1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. privilegedaccessmanager
  5. Entitlement
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.privilegedaccessmanager.Entitlement

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    An Entitlement defines the eligibility of a set of users to obtain a predefined access for some time possibly after going through an approval workflow.

    Example Usage

    Privileged Access Manager Entitlement Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const tfentitlement = new gcp.privilegedaccessmanager.Entitlement("tfentitlement", {
        entitlementId: "example-entitlement",
        location: "global",
        maxRequestDuration: "43200s",
        parent: "projects/my-project-name",
        requesterJustificationConfig: {
            unstructured: {},
        },
        eligibleUsers: [{
            principals: ["group:test@google.com"],
        }],
        privilegedAccess: {
            gcpIamAccess: {
                roleBindings: [{
                    role: "roles/storage.admin",
                    conditionExpression: "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                }],
                resource: "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                resourceType: "cloudresourcemanager.googleapis.com/Project",
            },
        },
        additionalNotificationTargets: {
            adminEmailRecipients: ["user@example.com"],
            requesterEmailRecipients: ["user@example.com"],
        },
        approvalWorkflow: {
            manualApprovals: {
                requireApproverJustification: true,
                steps: [{
                    approvalsNeeded: 1,
                    approverEmailRecipients: ["user@example.com"],
                    approvers: {
                        principals: ["group:test@google.com"],
                    },
                }],
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    tfentitlement = gcp.privilegedaccessmanager.Entitlement("tfentitlement",
        entitlement_id="example-entitlement",
        location="global",
        max_request_duration="43200s",
        parent="projects/my-project-name",
        requester_justification_config={
            "unstructured": {},
        },
        eligible_users=[{
            "principals": ["group:test@google.com"],
        }],
        privileged_access={
            "gcp_iam_access": {
                "role_bindings": [{
                    "role": "roles/storage.admin",
                    "condition_expression": "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                }],
                "resource": "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                "resource_type": "cloudresourcemanager.googleapis.com/Project",
            },
        },
        additional_notification_targets={
            "admin_email_recipients": ["user@example.com"],
            "requester_email_recipients": ["user@example.com"],
        },
        approval_workflow={
            "manual_approvals": {
                "require_approver_justification": True,
                "steps": [{
                    "approvals_needed": 1,
                    "approver_email_recipients": ["user@example.com"],
                    "approvers": {
                        "principals": ["group:test@google.com"],
                    },
                }],
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/privilegedaccessmanager"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := privilegedaccessmanager.Newentitlement(ctx, "tfentitlement", &privilegedaccessmanager.entitlementArgs{
    			EntitlementId:      pulumi.String("example-entitlement"),
    			Location:           pulumi.String("global"),
    			MaxRequestDuration: pulumi.String("43200s"),
    			Parent:             pulumi.String("projects/my-project-name"),
    			RequesterJustificationConfig: &privilegedaccessmanager.EntitlementRequesterJustificationConfigArgs{
    				Unstructured: &privilegedaccessmanager.EntitlementRequesterJustificationConfigUnstructuredArgs{},
    			},
    			EligibleUsers: privilegedaccessmanager.EntitlementEligibleUserArray{
    				&privilegedaccessmanager.EntitlementEligibleUserArgs{
    					Principals: pulumi.StringArray{
    						pulumi.String("group:test@google.com"),
    					},
    				},
    			},
    			PrivilegedAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessArgs{
    				GcpIamAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessArgs{
    					RoleBindings: privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArray{
    						&privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs{
    							Role:                pulumi.String("roles/storage.admin"),
    							ConditionExpression: pulumi.String("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"),
    						},
    					},
    					Resource:     pulumi.String("//cloudresourcemanager.googleapis.com/projects/my-project-name"),
    					ResourceType: pulumi.String("cloudresourcemanager.googleapis.com/Project"),
    				},
    			},
    			AdditionalNotificationTargets: &privilegedaccessmanager.EntitlementAdditionalNotificationTargetsArgs{
    				AdminEmailRecipients: pulumi.StringArray{
    					pulumi.String("user@example.com"),
    				},
    				RequesterEmailRecipients: pulumi.StringArray{
    					pulumi.String("user@example.com"),
    				},
    			},
    			ApprovalWorkflow: &privilegedaccessmanager.EntitlementApprovalWorkflowArgs{
    				ManualApprovals: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsArgs{
    					RequireApproverJustification: pulumi.Bool(true),
    					Steps: privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArray{
    						&privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArgs{
    							ApprovalsNeeded: pulumi.Int(1),
    							ApproverEmailRecipients: pulumi.StringArray{
    								pulumi.String("user@example.com"),
    							},
    							Approvers: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs{
    								Principals: pulumi.StringArray{
    									pulumi.String("group:test@google.com"),
    								},
    							},
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var tfentitlement = new Gcp.PrivilegedAccessManager.Entitlement("tfentitlement", new()
        {
            EntitlementId = "example-entitlement",
            Location = "global",
            MaxRequestDuration = "43200s",
            Parent = "projects/my-project-name",
            RequesterJustificationConfig = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigArgs
            {
                Unstructured = null,
            },
            EligibleUsers = new[]
            {
                new Gcp.PrivilegedAccessManager.Inputs.EntitlementEligibleUserArgs
                {
                    Principals = new[]
                    {
                        "group:test@google.com",
                    },
                },
            },
            PrivilegedAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessArgs
            {
                GcpIamAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessArgs
                {
                    RoleBindings = new[]
                    {
                        new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
                        {
                            Role = "roles/storage.admin",
                            ConditionExpression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                        },
                    },
                    Resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                    ResourceType = "cloudresourcemanager.googleapis.com/Project",
                },
            },
            AdditionalNotificationTargets = new Gcp.PrivilegedAccessManager.Inputs.EntitlementAdditionalNotificationTargetsArgs
            {
                AdminEmailRecipients = new[]
                {
                    "user@example.com",
                },
                RequesterEmailRecipients = new[]
                {
                    "user@example.com",
                },
            },
            ApprovalWorkflow = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowArgs
            {
                ManualApprovals = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsArgs
                {
                    RequireApproverJustification = true,
                    Steps = new[]
                    {
                        new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepArgs
                        {
                            ApprovalsNeeded = 1,
                            ApproverEmailRecipients = new[]
                            {
                                "user@example.com",
                            },
                            Approvers = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
                            {
                                Principals = new[]
                                {
                                    "group:test@google.com",
                                },
                            },
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.privilegedaccessmanager.entitlement;
    import com.pulumi.gcp.privilegedaccessmanager.EntitlementArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigUnstructuredArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementEligibleUserArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessGcpIamAccessArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementAdditionalNotificationTargetsArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowArgs;
    import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowManualApprovalsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var tfentitlement = new Entitlement("tfentitlement", EntitlementArgs.builder()
                .entitlementId("example-entitlement")
                .location("global")
                .maxRequestDuration("43200s")
                .parent("projects/my-project-name")
                .requesterJustificationConfig(EntitlementRequesterJustificationConfigArgs.builder()
                    .unstructured()
                    .build())
                .eligibleUsers(EntitlementEligibleUserArgs.builder()
                    .principals("group:test@google.com")
                    .build())
                .privilegedAccess(EntitlementPrivilegedAccessArgs.builder()
                    .gcpIamAccess(EntitlementPrivilegedAccessGcpIamAccessArgs.builder()
                        .roleBindings(EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs.builder()
                            .role("roles/storage.admin")
                            .conditionExpression("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")")
                            .build())
                        .resource("//cloudresourcemanager.googleapis.com/projects/my-project-name")
                        .resourceType("cloudresourcemanager.googleapis.com/Project")
                        .build())
                    .build())
                .additionalNotificationTargets(EntitlementAdditionalNotificationTargetsArgs.builder()
                    .adminEmailRecipients("user@example.com")
                    .requesterEmailRecipients("user@example.com")
                    .build())
                .approvalWorkflow(EntitlementApprovalWorkflowArgs.builder()
                    .manualApprovals(EntitlementApprovalWorkflowManualApprovalsArgs.builder()
                        .requireApproverJustification(true)
                        .steps(EntitlementApprovalWorkflowManualApprovalsStepArgs.builder()
                            .approvalsNeeded(1)
                            .approverEmailRecipients("user@example.com")
                            .approvers(EntitlementApprovalWorkflowManualApprovalsStepApproversArgs.builder()
                                .principals("group:test@google.com")
                                .build())
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      tfentitlement:
        type: gcp:privilegedaccessmanager:entitlement
        properties:
          entitlementId: example-entitlement
          location: global
          maxRequestDuration: 43200s
          parent: projects/my-project-name
          requesterJustificationConfig:
            unstructured: {}
          eligibleUsers:
            - principals:
                - group:test@google.com
          privilegedAccess:
            gcpIamAccess:
              roleBindings:
                - role: roles/storage.admin
                  conditionExpression: request.time < timestamp("2024-04-23T18:30:00.000Z")
              resource: //cloudresourcemanager.googleapis.com/projects/my-project-name
              resourceType: cloudresourcemanager.googleapis.com/Project
          additionalNotificationTargets:
            adminEmailRecipients:
              - user@example.com
            requesterEmailRecipients:
              - user@example.com
          approvalWorkflow:
            manualApprovals:
              requireApproverJustification: true
              steps:
                - approvalsNeeded: 1
                  approverEmailRecipients:
                    - user@example.com
                  approvers:
                    principals:
                      - group:test@google.com
    

    Create Entitlement Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Entitlement(name: string, args: EntitlementArgs, opts?: CustomResourceOptions);
    @overload
    def Entitlement(resource_name: str,
                    args: EntitlementArgs,
                    opts: Optional[ResourceOptions] = None)
    
    @overload
    def Entitlement(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
                    entitlement_id: Optional[str] = None,
                    location: Optional[str] = None,
                    max_request_duration: Optional[str] = None,
                    parent: Optional[str] = None,
                    privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
                    requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
                    additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
                    approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None)
    func NewEntitlement(ctx *Context, name string, args EntitlementArgs, opts ...ResourceOption) (*Entitlement, error)
    public Entitlement(string name, EntitlementArgs args, CustomResourceOptions? opts = null)
    public Entitlement(String name, EntitlementArgs args)
    public Entitlement(String name, EntitlementArgs args, CustomResourceOptions options)
    
    type: gcp:privilegedaccessmanager/entitlement:entitlement
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args EntitlementArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args EntitlementArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args EntitlementArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args EntitlementArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args EntitlementArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Entitlement Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Entitlement resource accepts the following input properties:

    EligibleUsers List<EntitlementEligibleUserArgs>
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    EntitlementId string
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    Location string
    The region of the Entitlement resource.
    MaxRequestDuration string
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    Parent string
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    PrivilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    ApprovalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    EligibleUsers []EntitlementEligibleUserArgs
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    EntitlementId string
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    Location string
    The region of the Entitlement resource.
    MaxRequestDuration string
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    Parent string
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    PrivilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    ApprovalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    eligibleUsers List<EntitlementEligibleUserArgs>
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlementId String
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    location String
    The region of the Entitlement resource.
    maxRequestDuration String
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    parent String
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    approvalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    eligibleUsers EntitlementEligibleUserArgs[]
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlementId string
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    location string
    The region of the Entitlement resource.
    maxRequestDuration string
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    parent string
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    approvalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    eligible_users Sequence[EntitlementEligibleUserArgs]
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlement_id str
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    location str
    The region of the Entitlement resource.
    max_request_duration str
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    parent str
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privileged_access EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    requester_justification_config EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    additional_notification_targets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    approval_workflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    eligibleUsers List<Property Map>
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlementId String
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    location String
    The region of the Entitlement resource.
    maxRequestDuration String
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    parent String
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privilegedAccess Property Map
    Privileged access that this service can be used to gate. Structure is documented below.
    requesterJustificationConfig Property Map
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    additionalNotificationTargets Property Map
    AdditionalNotificationTargets includes email addresses to be notified.
    approvalWorkflow Property Map
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Entitlement resource produces the following output properties:

    CreateTime string
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    Etag string
    For Resource freshness validation (https://google.aip.dev/154)
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    State string
    Output only. The current state of the Entitlement.
    UpdateTime string
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    CreateTime string
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    Etag string
    For Resource freshness validation (https://google.aip.dev/154)
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    State string
    Output only. The current state of the Entitlement.
    UpdateTime string
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    createTime String
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    etag String
    For Resource freshness validation (https://google.aip.dev/154)
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    state String
    Output only. The current state of the Entitlement.
    updateTime String
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    createTime string
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    etag string
    For Resource freshness validation (https://google.aip.dev/154)
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    state string
    Output only. The current state of the Entitlement.
    updateTime string
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    create_time str
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    etag str
    For Resource freshness validation (https://google.aip.dev/154)
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    state str
    Output only. The current state of the Entitlement.
    update_time str
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    createTime String
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    etag String
    For Resource freshness validation (https://google.aip.dev/154)
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    state String
    Output only. The current state of the Entitlement.
    updateTime String
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

    Look up Existing Entitlement Resource

    Get an existing Entitlement resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: EntitlementState, opts?: CustomResourceOptions): Entitlement
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
            approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None,
            create_time: Optional[str] = None,
            eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
            entitlement_id: Optional[str] = None,
            etag: Optional[str] = None,
            location: Optional[str] = None,
            max_request_duration: Optional[str] = None,
            name: Optional[str] = None,
            parent: Optional[str] = None,
            privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
            requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
            state: Optional[str] = None,
            update_time: Optional[str] = None) -> Entitlement
    func GetEntitlement(ctx *Context, name string, id IDInput, state *EntitlementState, opts ...ResourceOption) (*Entitlement, error)
    public static Entitlement Get(string name, Input<string> id, EntitlementState? state, CustomResourceOptions? opts = null)
    public static Entitlement get(String name, Output<String> id, EntitlementState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    ApprovalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    CreateTime string
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    EligibleUsers List<EntitlementEligibleUserArgs>
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    EntitlementId string
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    Etag string
    For Resource freshness validation (https://google.aip.dev/154)
    Location string
    The region of the Entitlement resource.
    MaxRequestDuration string
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    Name string
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    Parent string
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    PrivilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    State string
    Output only. The current state of the Entitlement.
    UpdateTime string
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    ApprovalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    CreateTime string
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    EligibleUsers []EntitlementEligibleUserArgs
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    EntitlementId string
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    Etag string
    For Resource freshness validation (https://google.aip.dev/154)
    Location string
    The region of the Entitlement resource.
    MaxRequestDuration string
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    Name string
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    Parent string
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    PrivilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    State string
    Output only. The current state of the Entitlement.
    UpdateTime string
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    approvalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    createTime String
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    eligibleUsers List<EntitlementEligibleUserArgs>
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlementId String
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    etag String
    For Resource freshness validation (https://google.aip.dev/154)
    location String
    The region of the Entitlement resource.
    maxRequestDuration String
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    name String
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    parent String
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    state String
    Output only. The current state of the Entitlement.
    updateTime String
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    approvalWorkflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    createTime string
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    eligibleUsers EntitlementEligibleUserArgs[]
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlementId string
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    etag string
    For Resource freshness validation (https://google.aip.dev/154)
    location string
    The region of the Entitlement resource.
    maxRequestDuration string
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    name string
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    parent string
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privilegedAccess EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    state string
    Output only. The current state of the Entitlement.
    updateTime string
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    additional_notification_targets EntitlementAdditionalNotificationTargetsArgs
    AdditionalNotificationTargets includes email addresses to be notified.
    approval_workflow EntitlementApprovalWorkflowArgs
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    create_time str
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    eligible_users Sequence[EntitlementEligibleUserArgs]
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlement_id str
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    etag str
    For Resource freshness validation (https://google.aip.dev/154)
    location str
    The region of the Entitlement resource.
    max_request_duration str
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    name str
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    parent str
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privileged_access EntitlementPrivilegedAccessArgs
    Privileged access that this service can be used to gate. Structure is documented below.
    requester_justification_config EntitlementRequesterJustificationConfigArgs
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    state str
    Output only. The current state of the Entitlement.
    update_time str
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    additionalNotificationTargets Property Map
    AdditionalNotificationTargets includes email addresses to be notified.
    approvalWorkflow Property Map
    The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
    createTime String
    Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
    eligibleUsers List<Property Map>
    Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
    entitlementId String
    The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
    etag String
    For Resource freshness validation (https://google.aip.dev/154)
    location String
    The region of the Entitlement resource.
    maxRequestDuration String
    The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
    name String
    Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
    parent String
    Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
    privilegedAccess Property Map
    Privileged access that this service can be used to gate. Structure is documented below.
    requesterJustificationConfig Property Map
    Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
    state String
    Output only. The current state of the Entitlement.
    updateTime String
    Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

    Supporting Types

    EntitlementAdditionalNotificationTargets, EntitlementAdditionalNotificationTargetsArgs

    AdminEmailRecipients List<string>
    Optional. Additional email addresses to be notified when a principal(requester) is granted access.
    RequesterEmailRecipients List<string>
    Optional. Additional email address to be notified about an eligible entitlement.
    AdminEmailRecipients []string
    Optional. Additional email addresses to be notified when a principal(requester) is granted access.
    RequesterEmailRecipients []string
    Optional. Additional email address to be notified about an eligible entitlement.
    adminEmailRecipients List<String>
    Optional. Additional email addresses to be notified when a principal(requester) is granted access.
    requesterEmailRecipients List<String>
    Optional. Additional email address to be notified about an eligible entitlement.
    adminEmailRecipients string[]
    Optional. Additional email addresses to be notified when a principal(requester) is granted access.
    requesterEmailRecipients string[]
    Optional. Additional email address to be notified about an eligible entitlement.
    admin_email_recipients Sequence[str]
    Optional. Additional email addresses to be notified when a principal(requester) is granted access.
    requester_email_recipients Sequence[str]
    Optional. Additional email address to be notified about an eligible entitlement.
    adminEmailRecipients List<String>
    Optional. Additional email addresses to be notified when a principal(requester) is granted access.
    requesterEmailRecipients List<String>
    Optional. Additional email address to be notified about an eligible entitlement.

    EntitlementApprovalWorkflow, EntitlementApprovalWorkflowArgs

    ManualApprovals EntitlementApprovalWorkflowManualApprovals
    A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

    • Require an approval from any user in a group G.
    • Require an approval from any k number of users from a Group G.
    • Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
    ManualApprovals EntitlementApprovalWorkflowManualApprovals
    A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

    • Require an approval from any user in a group G.
    • Require an approval from any k number of users from a Group G.
    • Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
    manualApprovals EntitlementApprovalWorkflowManualApprovals
    A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

    • Require an approval from any user in a group G.
    • Require an approval from any k number of users from a Group G.
    • Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
    manualApprovals EntitlementApprovalWorkflowManualApprovals
    A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

    • Require an approval from any user in a group G.
    • Require an approval from any k number of users from a Group G.
    • Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
    manual_approvals EntitlementApprovalWorkflowManualApprovals
    A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

    • Require an approval from any user in a group G.
    • Require an approval from any k number of users from a Group G.
    • Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
    manualApprovals Property Map
    A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

    • Require an approval from any user in a group G.
    • Require an approval from any k number of users from a Group G.
    • Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

    EntitlementApprovalWorkflowManualApprovals, EntitlementApprovalWorkflowManualApprovalsArgs

    Steps List<EntitlementApprovalWorkflowManualApprovalsStep>
    List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
    RequireApproverJustification bool
    Optional. Do the approvers need to provide a justification for their actions?
    Steps []EntitlementApprovalWorkflowManualApprovalsStep
    List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
    RequireApproverJustification bool
    Optional. Do the approvers need to provide a justification for their actions?
    steps List<EntitlementApprovalWorkflowManualApprovalsStep>
    List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
    requireApproverJustification Boolean
    Optional. Do the approvers need to provide a justification for their actions?
    steps EntitlementApprovalWorkflowManualApprovalsStep[]
    List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
    requireApproverJustification boolean
    Optional. Do the approvers need to provide a justification for their actions?
    steps Sequence[EntitlementApprovalWorkflowManualApprovalsStep]
    List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
    require_approver_justification bool
    Optional. Do the approvers need to provide a justification for their actions?
    steps List<Property Map>
    List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
    requireApproverJustification Boolean
    Optional. Do the approvers need to provide a justification for their actions?

    EntitlementApprovalWorkflowManualApprovalsStep, EntitlementApprovalWorkflowManualApprovalsStepArgs

    Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
    The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
    ApprovalsNeeded int
    How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
    ApproverEmailRecipients List<string>
    Optional. Additional email addresses to be notified when a grant is pending approval.
    Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
    The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
    ApprovalsNeeded int
    How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
    ApproverEmailRecipients []string
    Optional. Additional email addresses to be notified when a grant is pending approval.
    approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
    The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
    approvalsNeeded Integer
    How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
    approverEmailRecipients List<String>
    Optional. Additional email addresses to be notified when a grant is pending approval.
    approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
    The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
    approvalsNeeded number
    How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
    approverEmailRecipients string[]
    Optional. Additional email addresses to be notified when a grant is pending approval.
    approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
    The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
    approvals_needed int
    How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
    approver_email_recipients Sequence[str]
    Optional. Additional email addresses to be notified when a grant is pending approval.
    approvers Property Map
    The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
    approvalsNeeded Number
    How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
    approverEmailRecipients List<String>
    Optional. Additional email addresses to be notified when a grant is pending approval.

    EntitlementApprovalWorkflowManualApprovalsStepApprovers, EntitlementApprovalWorkflowManualApprovalsStepApproversArgs

    Principals List<string>
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
    Principals []string
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
    principals List<String>
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
    principals string[]
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
    principals Sequence[str]
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
    principals List<String>
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

    EntitlementEligibleUser, EntitlementEligibleUserArgs

    Principals List<string>
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
    Principals []string
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
    principals List<String>
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
    principals string[]
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
    principals Sequence[str]
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
    principals List<String>
    Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

    EntitlementPrivilegedAccess, EntitlementPrivilegedAccessArgs

    GcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
    GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
    GcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
    GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
    gcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
    GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
    gcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
    GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
    gcp_iam_access EntitlementPrivilegedAccessGcpIamAccess
    GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
    gcpIamAccess Property Map
    GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

    EntitlementPrivilegedAccessGcpIamAccess, EntitlementPrivilegedAccessGcpIamAccessArgs

    Resource string
    Name of the resource.
    ResourceType string
    The type of this resource.
    RoleBindings List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>
    Role bindings to be created on successful grant. Structure is documented below.
    Resource string
    Name of the resource.
    ResourceType string
    The type of this resource.
    RoleBindings []EntitlementPrivilegedAccessGcpIamAccessRoleBinding
    Role bindings to be created on successful grant. Structure is documented below.
    resource String
    Name of the resource.
    resourceType String
    The type of this resource.
    roleBindings List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>
    Role bindings to be created on successful grant. Structure is documented below.
    resource string
    Name of the resource.
    resourceType string
    The type of this resource.
    roleBindings EntitlementPrivilegedAccessGcpIamAccessRoleBinding[]
    Role bindings to be created on successful grant. Structure is documented below.
    resource str
    Name of the resource.
    resource_type str
    The type of this resource.
    role_bindings Sequence[EntitlementPrivilegedAccessGcpIamAccessRoleBinding]
    Role bindings to be created on successful grant. Structure is documented below.
    resource String
    Name of the resource.
    resourceType String
    The type of this resource.
    roleBindings List<Property Map>
    Role bindings to be created on successful grant. Structure is documented below.

    EntitlementPrivilegedAccessGcpIamAccessRoleBinding, EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs

    Role string
    IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
    ConditionExpression string
    The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
    Role string
    IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
    ConditionExpression string
    The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
    role String
    IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
    conditionExpression String
    The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
    role string
    IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
    conditionExpression string
    The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
    role str
    IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
    condition_expression str
    The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
    role String
    IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
    conditionExpression String
    The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

    EntitlementRequesterJustificationConfig, EntitlementRequesterJustificationConfigArgs

    NotMandatory EntitlementRequesterJustificationConfigNotMandatory
    The justification is not mandatory but can be provided in any of the supported formats.
    Unstructured EntitlementRequesterJustificationConfigUnstructured
    The requester has to provide a justification in the form of free flowing text.


    NotMandatory EntitlementRequesterJustificationConfigNotMandatory
    The justification is not mandatory but can be provided in any of the supported formats.
    Unstructured EntitlementRequesterJustificationConfigUnstructured
    The requester has to provide a justification in the form of free flowing text.


    notMandatory EntitlementRequesterJustificationConfigNotMandatory
    The justification is not mandatory but can be provided in any of the supported formats.
    unstructured EntitlementRequesterJustificationConfigUnstructured
    The requester has to provide a justification in the form of free flowing text.


    notMandatory EntitlementRequesterJustificationConfigNotMandatory
    The justification is not mandatory but can be provided in any of the supported formats.
    unstructured EntitlementRequesterJustificationConfigUnstructured
    The requester has to provide a justification in the form of free flowing text.


    not_mandatory EntitlementRequesterJustificationConfigNotMandatory
    The justification is not mandatory but can be provided in any of the supported formats.
    unstructured EntitlementRequesterJustificationConfigUnstructured
    The requester has to provide a justification in the form of free flowing text.


    notMandatory Property Map
    The justification is not mandatory but can be provided in any of the supported formats.
    unstructured Property Map
    The requester has to provide a justification in the form of free flowing text.


    Import

    Entitlement can be imported using any of these accepted formats:

    • {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}

    When using the pulumi import command, Entitlement can be imported using one of the formats above. For example:

    $ pulumi import gcp:privilegedaccessmanager/entitlement:entitlement default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi