user:jane@example.com")
.name("${snapshot.name}")
.project("${snapshot.project}")
.role("roles/viewer")
.build_struct(),
);
}§This resource supports User Project Overrides.
§IAM policy for Compute Engine Snapshot
Three different resources help you manage your IAM policy for Compute Engine Snapshot. Each of these resources serves a different use case:
gcp.compute.SnapshotIamPolicy: Authoritative. Sets the IAM policy for the snapshot and replaces any existing policy already attached.gcp.compute.SnapshotIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the snapshot are preserved.gcp.compute.SnapshotIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the snapshot are preserved.
A data source can be used to retrieve policy data in advent you do not need creation
gcp.compute.SnapshotIamPolicy: Retrieves the IAM policy for the snapshot
Note:
gcp.compute.SnapshotIamPolicycannot be used in conjunction withgcp.compute.SnapshotIamBindingandgcp.compute.SnapshotIamMemberor they will fight over what your policy should be.
Note:
gcp.compute.SnapshotIamBindingresources can be used in conjunction withgcp.compute.SnapshotIamMemberresources only if they do not grant privilege to the same role.
§gcp.compute.SnapshotIamPolicy
resources:
policy:
type: gcp:compute:SnapshotIamPolicy
properties:
project: ${snapshot.project}
name: ${snapshot.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com§gcp.compute.SnapshotIamBinding
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
#[pulumi_main]
fn test_main() -> Result<(), Error> {
let binding = snapshot_iam_binding::create(
"binding",
SnapshotIamBindingArgs::builder()
.members(vec!["user:jane@example.com",])
.name("${snapshot.name}")
.project("${snapshot.project}")
.role("roles/viewer")
.build_struct(),
);
}§gcp.compute.SnapshotIamMember
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
#[pulumi_main]
fn test_main() -> Result<(), Error> {
let member = snapshot_iam_member::create(
"member",
SnapshotIamMemberArgs::builder()
.member("user:jane@example.com")
.name("${snapshot.name}")
.project("${snapshot.project}")
.role("roles/viewer")
.build_struct(),
);
}§Import
For all import syntaxes, the “resource in question” can take any of the following forms:
-
projects/{{project}}/global/snapshots/{{name}}
-
{{project}}/{{name}}
-
{{name}}
Any variables not passed in the import command will be taken from the provider configuration.
Compute Engine snapshot IAM resources can be imported using the resource identifiers, role, and member.
IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.
$ pulumi import gcp:compute/snapshotIamBinding:SnapshotIamBinding editor "projects/{{project}}/global/snapshots/{{snapshot}} roles/viewer user:jane@example.com"IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.
$ pulumi import gcp:compute/snapshotIamBinding:SnapshotIamBinding editor "projects/{{project}}/global/snapshots/{{snapshot}} roles/viewer"IAM policy imports use the identifier of the resource in question, e.g.
$ pulumi import gcp:compute/snapshotIamBinding:SnapshotIamBinding editor projects/{{project}}/global/snapshots/{{snapshot}}-> Custom Roles If you’re importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. [projects/my-project|organizations/my-org]/roles/my-custom-role.
Structs§
- Use builder syntax to set the inputs and finish with
build_struct().
Functions§
- Registers a new resource with the given unique name and arguments