gcp.privilegedaccessmanager.Entitlement
An Entitlement defines which users are eligible to obtain a predefined level of access for a period of time, possibly after going through an approval workflow.
Example Usage
Privileged Access Manager Entitlement Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Principals that may request a grant through this entitlement.
const eligiblePrincipals = ["group:test@google.com"];

// Principals that may approve a request. The sample reuses the requester group;
// for separation of duties, name a distinct approver group here.
const approverPrincipals = ["group:test@google.com"];

// Access handed out by a grant: one conditional IAM role binding on the project.
const projectStorageAdmin = {
    roleBindings: [{
        // Sample role, bound at project scope; pick the narrowest role the task needs.
        role: "roles/storage.admin",
        // IAM condition: true only while the request time is before this fixed instant.
        conditionExpression: "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
    }],
    resource: "//cloudresourcemanager.googleapis.com/projects/my-project-name",
    resourceType: "cloudresourcemanager.googleapis.com/Project",
};

// A single manual approval step: one approval is enough to release the grant.
const singleApprovalStep = {
    approvalsNeeded: 1,
    approverEmailRecipients: ["user@example.com"],
    approvers: {
        principals: approverPrincipals,
    },
};

const tfentitlement = new gcp.privilegedaccessmanager.Entitlement("tfentitlement", {
    entitlementId: "example-entitlement",
    location: "global",
    // Upper bound for any one grant: 43200 seconds = 12 hours.
    maxRequestDuration: "43200s",
    parent: "projects/my-project-name",
    // Requesters supply a free-text (unstructured) justification.
    requesterJustificationConfig: {
        unstructured: {},
    },
    eligibleUsers: [{
        principals: eligiblePrincipals,
    }],
    privilegedAccess: {
        gcpIamAccess: projectStorageAdmin,
    },
    // Extra mailboxes notified in addition to the approver recipients below.
    additionalNotificationTargets: {
        adminEmailRecipients: ["user@example.com"],
        requesterEmailRecipients: ["user@example.com"],
    },
    // If approvalWorkflow is left out, no approval is needed before access is granted.
    approvalWorkflow: {
        manualApprovals: {
            requireApproverJustification: true,
            steps: [singleApprovalStep],
        },
    },
});
import pulumi
import pulumi_gcp as gcp
# Principals that may request a grant through this entitlement.
eligible_principals = ["group:test@google.com"]

# Principals that may approve a request. The sample reuses the requester group;
# for separation of duties, name a distinct approver group here.
approver_principals = ["group:test@google.com"]

# Access handed out by a grant: one conditional IAM role binding on the project.
project_storage_admin = {
    "role_bindings": [{
        # Sample role, bound at project scope; pick the narrowest role the task needs.
        "role": "roles/storage.admin",
        # IAM condition: true only while the request time is before this fixed instant.
        "condition_expression": "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
    }],
    "resource": "//cloudresourcemanager.googleapis.com/projects/my-project-name",
    "resource_type": "cloudresourcemanager.googleapis.com/Project",
}

# A single manual approval step: one approval is enough to release the grant.
single_approval_step = {
    "approvals_needed": 1,
    "approver_email_recipients": ["user@example.com"],
    "approvers": {
        "principals": approver_principals,
    },
}

tfentitlement = gcp.privilegedaccessmanager.Entitlement(
    "tfentitlement",
    entitlement_id="example-entitlement",
    location="global",
    # Upper bound for any one grant: 43200 seconds = 12 hours.
    max_request_duration="43200s",
    parent="projects/my-project-name",
    # Requesters supply a free-text (unstructured) justification.
    requester_justification_config={
        "unstructured": {},
    },
    eligible_users=[{
        "principals": eligible_principals,
    }],
    privileged_access={
        "gcp_iam_access": project_storage_admin,
    },
    # Extra mailboxes notified in addition to the approver recipients below.
    additional_notification_targets={
        "admin_email_recipients": ["user@example.com"],
        "requester_email_recipients": ["user@example.com"],
    },
    # If approval_workflow is left out, no approval is needed before access is granted.
    approval_workflow={
        "manual_approvals": {
            "require_approver_justification": True,
            "steps": [single_approval_step],
        },
    },
)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/privilegedaccessmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
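// main declares one Privileged Access Manager entitlement: members of a group
// may request a time-boxed, conditional roles/storage.admin binding on the
// project, and each request passes through one manual approval step.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The constructor and args type are NewEntitlement / EntitlementArgs, as in
		// the constructor syntax documented for this resource.
		_, err := privilegedaccessmanager.NewEntitlement(ctx, "tfentitlement", &privilegedaccessmanager.EntitlementArgs{
			EntitlementId: pulumi.String("example-entitlement"),
			Location:      pulumi.String("global"),
			// Upper bound for any one grant: 43200 seconds = 12 hours.
			MaxRequestDuration: pulumi.String("43200s"),
			Parent:             pulumi.String("projects/my-project-name"),
			// Requesters supply a free-text (unstructured) justification.
			RequesterJustificationConfig: &privilegedaccessmanager.EntitlementRequesterJustificationConfigArgs{
				Unstructured: &privilegedaccessmanager.EntitlementRequesterJustificationConfigUnstructuredArgs{},
			},
			// Principals that may request a grant through this entitlement.
			EligibleUsers: privilegedaccessmanager.EntitlementEligibleUserArray{
				&privilegedaccessmanager.EntitlementEligibleUserArgs{
					Principals: pulumi.StringArray{
						pulumi.String("group:test@google.com"),
					},
				},
			},
			PrivilegedAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessArgs{
				GcpIamAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessArgs{
					RoleBindings: privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArray{
						&privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs{
							// Sample role, bound at project scope; pick the narrowest role the task needs.
							Role: pulumi.String("roles/storage.admin"),
							// IAM condition: true only while the request time is before this fixed instant.
							ConditionExpression: pulumi.String("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"),
						},
					},
					Resource:     pulumi.String("//cloudresourcemanager.googleapis.com/projects/my-project-name"),
					ResourceType: pulumi.String("cloudresourcemanager.googleapis.com/Project"),
				},
			},
			// Extra mailboxes notified in addition to the approver recipients below.
			AdditionalNotificationTargets: &privilegedaccessmanager.EntitlementAdditionalNotificationTargetsArgs{
				AdminEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
				RequesterEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
			},
			// If ApprovalWorkflow is left nil, no approval is needed before access is granted.
			ApprovalWorkflow: &privilegedaccessmanager.EntitlementApprovalWorkflowArgs{
				ManualApprovals: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsArgs{
					RequireApproverJustification: pulumi.Bool(true),
					Steps: privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArray{
						&privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArgs{
							ApprovalsNeeded: pulumi.Int(1),
							ApproverEmailRecipients: pulumi.StringArray{
								pulumi.String("user@example.com"),
							},
							// The sample reuses the requester group as approvers; for
							// separation of duties, name a distinct approver group here.
							Approvers: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs{
								Principals: pulumi.StringArray{
									pulumi.String("group:test@google.com"),
								},
							},
						},
					},
				},
			},
		})
		return err
	})
}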
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
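// Declares one Privileged Access Manager entitlement: members of a group may request a
// time-boxed, conditional roles/storage.admin binding on the project, and each request
// passes through one manual approval step.
return await Deployment.RunAsync(() =>
{
    var tfentitlement = new Gcp.PrivilegedAccessManager.Entitlement("tfentitlement", new()
    {
        EntitlementId = "example-entitlement",
        Location = "global",
        // Upper bound for any one grant: 43200 seconds = 12 hours.
        MaxRequestDuration = "43200s",
        Parent = "projects/my-project-name",
        RequesterJustificationConfig = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigArgs
        {
            // An empty Unstructured object selects free-text justification, matching the
            // `unstructured: {}` of the other language examples; `null` would leave it unset.
            Unstructured = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigUnstructuredArgs(),
        },
        // Principals that may request a grant through this entitlement.
        EligibleUsers = new[]
        {
            new Gcp.PrivilegedAccessManager.Inputs.EntitlementEligibleUserArgs
            {
                Principals = new[]
                {
                    "group:test@google.com",
                },
            },
        },
        PrivilegedAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessArgs
        {
            GcpIamAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessArgs
            {
                RoleBindings = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
                    {
                        // Sample role, bound at project scope; pick the narrowest role the task needs.
                        Role = "roles/storage.admin",
                        // IAM condition: true only while the request time is before this fixed instant.
                        ConditionExpression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                    },
                },
                Resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                ResourceType = "cloudresourcemanager.googleapis.com/Project",
            },
        },
        // Extra mailboxes notified in addition to the approver recipients below.
        AdditionalNotificationTargets = new Gcp.PrivilegedAccessManager.Inputs.EntitlementAdditionalNotificationTargetsArgs
        {
            AdminEmailRecipients = new[]
            {
                "user@example.com",
            },
            RequesterEmailRecipients = new[]
            {
                "user@example.com",
            },
        },
        // If ApprovalWorkflow is left null, no approval is needed before access is granted.
        ApprovalWorkflow = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowArgs
        {
            ManualApprovals = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsArgs
            {
                RequireApproverJustification = true,
                Steps = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepArgs
                    {
                        ApprovalsNeeded = 1,
                        ApproverEmailRecipients = new[]
                        {
                            "user@example.com",
                        },
                        // The sample reuses the requester group as approvers; for separation
                        // of duties, name a distinct approver group here.
                        Approvers = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
                        {
                            Principals = new[]
                            {
                                "group:test@google.com",
                            },
                        },
                    },
                },
            },
        },
    });
});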
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.privilegedaccessmanager.entitlement;
import com.pulumi.gcp.privilegedaccessmanager.EntitlementArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigUnstructuredArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementEligibleUserArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessGcpIamAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementAdditionalNotificationTargetsArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowManualApprovalsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
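/**
 * Declares one Privileged Access Manager entitlement: members of a group may request a
 * time-boxed, conditional roles/storage.admin binding on the project, and each request
 * passes through one manual approval step.
 *
 * NOTE(review): the import list of this example names
 * {@code com.pulumi.gcp.privilegedaccessmanager.entitlement} in lower case and does not
 * import the RoleBinding, Step and StepApprovers args classes used below; confirm the
 * imports against the SDK before compiling.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers the entitlement resource with the Pulumi deployment.
     *
     * @param ctx the Pulumi context of the current deployment
     */
    public static void stack(Context ctx) {
        var tfentitlement = new Entitlement("tfentitlement", EntitlementArgs.builder()
            .entitlementId("example-entitlement")
            .location("global")
            // Upper bound for any one grant: 43200 seconds = 12 hours.
            .maxRequestDuration("43200s")
            .parent("projects/my-project-name")
            .requesterJustificationConfig(EntitlementRequesterJustificationConfigArgs.builder()
                // Pass an empty Unstructured object (free-text justification), matching the
                // `unstructured: {}` of the other language examples.
                .unstructured(EntitlementRequesterJustificationConfigUnstructuredArgs.builder().build())
                .build())
            // Principals that may request a grant through this entitlement.
            .eligibleUsers(EntitlementEligibleUserArgs.builder()
                .principals("group:test@google.com")
                .build())
            .privilegedAccess(EntitlementPrivilegedAccessArgs.builder()
                .gcpIamAccess(EntitlementPrivilegedAccessGcpIamAccessArgs.builder()
                    .roleBindings(EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs.builder()
                        // Sample role, bound at project scope; pick the narrowest role the task needs.
                        .role("roles/storage.admin")
                        // IAM condition: true only while the request time is before this fixed instant.
                        .conditionExpression("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")")
                        .build())
                    .resource("//cloudresourcemanager.googleapis.com/projects/my-project-name")
                    .resourceType("cloudresourcemanager.googleapis.com/Project")
                    .build())
                .build())
            // Extra mailboxes notified in addition to the approver recipients below.
            .additionalNotificationTargets(EntitlementAdditionalNotificationTargetsArgs.builder()
                .adminEmailRecipients("user@example.com")
                .requesterEmailRecipients("user@example.com")
                .build())
            // If approvalWorkflow is left unset, no approval is needed before access is granted.
            .approvalWorkflow(EntitlementApprovalWorkflowArgs.builder()
                .manualApprovals(EntitlementApprovalWorkflowManualApprovalsArgs.builder()
                    .requireApproverJustification(true)
                    .steps(EntitlementApprovalWorkflowManualApprovalsStepArgs.builder()
                        .approvalsNeeded(1)
                        .approverEmailRecipients("user@example.com")
                        // The sample reuses the requester group as approvers; for separation
                        // of duties, name a distinct approver group here.
                        .approvers(EntitlementApprovalWorkflowManualApprovalsStepApproversArgs.builder()
                            .principals("group:test@google.com")
                            .build())
                        .build())
                    .build())
                .build())
            .build());
    }
}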
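# One Privileged Access Manager entitlement: members of a group may request a
# time-boxed, conditional roles/storage.admin binding on the project, and each
# request passes through one manual approval step.
resources:
  tfentitlement:
    type: gcp:privilegedaccessmanager:entitlement
    properties:
      entitlementId: example-entitlement
      location: global
      # Upper bound for any one grant: 43200 seconds = 12 hours.
      maxRequestDuration: 43200s
      parent: projects/my-project-name
      # Requesters supply a free-text (unstructured) justification.
      requesterJustificationConfig:
        unstructured: {}
      # Principals that may request a grant through this entitlement.
      eligibleUsers:
        - principals:
            - group:test@google.com
      privilegedAccess:
        gcpIamAccess:
          roleBindings:
            # Sample role, bound at project scope; pick the narrowest role the task needs.
            - role: roles/storage.admin
              # IAM condition: true only while the request time is before this fixed instant.
              conditionExpression: request.time < timestamp("2024-04-23T18:30:00.000Z")
          resource: //cloudresourcemanager.googleapis.com/projects/my-project-name
          resourceType: cloudresourcemanager.googleapis.com/Project
      # Extra mailboxes notified in addition to the approver recipients below.
      additionalNotificationTargets:
        adminEmailRecipients:
          - user@example.com
        requesterEmailRecipients:
          - user@example.com
      # If approvalWorkflow is left out, no approval is needed before access is granted.
      approvalWorkflow:
        manualApprovals:
          requireApproverJustification: true
          steps:
            - approvalsNeeded: 1
              approverEmailRecipients:
                - user@example.com
              # The sample reuses the requester group as approvers; for separation
              # of duties, name a distinct approver group here.
              approvers:
                principals:
                  - group:test@google.com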
Create Entitlement Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Entitlement(name: string, args: EntitlementArgs, opts?: CustomResourceOptions);
@overload
def Entitlement(resource_name: str,
args: EntitlementArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Entitlement(resource_name: str,
opts: Optional[ResourceOptions] = None,
eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
entitlement_id: Optional[str] = None,
location: Optional[str] = None,
max_request_duration: Optional[str] = None,
parent: Optional[str] = None,
privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None)
func NewEntitlement(ctx *Context, name string, args EntitlementArgs, opts ...ResourceOption) (*Entitlement, error)
public Entitlement(string name, EntitlementArgs args, CustomResourceOptions? opts = null)
public Entitlement(String name, EntitlementArgs args)
public Entitlement(String name, EntitlementArgs args, CustomResourceOptions options)
type: gcp:privilegedaccessmanager/entitlement:entitlement
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args EntitlementArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args EntitlementArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args EntitlementArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args EntitlementArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args EntitlementArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Entitlement Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Entitlement resource accepts the following input properties:
- EligibleUsers List<EntitlementEligibleUserArgs>
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- EntitlementId string
- The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- Location string
- The region of the Entitlement resource.
- MaxRequestDuration string
- The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and append 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- Parent string
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- PrivilegedAccess EntitlementPrivilegedAccessArgs
- Privileged access that this service can be used to gate. Structure is documented below.
- RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
- Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
- AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
- AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow EntitlementApprovalWorkflowArgs
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null, so requests from eligible users are granted without review. Different types of approval workflows can be used to gate the granting of privileged access.
- EligibleUsers []EntitlementEligibleUserArgs
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- EntitlementId string
- The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- Location string
- The region of the Entitlement resource.
- MaxRequestDuration string
- The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and append 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- Parent string
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- PrivilegedAccess EntitlementPrivilegedAccessArgs
- Privileged access that this service can be used to gate. Structure is documented below.
- RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
- Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
- AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
- AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow EntitlementApprovalWorkflowArgs
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null, so requests from eligible users are granted without review. Different types of approval workflows can be used to gate the granting of privileged access.
- eligibleUsers List<EntitlementEligibleUserArgs>
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlementId String
- The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- location String
- The region of the Entitlement resource.
- maxRequestDuration String
- The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and append 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- parent String
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privilegedAccess EntitlementPrivilegedAccessArgs
- Privileged access that this service can be used to gate. Structure is documented below.
- requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
- Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
- additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
- AdditionalNotificationTargets includes email addresses to be notified.
- approvalWorkflow EntitlementApprovalWorkflowArgs
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null, so requests from eligible users are granted without review. Different types of approval workflows can be used to gate the granting of privileged access.
- eligibleUsers EntitlementEligibleUserArgs[]
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlementId string
- The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- location string
- The region of the Entitlement resource.
- maxRequestDuration string
- The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and append 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- parent string
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privilegedAccess EntitlementPrivilegedAccessArgs
- Privileged access that this service can be used to gate. Structure is documented below.
- requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
- Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
- additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
- AdditionalNotificationTargets includes email addresses to be notified.
- approvalWorkflow EntitlementApprovalWorkflowArgs
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null, so requests from eligible users are granted without review. Different types of approval workflows can be used to gate the granting of privileged access.
- eligible_users Sequence[EntitlementEligibleUserArgs]
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlement_id str
- The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- location str
- The region of the Entitlement resource.
- max_request_duration str
- The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and append 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- parent str
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged_access EntitlementPrivilegedAccessArgs
- Privileged access that this service can be used to gate. Structure is documented below.
- requester_justification_config EntitlementRequesterJustificationConfigArgs
- Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
- additional_notification_targets EntitlementAdditionalNotificationTargetsArgs
- AdditionalNotificationTargets includes email addresses to be notified.
- approval_workflow EntitlementApprovalWorkflowArgs
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null, so requests from eligible users are granted without review. Different types of approval workflows can be used to gate the granting of privileged access.
- eligibleUsers List<Property Map>
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlementId String
- The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- location String
- The region of the Entitlement resource.
- maxRequestDuration String
- The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and append 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- parent String
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privilegedAccess Property Map
- Privileged access that this service can be used to gate. Structure is documented below.
- requesterJustificationConfig Property Map
- Defines the ways in which a requester should provide the justification while requesting access. Structure is documented below.
- additionalNotificationTargets Property Map
- AdditionalNotificationTargets includes email addresses to be notified.
- approvalWorkflow Property Map
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null, so requests from eligible users are granted without review. Different types of approval workflows can be used to gate the granting of privileged access.
Outputs
All input properties are implicitly available as output properties. Additionally, the Entitlement resource produces the following output properties:
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag String
- For Resource freshness validation (https://google.aip.dev/154)
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag string
- For Resource freshness validation (https://google.aip.dev/154)
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state string
- Output only. The current state of the Entitlement.
- update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create_
time str - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag str
- For Resource freshness validation (https://google.aip.dev/154)
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state str
- Output only. The current state of the Entitlement.
- update_
time str - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag String
- For Resource freshness validation (https://google.aip.dev/154)
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Look up Existing Entitlement Resource
Get an existing Entitlement resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: EntitlementState, opts?: CustomResourceOptions): Entitlement
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None,
create_time: Optional[str] = None,
eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
entitlement_id: Optional[str] = None,
etag: Optional[str] = None,
location: Optional[str] = None,
max_request_duration: Optional[str] = None,
name: Optional[str] = None,
parent: Optional[str] = None,
privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
state: Optional[str] = None,
update_time: Optional[str] = None) -> Entitlement
func GetEntitlement(ctx *Context, name string, id IDInput, state *EntitlementState, opts ...ResourceOption) (*Entitlement, error)
public static Entitlement Get(string name, Input<string> id, EntitlementState? state, CustomResourceOptions? opts = null)
public static Entitlement get(String name, Output<String> id, EntitlementState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow EntitlementApprovalWorkflowArgs
- The approvals needed before access is granted to a requester. If this field is null, no approvals are needed, so requests are granted without an approver's review. The field selects among the different types of approval workflow that can be used to gate the granting of privileged access.
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- EligibleUsers List<EntitlementEligibleUserArgs>
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- EntitlementId string
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Location string
- The region of the Entitlement resource.
- MaxRequestDuration string
- The maximum amount of time for which access would be granted for a request. A requester can ask for access for less than this duration but never more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- Parent string
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- Privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- Requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow EntitlementApprovalWorkflowArgs
- The approvals needed before access is granted to a requester. If this field is null, no approvals are needed, so requests are granted without an approver's review. The field selects among the different types of approval workflow that can be used to gate the granting of privileged access.
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- EligibleUsers []EntitlementEligibleUserArgs
- Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- Entitlement
Id string - The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Location string
- The region of the Entitlement resource.
- Max
Request stringDuration - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- Parent string
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- Privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- Requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval
Workflow EntitlementApproval Workflow Args - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligible
Users List<EntitlementEligible User Args> - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement
Id String - The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - etag String
- For Resource freshness validation (https://google.aip.dev/154)
- location String
- The region of the Entitlement resource.
- max
Request StringDuration - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent String
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval
Workflow EntitlementApproval Workflow Args - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligible
Users EntitlementEligible User Args[] - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement
Id string - The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - etag string
- For Resource freshness validation (https://google.aip.dev/154)
- location string
- The region of the Entitlement resource.
- max
Request stringDuration - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent string
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state string
- Output only. The current state of the Entitlement.
- update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional_
notification_ Entitlementtargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval_workflow EntitlementApprovalWorkflowArgs
- The approvals needed before access is granted to a requester. If this field is null, no approvals are needed, so requests are granted without an approver's review. The field selects among the different types of approval workflow that can be used to gate the granting of privileged access.
- create_
time str - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligible_
users Sequence[EntitlementEligible User Args] - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement_
id str - The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - etag str
- For Resource freshness validation (https://google.aip.dev/154)
- location str
- The region of the Entitlement resource.
- max_request_duration str
- The maximum amount of time for which access would be granted for a request. A requester can ask for access for less than this duration but never more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- name str
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent str
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged_
access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester_
justification_ Entitlementconfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state str
- Output only. The current state of the Entitlement.
- update_
time str - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional
Notification Property MapTargets - AdditionalNotificationTargets includes email addresses to be notified.
- approval
Workflow Property Map - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligible
Users List<Property Map> - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement
Id String - The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - etag String
- For Resource freshness validation (https://google.aip.dev/154)
- location String
- The region of the Entitlement resource.
- max
Request StringDuration - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent String
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access Property Map - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification Property MapConfig - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Supporting Types
EntitlementAdditionalNotificationTargets, EntitlementAdditionalNotificationTargetsArgs
- AdminEmailRecipients List<string>
- Optional. Additional email addresses to be notified when a principal (requester) is granted access.
- RequesterEmailRecipients List<string>
- Optional. Additional email addresses to be notified about an eligible entitlement.
- Admin
Email []stringRecipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- Requester
Email []stringRecipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin
Email List<String>Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester
Email List<String>Recipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin
Email string[]Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester
Email string[]Recipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin_
email_ Sequence[str]recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester_
email_ Sequence[str]recipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin
Email List<String>Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester
Email List<String>Recipients - Optional. Additional email address to be notified about an eligible entitlement.
EntitlementApprovalWorkflow, EntitlementApprovalWorkflowArgs
- ManualApprovals EntitlementApprovalWorkflowManualApprovals
- A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U. etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
- Manual
Approvals EntitlementApproval Workflow Manual Approvals - A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant.
The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as
- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U. etc.
A single user might be part of
approvers
ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
- manual
Approvals EntitlementApproval Workflow Manual Approvals - A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant.
The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as
- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U. etc.
A single user might be part of
approvers
ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
- manual
Approvals EntitlementApproval Workflow Manual Approvals - A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant.
The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as
- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U. etc.
A single user might be part of
approvers
ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
- manual_
approvals EntitlementApproval Workflow Manual Approvals - A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant.
The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as
- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U. etc.
A single user might be part of
approvers
ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
- manual
Approvals Property Map - A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant.
The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as
- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U. etc.
A single user might be part of
approvers
ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
EntitlementApprovalWorkflowManualApprovals, EntitlementApprovalWorkflowManualApprovalsArgs
- Steps List<EntitlementApprovalWorkflowManualApprovalsStep>
- List of approval steps in this workflow. These steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- RequireApproverJustification bool
- Optional. Whether the approvers need to provide a justification for their actions.
- Steps
[]Entitlement
Approval Workflow Manual Approvals Step - List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
- Require
Approver boolJustification - Optional. Do the approvers need to provide a justification for their actions?
- steps
List<Entitlement
Approval Workflow Manual Approvals Step> - List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
- require
Approver BooleanJustification - Optional. Do the approvers need to provide a justification for their actions?
- steps
Entitlement
Approval Workflow Manual Approvals Step[] - List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
- require
Approver booleanJustification - Optional. Do the approvers need to provide a justification for their actions?
- steps
Sequence[Entitlement
Approval Workflow Manual Approvals Step] - List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
- require_
approver_ booljustification - Optional. Do the approvers need to provide a justification for their actions?
- steps List<Property Map>
- List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
- require
Approver BooleanJustification - Optional. Do the approvers need to provide a justification for their actions?
EntitlementApprovalWorkflowManualApprovalsStep, EntitlementApprovalWorkflowManualApprovalsStepArgs
- Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
- The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- ApprovalsNeeded int
- How many users from the above list need to approve. If there are not enough distinct users in the list above, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- ApproverEmailRecipients List<string>
- Optional. Additional email addresses to be notified when a grant is pending approval.
- Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers
- The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- ApprovalsNeeded int
- How many users from the above list need to approve. If there are not enough distinct users in the list above, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- ApproverEmailRecipients []string
- Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers
Entitlement
Approval Workflow Manual Approvals Step Approvers - The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
- approvals
Needed Integer - How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
- approver
Email List<String>Recipients - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers
Entitlement
Approval Workflow Manual Approvals Step Approvers - The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
- approvals
Needed number - How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
- approver
Email string[]Recipients - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers
Entitlement
Approval Workflow Manual Approvals Step Approvers - The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
- approvals_
needed int - How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
- approver_
email_ Sequence[str]recipients - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers Property Map
- The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
- approvals
Needed Number - How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
- approver
Email List<String>Recipients - Optional. Additional email addresses to be notified when a grant is pending approval.
EntitlementApprovalWorkflowManualApprovalsStepApprovers, EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
- Principals List<string>
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- Principals []string
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals List<String>
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals string[]
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals Sequence[str]
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals List<String>
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
EntitlementEligibleUser, EntitlementEligibleUserArgs
- Principals List<string>
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- Principals []string
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals List<String>
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals string[]
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals Sequence[str]
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals List<String>
- Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
EntitlementPrivilegedAccess, EntitlementPrivilegedAccessArgs
- GcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
- GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- GcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
- GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
- GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcpIamAccess EntitlementPrivilegedAccessGcpIamAccess
- GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcp_iam_access EntitlementPrivilegedAccessGcpIamAccess
- GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcpIamAccess Property Map
- GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
EntitlementPrivilegedAccessGcpIamAccess, EntitlementPrivilegedAccessGcpIamAccessArgs
- Resource string
- Name of the resource.
- ResourceType string
- The type of this resource.
- RoleBindings List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>
- Role bindings to be created on successful grant. Structure is documented below.
- Resource string
- Name of the resource.
- ResourceType string
- The type of this resource.
- RoleBindings []EntitlementPrivilegedAccessGcpIamAccessRoleBinding
- Role bindings to be created on successful grant. Structure is documented below.
- resource String
- Name of the resource.
- resourceType String
- The type of this resource.
- roleBindings List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>
- Role bindings to be created on successful grant. Structure is documented below.
- resource string
- Name of the resource.
- resourceType string
- The type of this resource.
- roleBindings EntitlementPrivilegedAccessGcpIamAccessRoleBinding[]
- Role bindings to be created on successful grant. Structure is documented below.
- resource str
- Name of the resource.
- resource_type str
- The type of this resource.
- role_bindings Sequence[EntitlementPrivilegedAccessGcpIamAccessRoleBinding]
- Role bindings to be created on successful grant. Structure is documented below.
- resource String
- Name of the resource.
- resourceType String
- The type of this resource.
- roleBindings List<Property Map>
- Role bindings to be created on successful grant. Structure is documented below.
EntitlementPrivilegedAccessGcpIamAccessRoleBinding, EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
- Role string
- IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- ConditionExpression string
- The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
- Role string
- IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- ConditionExpression string
- The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
- role String
- IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- conditionExpression String
- The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
- role string
- IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- conditionExpression string
- The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
- role str
- IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- condition_expression str
- The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
- role String
- IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- conditionExpression String
- The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
EntitlementRequesterJustificationConfig, EntitlementRequesterJustificationConfigArgs
- NotMandatory EntitlementRequesterJustificationConfigNotMandatory
- The justification is not mandatory but can be provided in any of the supported formats.
- Unstructured EntitlementRequesterJustificationConfigUnstructured
- The requester has to provide a justification in the form of free flowing text.
- NotMandatory EntitlementRequesterJustificationConfigNotMandatory
- The justification is not mandatory but can be provided in any of the supported formats.
- Unstructured EntitlementRequesterJustificationConfigUnstructured
- The requester has to provide a justification in the form of free flowing text.
- notMandatory EntitlementRequesterJustificationConfigNotMandatory
- The justification is not mandatory but can be provided in any of the supported formats.
- unstructured EntitlementRequesterJustificationConfigUnstructured
- The requester has to provide a justification in the form of free flowing text.
- notMandatory EntitlementRequesterJustificationConfigNotMandatory
- The justification is not mandatory but can be provided in any of the supported formats.
- unstructured EntitlementRequesterJustificationConfigUnstructured
- The requester has to provide a justification in the form of free flowing text.
- not_mandatory EntitlementRequesterJustificationConfigNotMandatory
- The justification is not mandatory but can be provided in any of the supported formats.
- unstructured EntitlementRequesterJustificationConfigUnstructured
- The requester has to provide a justification in the form of free flowing text.
- notMandatory Property Map
- The justification is not mandatory but can be provided in any of the supported formats.
- unstructured Property Map
- The requester has to provide a justification in the form of free flowing text.
Import
Entitlement can be imported using any of these accepted formats:
{{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
When using the pulumi import command, Entitlement can be imported using one of the formats above. For example:
$ pulumi import gcp:privilegedaccessmanager/entitlement:Entitlement default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.