1. Packages
  2. OVH
  3. API Docs
  4. Iam
  5. Policy
OVHCloud v1.0.0 published on Wednesday, Oct 30, 2024 by OVHcloud

ovh.Iam.Policy

Explore with Pulumi AI

ovh logo
OVHCloud v1.0.0 published on Wednesday, Oct 30, 2024 by OVHcloud

    Creates an IAM policy.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as ovh from "@ovhcloud/pulumi-ovh";
    import * as ovh from "@pulumi/ovh";
    
    const account = ovh.Me.getMe({});
    const myGroup = new ovh.me.IdentityGroup("myGroup", {description: "my_group created in Terraform"});
    const manager = new ovh.iam.Policy("manager", {
        description: "Users are allowed to use the OVH manager",
        identities: [myGroup.GroupURN],
        resources: [account.then(account => account.AccountURN)],
        allows: [
            "account:apiovh:me/get",
            "account:apiovh:me/supportLevel/get",
            "account:apiovh:me/certificates/get",
            "account:apiovh:me/tag/get",
            "account:apiovh:services/get",
            "account:apiovh:*",
        ],
    });
    
    import pulumi
    import pulumi_ovh as ovh
    
    account = ovh.Me.get_me()
    my_group = ovh.me.IdentityGroup("myGroup", description="my_group created in Terraform")
    manager = ovh.iam.Policy("manager",
        description="Users are allowed to use the OVH manager",
        identities=[my_group.group_urn],
        resources=[account.account_urn],
        allows=[
            "account:apiovh:me/get",
            "account:apiovh:me/supportLevel/get",
            "account:apiovh:me/certificates/get",
            "account:apiovh:me/tag/get",
            "account:apiovh:services/get",
            "account:apiovh:*",
        ])
    
    package main
    
    import (
    	"github.com/ovh/pulumi-ovh/sdk/go/ovh/Iam"
    	"github.com/ovh/pulumi-ovh/sdk/go/ovh/Me"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		account, err := Me.GetMe(ctx, map[string]interface{}{}, nil)
    		if err != nil {
    			return err
    		}
    		myGroup, err := Me.NewIdentityGroup(ctx, "myGroup", &Me.IdentityGroupArgs{
    			Description: pulumi.String("my_group created in Terraform"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = Iam.NewPolicy(ctx, "manager", &Iam.PolicyArgs{
    			Description: pulumi.String("Users are allowed to use the OVH manager"),
    			Identities: pulumi.StringArray{
    				myGroup.GroupURN,
    			},
    			Resources: pulumi.StringArray{
    				pulumi.String(account.AccountURN),
    			},
    			Allows: pulumi.StringArray{
    				pulumi.String("account:apiovh:me/get"),
    				pulumi.String("account:apiovh:me/supportLevel/get"),
    				pulumi.String("account:apiovh:me/certificates/get"),
    				pulumi.String("account:apiovh:me/tag/get"),
    				pulumi.String("account:apiovh:services/get"),
    				pulumi.String("account:apiovh:*"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Ovh = Pulumi.Ovh;
    
    return await Deployment.RunAsync(() => 
    {
        var account = Ovh.Me.GetMe.Invoke();
    
        var myGroup = new Ovh.Me.IdentityGroup("myGroup", new()
        {
            Description = "my_group created in Terraform",
        });
    
        var manager = new Ovh.Iam.Policy("manager", new()
        {
            Description = "Users are allowed to use the OVH manager",
            Identities = new[]
            {
                myGroup.GroupURN,
            },
            Resources = new[]
            {
                account.Apply(getMeResult => getMeResult.AccountURN),
            },
            Allows = new[]
            {
                "account:apiovh:me/get",
                "account:apiovh:me/supportLevel/get",
                "account:apiovh:me/certificates/get",
                "account:apiovh:me/tag/get",
                "account:apiovh:services/get",
                "account:apiovh:*",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.ovh.Me.MeFunctions;
    import com.pulumi.ovh.Me.IdentityGroup;
    import com.pulumi.ovh.Me.IdentityGroupArgs;
    import com.pulumi.ovh.Iam.Policy;
    import com.pulumi.ovh.Iam.PolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var account = MeFunctions.getMe();
    
            var myGroup = new IdentityGroup("myGroup", IdentityGroupArgs.builder()
                .description("my_group created in Terraform")
                .build());
    
            var manager = new Policy("manager", PolicyArgs.builder()
                .description("Users are allowed to use the OVH manager")
                .identities(myGroup.GroupURN())
                .resources(account.applyValue(getMeResult -> getMeResult.AccountURN()))
                .allows(            
                    "account:apiovh:me/get",
                    "account:apiovh:me/supportLevel/get",
                    "account:apiovh:me/certificates/get",
                    "account:apiovh:me/tag/get",
                    "account:apiovh:services/get",
                    "account:apiovh:*")
                .build());
    
        }
    }
    
    resources:
      myGroup:
        type: ovh:Me:IdentityGroup
        properties:
          description: my_group created in Terraform
      manager:
        type: ovh:Iam:Policy
        properties:
          description: Users are allowed to use the OVH manager
          identities:
            - ${myGroup.GroupURN}
          resources:
            - ${account.AccountURN}
          # these are all the actions
          allows:
            - account:apiovh:me/get
            - account:apiovh:me/supportLevel/get
            - account:apiovh:me/certificates/get
            - account:apiovh:me/tag/get
            - account:apiovh:services/get
            - account:apiovh:*
    variables:
      account:
        fn::invoke:
          Function: ovh:Me:getMe
          Arguments: {}
    

    Create Policy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               identities: Optional[Sequence[str]] = None,
               resources: Optional[Sequence[str]] = None,
               allows: Optional[Sequence[str]] = None,
               denies: Optional[Sequence[str]] = None,
               description: Optional[str] = None,
               excepts: Optional[Sequence[str]] = None,
               name: Optional[str] = None,
               permissions_groups: Optional[Sequence[str]] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: ovh:Iam:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var policyResource = new Ovh.Iam.Policy("policyResource", new()
    {
        Identities = new[]
        {
            "string",
        },
        Resources = new[]
        {
            "string",
        },
        Allows = new[]
        {
            "string",
        },
        Denies = new[]
        {
            "string",
        },
        Description = "string",
        Excepts = new[]
        {
            "string",
        },
        Name = "string",
        PermissionsGroups = new[]
        {
            "string",
        },
    });
    
    example, err := Iam.NewPolicy(ctx, "policyResource", &Iam.PolicyArgs{
    	Identities: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Resources: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Allows: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Denies: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Description: pulumi.String("string"),
    	Excepts: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Name: pulumi.String("string"),
    	PermissionsGroups: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    })
    
    var policyResource = new Policy("policyResource", PolicyArgs.builder()
        .identities("string")
        .resources("string")
        .allows("string")
        .denies("string")
        .description("string")
        .excepts("string")
        .name("string")
        .permissionsGroups("string")
        .build());
    
    policy_resource = ovh.iam.Policy("policyResource",
        identities=["string"],
        resources=["string"],
        allows=["string"],
        denies=["string"],
        description="string",
        excepts=["string"],
        name="string",
        permissions_groups=["string"])
    
    const policyResource = new ovh.iam.Policy("policyResource", {
        identities: ["string"],
        resources: ["string"],
        allows: ["string"],
        denies: ["string"],
        description: "string",
        excepts: ["string"],
        name: "string",
        permissionsGroups: ["string"],
    });
    
    type: ovh:Iam:Policy
    properties:
        allows:
            - string
        denies:
            - string
        description: string
        excepts:
            - string
        identities:
            - string
        name: string
        permissionsGroups:
            - string
        resources:
            - string
    

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Policy resource accepts the following input properties:

    Identities List<string>
    List of identities affected by the policy
    Resources List<string>
    List of resources affected by the policy
    Allows List<string>
    List of actions allowed on resources by identities
    Denies List<string>
    List of actions that will always be denied even if also allowed by this policy or another one.
    Description string
    Description of the policy
    Excepts List<string>
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    Name string
    Name of the policy, must be unique
    PermissionsGroups List<string>
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    Identities []string
    List of identities affected by the policy
    Resources []string
    List of resources affected by the policy
    Allows []string
    List of actions allowed on resources by identities
    Denies []string
    List of actions that will always be denied even if also allowed by this policy or another one.
    Description string
    Description of the policy
    Excepts []string
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    Name string
    Name of the policy, must be unique
    PermissionsGroups []string
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    identities List<String>
    List of identities affected by the policy
    resources List<String>
    List of resources affected by the policy
    allows List<String>
    List of actions allowed on resources by identities
    denies List<String>
    List of actions that will always be denied even if also allowed by this policy or another one.
    description String
    Description of the policy
    excepts List<String>
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    name String
    Name of the policy, must be unique
    permissionsGroups List<String>
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    identities string[]
    List of identities affected by the policy
    resources string[]
    List of resources affected by the policy
    allows string[]
    List of actions allowed on resources by identities
    denies string[]
    List of actions that will always be denied even if also allowed by this policy or another one.
    description string
    Description of the policy
    excepts string[]
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    name string
    Name of the policy, must be unique
    permissionsGroups string[]
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    identities Sequence[str]
    List of identities affected by the policy
    resources Sequence[str]
    List of resources affected by the policy
    allows Sequence[str]
    List of actions allowed on resources by identities
    denies Sequence[str]
    List of actions that will always be denied even if also allowed by this policy or another one.
    description str
    Description of the policy
    excepts Sequence[str]
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    name str
    Name of the policy, must be unique
    permissions_groups Sequence[str]
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    identities List<String>
    List of identities affected by the policy
    resources List<String>
    List of resources affected by the policy
    allows List<String>
    List of actions allowed on resources by identities
    denies List<String>
    List of actions that will always be denied even if also allowed by this policy or another one.
    description String
    Description of the policy
    excepts List<String>
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    name String
    Name of the policy, must be unique
    permissionsGroups List<String>
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    CreatedAt string
    Creation date of this group.
    Id string
    The provider-assigned unique ID for this managed resource.
    Owner string
    Owner of the policy.
    ReadOnly bool
    Indicates that the policy is a default one.
    UpdatedAt string
    Date of the last update of this group.
    CreatedAt string
    Creation date of this group.
    Id string
    The provider-assigned unique ID for this managed resource.
    Owner string
    Owner of the policy.
    ReadOnly bool
    Indicates that the policy is a default one.
    UpdatedAt string
    Date of the last update of this group.
    createdAt String
    Creation date of this group.
    id String
    The provider-assigned unique ID for this managed resource.
    owner String
    Owner of the policy.
    readOnly Boolean
    Indicates that the policy is a default one.
    updatedAt String
    Date of the last update of this group.
    createdAt string
    Creation date of this group.
    id string
    The provider-assigned unique ID for this managed resource.
    owner string
    Owner of the policy.
    readOnly boolean
    Indicates that the policy is a default one.
    updatedAt string
    Date of the last update of this group.
    created_at str
    Creation date of this group.
    id str
    The provider-assigned unique ID for this managed resource.
    owner str
    Owner of the policy.
    read_only bool
    Indicates that the policy is a default one.
    updated_at str
    Date of the last update of this group.
    createdAt String
    Creation date of this group.
    id String
    The provider-assigned unique ID for this managed resource.
    owner String
    Owner of the policy.
    readOnly Boolean
    Indicates that the policy is a default one.
    updatedAt String
    Date of the last update of this group.

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allows: Optional[Sequence[str]] = None,
            created_at: Optional[str] = None,
            denies: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            excepts: Optional[Sequence[str]] = None,
            identities: Optional[Sequence[str]] = None,
            name: Optional[str] = None,
            owner: Optional[str] = None,
            permissions_groups: Optional[Sequence[str]] = None,
            read_only: Optional[bool] = None,
            resources: Optional[Sequence[str]] = None,
            updated_at: Optional[str] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Allows List<string>
    List of actions allowed on resources by identities
    CreatedAt string
    Creation date of this group.
    Denies List<string>
    List of actions that will always be denied even if also allowed by this policy or another one.
    Description string
    Description of the policy
    Excepts List<string>
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    Identities List<string>
    List of identities affected by the policy
    Name string
    Name of the policy, must be unique
    Owner string
    Owner of the policy.
    PermissionsGroups List<string>
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    ReadOnly bool
    Indicates that the policy is a default one.
    Resources List<string>
    List of resources affected by the policy
    UpdatedAt string
    Date of the last update of this group.
    Allows []string
    List of actions allowed on resources by identities
    CreatedAt string
    Creation date of this group.
    Denies []string
    List of actions that will always be denied even if also allowed by this policy or another one.
    Description string
    Description of the policy
    Excepts []string
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    Identities []string
    List of identities affected by the policy
    Name string
    Name of the policy, must be unique
    Owner string
    Owner of the policy.
    PermissionsGroups []string
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    ReadOnly bool
    Indicates that the policy is a default one.
    Resources []string
    List of resources affected by the policy
    UpdatedAt string
    Date of the last update of this group.
    allows List<String>
    List of actions allowed on resources by identities
    createdAt String
    Creation date of this group.
    denies List<String>
    List of actions that will always be denied even if also allowed by this policy or another one.
    description String
    Description of the policy
    excepts List<String>
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    identities List<String>
    List of identities affected by the policy
    name String
    Name of the policy, must be unique
    owner String
    Owner of the policy.
    permissionsGroups List<String>
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    readOnly Boolean
    Indicates that the policy is a default one.
    resources List<String>
    List of resources affected by the policy
    updatedAt String
    Date of the last update of this group.
    allows string[]
    List of actions allowed on resources by identities
    createdAt string
    Creation date of this group.
    denies string[]
    List of actions that will always be denied even if also allowed by this policy or another one.
    description string
    Description of the policy
    excepts string[]
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    identities string[]
    List of identities affected by the policy
    name string
    Name of the policy, must be unique
    owner string
    Owner of the policy.
    permissionsGroups string[]
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    readOnly boolean
    Indicates that the policy is a default one.
    resources string[]
    List of resources affected by the policy
    updatedAt string
    Date of the last update of this group.
    allows Sequence[str]
    List of actions allowed on resources by identities
    created_at str
    Creation date of this group.
    denies Sequence[str]
    List of actions that will always be denied even if also allowed by this policy or another one.
    description str
    Description of the policy
    excepts Sequence[str]
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    identities Sequence[str]
    List of identities affected by the policy
    name str
    Name of the policy, must be unique
    owner str
    Owner of the policy.
    permissions_groups Sequence[str]
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    read_only bool
    Indicates that the policy is a default one.
    resources Sequence[str]
    List of resources affected by the policy
    updated_at str
    Date of the last update of this group.
    allows List<String>
    List of actions allowed on resources by identities
    createdAt String
    Creation date of this group.
    denies List<String>
    List of actions that will always be denied even if also allowed by this policy or another one.
    description String
    Description of the policy
    excepts List<String>
    List of overrides of action that must not be allowed even if they are caught by allow. Only makes sens if allow contains wildcards.
    identities List<String>
    List of identities affected by the policy
    name String
    Name of the policy, must be unique
    owner String
    Owner of the policy.
    permissionsGroups List<String>
    Set of permissions groups included in the policy. At evaluation, these permissions groups are each evaluated independently (notably, excepts actions only affect actions in the same permission group).
    readOnly Boolean
    Indicates that the policy is a default one.
    resources List<String>
    List of resources affected by the policy
    updatedAt String
    Date of the last update of this group.

    Package Details

    Repository
    ovh ovh/pulumi-ovh
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the ovh Terraform Provider.
    ovh logo
    OVHCloud v1.0.0 published on Wednesday, Oct 30, 2024 by OVHcloud