forked from hashicorp/terraform-provider-google
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
IAM resources for KMS KeyRIng and CryptoKey (hashicorp#781)
* Add IAM bindings and member resources for KMS KeyRings * Add IAM bindings and member resources for KMS CryptoKeys * Docs for key ring and crypto key IAM resources * Exctract KMS policy conversions to helper functions * Split iam_binding and iam_member tests for KMS * Docs for kms IAM member resources * Run KMS IAM tests in own project
- Loading branch information
1 parent
e9e7fcc
commit 2f48211
Showing
5 changed files
with
199 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| --- | ||
| layout: "google" | ||
| page_title: "Google: google_kms_crypto_key_iam_binding" | ||
| sidebar_current: "docs-google-kms-crypto-key-iam-binding" | ||
| description: |- | ||
| Allows management of a single binding with an IAM policy for a Google Cloud KMS crypto key | ||
| --- | ||
|
|
||
| # google\_kms\_crypto\_key\_iam\_binding | ||
|
|
||
| Allows creation and management of a single binding within IAM policy for | ||
| an existing Google Cloud KMS crypto key. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```hcl | ||
| resource "google_kms_crypto_key_binding" "crypto_key" { | ||
| crypto_key_id = "your-crypto-key-id" | ||
| role = "roles/editor" | ||
| members = [ | ||
| "user:[email protected]", | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| ## Argument Reference | ||
|
|
||
| The following arguments are supported: | ||
|
|
||
| * `members` - (Required) A list of users that the role should apply to. | ||
|
|
||
| * `role` - (Required) The role that should be applied. Only one | ||
| `google_kms_crypto_key_iam_binding` can be used per role. | ||
|
|
||
| * `crypto_key_id` - (Required) The crypto key ID, in the form | ||
| `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or | ||
| `{location_name}/{key_ring_name}/{crypto_key_name}`. | ||
| In the second form, the provider's project setting will be used as a fallback. | ||
|
|
||
| ## Attributes Reference | ||
|
|
||
| In addition to the arguments listed above, the following computed attributes are | ||
| exported: | ||
|
|
||
| * `etag` - (Computed) The etag of the crypto key's IAM policy. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| --- | ||
| layout: "google" | ||
| page_title: "Google: google_kms_crypto_key_iam_member" | ||
| sidebar_current: "docs-google-kms-crypto-key-iam-member" | ||
| description: |- | ||
| Allows management of a single member for a single binding on the IAM policy for a Google Cloud KMS crypto key. | ||
| --- | ||
|
|
||
| # google\_kms\_crypto\_key\_iam\_member | ||
|
|
||
| Allows creation and management of a single member for a single binding within | ||
| the IAM policy for an existing Google Cloud KMS crypto key. | ||
|
|
||
| ~> **Note:** This resource _must not_ be used in conjunction with | ||
| `google_kms_crypto_key_iam_policy` or they will fight over what your policy | ||
| should be. Similarly, roles controlled by `google_kms_crypto_key_iam_binding` | ||
| should not be assigned to using `google_kms_crypto_key_iam_member`. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```hcl | ||
| resource "google_kms_crypto_key_iam_member" "crypto_key" { | ||
| crypto_key_id = "your-crypto-key-id" | ||
| role = "roles/editor" | ||
| member = "user:[email protected]" | ||
| } | ||
| ``` | ||
|
|
||
| ## Argument Reference | ||
|
|
||
| The following arguments are supported: | ||
|
|
||
| * `member` - (Required) The user that the role should apply to. | ||
|
|
||
| * `role` - (Required) The role that should be applied. | ||
|
|
||
| * `crypto_key_id` - (Required) The key ring ID, in the form | ||
| `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or | ||
| `{location_name}/{key_ring_name}/{crypto_key_name}`. In the second form, | ||
| the provider's project setting will be used as a fallback. | ||
|
|
||
| ## Attributes Reference | ||
|
|
||
| In addition to the arguments listed above, the following computed attributes are | ||
| exported: | ||
|
|
||
| * `etag` - (Computed) The etag of the project's IAM policy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| --- | ||
| layout: "google" | ||
| page_title: "Google: google_kms_key_ring_iam_binding" | ||
| sidebar_current: "docs-google-kms-key-ring-iam-binding" | ||
| description: |- | ||
| Allows management of a single binding with an IAM policy for a Google Cloud KMS key ring | ||
| --- | ||
|
|
||
| # google\_kms\_key\_ring\_iam\_binding | ||
|
|
||
| Allows creation and management of a single binding within IAM policy for | ||
| an existing Google Cloud KMS key ring. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```hcl | ||
| resource "google_kms_key_ring_binding" "key_ring" { | ||
| key_ring_id = "your-key-ring-id" | ||
| role = "roles/editor" | ||
| members = [ | ||
| "user:[email protected]", | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| ## Argument Reference | ||
|
|
||
| The following arguments are supported: | ||
|
|
||
| * `members` - (Required) A list of users that the role should apply to. | ||
|
|
||
| * `role` - (Required) The role that should be applied. Only one | ||
| `google_kms_key_ring_iam_binding` can be used per role. | ||
|
|
||
| * `key_ring_id` - (Required) The key ring ID, in the form | ||
| `{project_id}/{location_name}/{key_ring_name}` or | ||
| `{location_name}/{key_ring_name}`. In the second form, the provider's | ||
| project setting will be used as a fallback. | ||
| ## Attributes Reference | ||
|
|
||
| In addition to the arguments listed above, the following computed attributes are | ||
| exported: | ||
|
|
||
| * `etag` - (Computed) The etag of the key ring's IAM policy. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| --- | ||
| layout: "google" | ||
| page_title: "Google: google_kms_key_ring_iam_member" | ||
| sidebar_current: "docs-google-kms-key-ring-iam-member" | ||
| description: |- | ||
| Allows management of a single member for a single binding on the IAM policy for a Google Cloud KMS key ring. | ||
| --- | ||
|
|
||
| # google\_kms\_key\_ring\_iam\_member | ||
|
|
||
| Allows creation and management of a single member for a single binding within | ||
| the IAM policy for an existing Google Cloud KMS key ring. | ||
|
|
||
| ~> **Note:** This resource _must not_ be used in conjunction with | ||
| `google_kms_key_ring_iam_policy` or they will fight over what your policy | ||
| should be. Similarly, roles controlled by `google_kms_key_ring_iam_binding` | ||
| should not be assigned to using `google_kms_key_ring_iam_member`. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```hcl | ||
| resource "google_kms_key_ring_iam_member" "key_ring" { | ||
| key_ring_id = "your-key-ring-id" | ||
| role = "roles/editor" | ||
| member = "user:[email protected]" | ||
| } | ||
| ``` | ||
|
|
||
| ## Argument Reference | ||
|
|
||
| The following arguments are supported: | ||
|
|
||
| * `member` - (Required) The user that the role should apply to. | ||
|
|
||
| * `role` - (Required) The role that should be applied. | ||
|
|
||
| * `key_ring_id` - (Required) The key ring ID, in the form | ||
| `{project_id}/{location_name}/{key_ring_name}` or | ||
| `{location_name}/{key_ring_name}`. In the second form, the provider's | ||
| project setting will be used as a fallback. | ||
|
|
||
| ## Attributes Reference | ||
|
|
||
| In addition to the arguments listed above, the following computed attributes are | ||
| exported: | ||
|
|
||
| * `etag` - (Computed) The etag of the project's IAM policy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters