gcp.privilegedaccessmanager.Entitlement
An Entitlement defines which users are eligible to obtain a predefined level of access for a limited time, possibly after going through an approval workflow.
To get more information about Entitlement, see:
Example Usage
Privileged Access Manager Entitlement Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Principals that may request a grant, and principals that may approve one.
// NOTE(review): both lists name the same group in this example; in a real
// deployment use a separate approver group so approval is an independent check.
const requesterPrincipals = ["group:test@google.com"];
const approverPrincipals = ["group:test@google.com"];

// The access handed out by an approved grant: one conditional role binding on
// the placeholder project. roles/storage.admin is a broad role (full control of
// Cloud Storage buckets and objects); pick the narrowest role that fits.
const iamAccess = {
    roleBindings: [{
        role: "roles/storage.admin",
        // Fixed cut-off instant. Once it has passed the condition is false and
        // the binding grants nothing, so replace it before reusing this example.
        conditionExpression: "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
    }],
    resource: "//cloudresourcemanager.googleapis.com/projects/my-project-name",
    resourceType: "cloudresourcemanager.googleapis.com/Project",
};

// Extra e-mail recipients for entitlement notifications.
const notificationTargets = {
    adminEmailRecipients: ["user@example.com"],
    requesterEmailRecipients: ["user@example.com"],
};

// A single manual approval step: one approval, and the approver must justify it.
const manualApprovals = {
    requireApproverJustification: true,
    steps: [{
        approvalsNeeded: 1,
        approverEmailRecipients: ["user@example.com"],
        approvers: {
            principals: approverPrincipals,
        },
    }],
};

const tfentitlement = new gcp.privilegedaccessmanager.Entitlement("tfentitlement", {
    entitlementId: "example-entitlement",
    location: "global",
    // Upper bound on a single grant: 43200 seconds = 12 hours.
    maxRequestDuration: "43200s",
    parent: "projects/my-project-name",
    // `unstructured` asks the requester for a free-text justification.
    requesterJustificationConfig: { unstructured: {} },
    eligibleUsers: [{ principals: requesterPrincipals }],
    privilegedAccess: { gcpIamAccess: iamAccess },
    additionalNotificationTargets: notificationTargets,
    // Omitting approvalWorkflow would mean no approval is needed before access is granted.
    approvalWorkflow: { manualApprovals: manualApprovals },
});
import pulumi
import pulumi_gcp as gcp
# Principals that may request a grant, and principals that may approve one.
# NOTE(review): both lists name the same group in this example; in a real
# deployment use a separate approver group so approval is an independent check.
requester_principals = ["group:test@google.com"]
approver_principals = ["group:test@google.com"]

# The access handed out by an approved grant: one conditional role binding on
# the placeholder project. roles/storage.admin is a broad role (full control of
# Cloud Storage buckets and objects); pick the narrowest role that fits.
iam_access = {
    "role_bindings": [{
        "role": "roles/storage.admin",
        # Fixed cut-off instant. Once it has passed the condition is false and
        # the binding grants nothing, so replace it before reusing this example.
        "condition_expression": "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
    }],
    "resource": "//cloudresourcemanager.googleapis.com/projects/my-project-name",
    "resource_type": "cloudresourcemanager.googleapis.com/Project",
}

# Extra e-mail recipients for entitlement notifications.
notification_targets = {
    "admin_email_recipients": ["user@example.com"],
    "requester_email_recipients": ["user@example.com"],
}

# A single manual approval step: one approval, and the approver must justify it.
approval_step = {
    "approvals_needed": 1,
    "approver_email_recipients": ["user@example.com"],
    "approvers": {
        "principals": approver_principals,
    },
}

tfentitlement = gcp.privilegedaccessmanager.Entitlement(
    "tfentitlement",
    entitlement_id="example-entitlement",
    location="global",
    # Upper bound on a single grant: 43200 seconds = 12 hours.
    max_request_duration="43200s",
    parent="projects/my-project-name",
    # "unstructured" asks the requester for a free-text justification.
    requester_justification_config={"unstructured": {}},
    eligible_users=[{"principals": requester_principals}],
    privileged_access={"gcp_iam_access": iam_access},
    additional_notification_targets=notification_targets,
    # Omitting approval_workflow would mean no approval is needed before access is granted.
    approval_workflow={
        "manual_approvals": {
            "require_approver_justification": True,
            "steps": [approval_step],
        },
    },
)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/privilegedaccessmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
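// main declares one Privileged Access Manager entitlement that lets members of
// a group request time-boxed roles/storage.admin on a placeholder project,
// subject to a single manual approval step.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The constructor and its args type are exported as NewEntitlement and
		// EntitlementArgs (see the constructor syntax on this page); the
		// lower-case spellings are unexported names and do not compile.
		_, err := privilegedaccessmanager.NewEntitlement(ctx, "tfentitlement", &privilegedaccessmanager.EntitlementArgs{
			EntitlementId: pulumi.String("example-entitlement"),
			Location:      pulumi.String("global"),
			// Upper bound on a single grant: 43200 seconds = 12 hours.
			MaxRequestDuration: pulumi.String("43200s"),
			Parent:             pulumi.String("projects/my-project-name"),
			// Unstructured asks the requester for a free-text justification.
			RequesterJustificationConfig: &privilegedaccessmanager.EntitlementRequesterJustificationConfigArgs{
				Unstructured: &privilegedaccessmanager.EntitlementRequesterJustificationConfigUnstructuredArgs{},
			},
			// Who may request a grant.
			// NOTE(review): the same group is also the approver below; in a real
			// deployment use a separate approver group so approval is an
			// independent check.
			EligibleUsers: privilegedaccessmanager.EntitlementEligibleUserArray{
				&privilegedaccessmanager.EntitlementEligibleUserArgs{
					Principals: pulumi.StringArray{
						pulumi.String("group:test@google.com"),
					},
				},
			},
			// The access handed out by an approved grant. roles/storage.admin is a
			// broad role (full control of Cloud Storage buckets and objects); pick
			// the narrowest role that fits.
			PrivilegedAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessArgs{
				GcpIamAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessArgs{
					RoleBindings: privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArray{
						&privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs{
							Role: pulumi.String("roles/storage.admin"),
							// Fixed cut-off instant. Once it has passed the
							// condition is false and the binding grants nothing,
							// so replace it before reusing this example.
							ConditionExpression: pulumi.String("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"),
						},
					},
					Resource:     pulumi.String("//cloudresourcemanager.googleapis.com/projects/my-project-name"),
					ResourceType: pulumi.String("cloudresourcemanager.googleapis.com/Project"),
				},
			},
			// Extra e-mail recipients for entitlement notifications.
			AdditionalNotificationTargets: &privilegedaccessmanager.EntitlementAdditionalNotificationTargetsArgs{
				AdminEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
				RequesterEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
			},
			// One manual approval step. Leaving ApprovalWorkflow unset would mean
			// no approval is needed before access is granted.
			ApprovalWorkflow: &privilegedaccessmanager.EntitlementApprovalWorkflowArgs{
				ManualApprovals: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsArgs{
					RequireApproverJustification: pulumi.Bool(true),
					Steps: privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArray{
						&privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArgs{
							ApprovalsNeeded: pulumi.Int(1),
							ApproverEmailRecipients: pulumi.StringArray{
								pulumi.String("user@example.com"),
							},
							Approvers: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs{
								Principals: pulumi.StringArray{
									pulumi.String("group:test@google.com"),
								},
							},
						},
					},
				},
			},
		})
		// err is nil on success, so it can be returned directly.
		return err
	})
}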
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
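// Declares one Privileged Access Manager entitlement that lets members of a
// group request time-boxed roles/storage.admin on a placeholder project,
// subject to a single manual approval step.
return await Deployment.RunAsync(() =>
{
    var tfentitlement = new Gcp.PrivilegedAccessManager.Entitlement("tfentitlement", new()
    {
        EntitlementId = "example-entitlement",
        Location = "global",
        // Upper bound on a single grant: 43200 seconds = 12 hours.
        MaxRequestDuration = "43200s",
        Parent = "projects/my-project-name",
        RequesterJustificationConfig = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigArgs
        {
            // The other language examples on this page pass an empty
            // `unstructured` object (free-text justification). Assigning null
            // leaves the option unset, so an empty args object is used instead.
            Unstructured = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigUnstructuredArgs(),
        },
        // Who may request a grant.
        // NOTE(review): the same group is also the approver below; in a real
        // deployment use a separate approver group so approval is an
        // independent check.
        EligibleUsers = new[]
        {
            new Gcp.PrivilegedAccessManager.Inputs.EntitlementEligibleUserArgs
            {
                Principals = new[]
                {
                    "group:test@google.com",
                },
            },
        },
        // The access handed out by an approved grant. roles/storage.admin is a
        // broad role (full control of Cloud Storage buckets and objects); pick
        // the narrowest role that fits.
        PrivilegedAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessArgs
        {
            GcpIamAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessArgs
            {
                RoleBindings = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
                    {
                        Role = "roles/storage.admin",
                        // Fixed cut-off instant. Once it has passed the
                        // condition is false and the binding grants nothing,
                        // so replace it before reusing this example.
                        ConditionExpression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                    },
                },
                Resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                ResourceType = "cloudresourcemanager.googleapis.com/Project",
            },
        },
        // Extra e-mail recipients for entitlement notifications.
        AdditionalNotificationTargets = new Gcp.PrivilegedAccessManager.Inputs.EntitlementAdditionalNotificationTargetsArgs
        {
            AdminEmailRecipients = new[]
            {
                "user@example.com",
            },
            RequesterEmailRecipients = new[]
            {
                "user@example.com",
            },
        },
        // One manual approval step. Leaving ApprovalWorkflow unset would mean
        // no approval is needed before access is granted.
        ApprovalWorkflow = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowArgs
        {
            ManualApprovals = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsArgs
            {
                RequireApproverJustification = true,
                Steps = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepArgs
                    {
                        ApprovalsNeeded = 1,
                        ApproverEmailRecipients = new[]
                        {
                            "user@example.com",
                        },
                        Approvers = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
                        {
                            Principals = new[]
                            {
                                "group:test@google.com",
                            },
                        },
                    },
                },
            },
        },
    });
});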
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.privilegedaccessmanager.entitlement;
import com.pulumi.gcp.privilegedaccessmanager.entitlementArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigUnstructuredArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementEligibleUserArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessGcpIamAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementAdditionalNotificationTargetsArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowManualApprovalsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares one Privileged Access Manager entitlement that lets members of a
 * group request time-boxed roles/storage.admin on a placeholder project,
 * subject to a single manual approval step.
 *
 * NOTE(review): this listing's import lines name {@code entitlement} and
 * {@code entitlementArgs} in lower case and do not import the RoleBinding, Step
 * and StepApprovers argument classes used below; the imports must match the
 * class names used here for the file to compile.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // "unstructured" asks the requester for a free-text justification.
        var justification = EntitlementRequesterJustificationConfigArgs.builder()
            .unstructured(EntitlementRequesterJustificationConfigUnstructuredArgs.builder().build())
            .build();

        // Who may request a grant.
        // NOTE(review): the same group is also the approver below; in a real
        // deployment use a separate approver group so approval is an
        // independent check.
        var requesters = EntitlementEligibleUserArgs.builder()
            .principals("group:test@google.com")
            .build();

        // roles/storage.admin is a broad role (full control of Cloud Storage
        // buckets and objects); pick the narrowest role that fits. The condition
        // is a fixed cut-off instant: once it has passed the binding grants
        // nothing, so replace it before reusing this example.
        var binding = EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs.builder()
            .role("roles/storage.admin")
            .conditionExpression("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")")
            .build();

        var access = EntitlementPrivilegedAccessArgs.builder()
            .gcpIamAccess(EntitlementPrivilegedAccessGcpIamAccessArgs.builder()
                .roleBindings(binding)
                .resource("//cloudresourcemanager.googleapis.com/projects/my-project-name")
                .resourceType("cloudresourcemanager.googleapis.com/Project")
                .build())
            .build();

        // Extra e-mail recipients for entitlement notifications.
        var notifications = EntitlementAdditionalNotificationTargetsArgs.builder()
            .adminEmailRecipients("user@example.com")
            .requesterEmailRecipients("user@example.com")
            .build();

        // A single manual approval step: one approval, and the approver must justify it.
        var step = EntitlementApprovalWorkflowManualApprovalsStepArgs.builder()
            .approvalsNeeded(1)
            .approverEmailRecipients("user@example.com")
            .approvers(EntitlementApprovalWorkflowManualApprovalsStepApproversArgs.builder()
                .principals("group:test@google.com")
                .build())
            .build();

        // Leaving approvalWorkflow unset would mean no approval is needed
        // before access is granted.
        var workflow = EntitlementApprovalWorkflowArgs.builder()
            .manualApprovals(EntitlementApprovalWorkflowManualApprovalsArgs.builder()
                .requireApproverJustification(true)
                .steps(step)
                .build())
            .build();

        var tfentitlement = new Entitlement("tfentitlement", EntitlementArgs.builder()
            .entitlementId("example-entitlement")
            .location("global")
            // Upper bound on a single grant: 43200 seconds = 12 hours.
            .maxRequestDuration("43200s")
            .parent("projects/my-project-name")
            .requesterJustificationConfig(justification)
            .eligibleUsers(requesters)
            .privilegedAccess(access)
            .additionalNotificationTargets(notifications)
            .approvalWorkflow(workflow)
            .build());
    }
}
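# One Privileged Access Manager entitlement: members of a group may request
# time-boxed roles/storage.admin on a placeholder project, subject to a single
# manual approval step. Nesting is restored here; YAML needs it to parse.
resources:
  tfentitlement:
    type: gcp:privilegedaccessmanager:entitlement
    properties:
      entitlementId: example-entitlement
      location: global
      # Upper bound on a single grant: 43200 seconds = 12 hours.
      maxRequestDuration: 43200s
      parent: projects/my-project-name
      # "unstructured" asks the requester for a free-text justification.
      requesterJustificationConfig:
        unstructured: {}
      # Who may request a grant.
      # NOTE(review): the same group is also the approver below; in a real
      # deployment use a separate approver group so approval is an
      # independent check.
      eligibleUsers:
        - principals:
            - group:test@google.com
      privilegedAccess:
        gcpIamAccess:
          roleBindings:
            # roles/storage.admin is a broad role (full control of Cloud
            # Storage buckets and objects); pick the narrowest role that fits.
            - role: roles/storage.admin
              # Fixed cut-off instant. Once it has passed the condition is
              # false and the binding grants nothing; replace it before reuse.
              conditionExpression: request.time < timestamp("2024-04-23T18:30:00.000Z")
          resource: //cloudresourcemanager.googleapis.com/projects/my-project-name
          resourceType: cloudresourcemanager.googleapis.com/Project
      # Extra e-mail recipients for entitlement notifications.
      additionalNotificationTargets:
        adminEmailRecipients:
          - user@example.com
        requesterEmailRecipients:
          - user@example.com
      # Leaving approvalWorkflow unset would mean no approval is needed
      # before access is granted.
      approvalWorkflow:
        manualApprovals:
          requireApproverJustification: true
          steps:
            - approvalsNeeded: 1
              approverEmailRecipients:
                - user@example.com
              approvers:
                principals:
                  - group:test@google.com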
Create Entitlement Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Entitlement(name: string, args: EntitlementArgs, opts?: CustomResourceOptions);
@overload
def Entitlement(resource_name: str,
args: EntitlementArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Entitlement(resource_name: str,
opts: Optional[ResourceOptions] = None,
eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
entitlement_id: Optional[str] = None,
location: Optional[str] = None,
max_request_duration: Optional[str] = None,
parent: Optional[str] = None,
privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None)
func NewEntitlement(ctx *Context, name string, args EntitlementArgs, opts ...ResourceOption) (*Entitlement, error)
public Entitlement(string name, EntitlementArgs args, CustomResourceOptions? opts = null)
public Entitlement(String name, EntitlementArgs args)
public Entitlement(String name, EntitlementArgs args, CustomResourceOptions options)
type: gcp:privilegedaccessmanager/entitlement:entitlement
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. EntitlementArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. EntitlementArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. EntitlementArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. EntitlementArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. EntitlementArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Entitlement Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Entitlement resource accepts the following input properties:
- EligibleUsers This property is required. List<EntitlementEligibleUserArgs> - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- EntitlementId This property is required. Changes to this property will trigger replacement. string - The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
- Location This property is required. Changes to this property will trigger replacement. string - The region of the Entitlement resource.
- MaxRequestDuration This property is required. string - The maximum amount of time for which access can be granted for a request. A requester can ask for access for less than this duration but never more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- Parent
This property is required. Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- PrivilegedAccess This property is required. EntitlementPrivilegedAccessArgs - Privileged access that this service can be used to gate. Structure is documented below.
- RequesterJustificationConfig This property is required. EntitlementRequesterJustificationConfigArgs - Defines how a requester must provide the justification when requesting access. Structure is documented below.
- AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs - AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs - The approvals needed before access will be granted to a requester. No approvals are needed if this field is null, i.e. requests are then granted without an approval step. Different types of approval workflows can be used to gate the granting of privileged access.
- Eligible
Users This property is required. []EntitlementEligible User Args - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- Entitlement
Id This property is required. Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - Location
This property is required. Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- Max
Request Duration This property is required. string - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- Parent
This property is required. Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- Privileged
Access This property is required. EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- Requester
Justification Config This property is required. EntitlementRequester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- Additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- Approval
Workflow Changes to this property will trigger replacement.
Approval Workflow Args - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- eligible
Users This property is required. List<EntitlementEligible User Args> - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement
Id This property is required. Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - location
This property is required. Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- max
Request Duration This property is required. String - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- parent
This property is required. Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access This property is required. EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification Config This property is required. EntitlementRequester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval
Workflow Changes to this property will trigger replacement.
Approval Workflow Args - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- eligible
Users This property is required. EntitlementEligible User Args[] - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement
Id This property is required. Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - location
This property is required. Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- max
Request Duration This property is required. string - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- parent
This property is required. Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access This property is required. EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification Config This property is required. EntitlementRequester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval
Workflow Changes to this property will trigger replacement.
Approval Workflow Args - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- eligible_
users This property is required. Sequence[EntitlementEligible User Args] - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement_
id This property is required. Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - location
This property is required. Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- max_
request_ duration This property is required. str - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- parent
This property is required. Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged_
access This property is required. EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester_
justification_ config This property is required. EntitlementRequester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- additional_
notification_ Entitlementtargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval_
workflow Changes to this property will trigger replacement.
Approval Workflow Args - The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
- eligible
Users This property is required. List<Property Map> - Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
- entitlement
Id This property is required. Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified
parent
. - location
This property is required. Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- max
Request Duration This property is required. String - The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
- parent
This property is required. Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access This property is required. Property Map - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification Config This property is required. Property Map - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- additional
Notification Property MapTargets - AdditionalNotificationTargets includes email addresses to be notified.
- approval
Workflow Changes to this property will trigger replacement.
- The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
Outputs
All input properties are implicitly available as output properties. Additionally, the Entitlement resource produces the following output properties:
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag String
- For Resource freshness validation (https://google.aip.dev/154)
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag string
- For Resource freshness validation (https://google.aip.dev/154)
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state string
- Output only. The current state of the Entitlement.
- update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create_
time str - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag str
- For Resource freshness validation (https://google.aip.dev/154)
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state str
- Output only. The current state of the Entitlement.
- update_
time str - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- etag String
- For Resource freshness validation (https://google.aip.dev/154)
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Look up Existing Entitlement Resource
Get an existing Entitlement resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: EntitlementState, opts?: CustomResourceOptions): Entitlement
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None,
create_time: Optional[str] = None,
eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
entitlement_id: Optional[str] = None,
etag: Optional[str] = None,
location: Optional[str] = None,
max_request_duration: Optional[str] = None,
name: Optional[str] = None,
parent: Optional[str] = None,
privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
state: Optional[str] = None,
update_time: Optional[str] = None) -> Entitlement
func GetEntitlement(ctx *Context, name string, id IDInput, state *EntitlementState, opts ...ResourceOption) (*Entitlement, error)
public static Entitlement Get(string name, Input<string> id, EntitlementState? state, CustomResourceOptions? opts = null)
public static Entitlement get(String name, Output<String> id, EntitlementState state, CustomResourceOptions options)
resources: _: type: gcp:privilegedaccessmanager/entitlement:entitlement get: id: ${id}
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow EntitlementApprovalWorkflowArgs - Changes to this property will trigger replacement. The approvals needed before access is granted to a requester. If this field is null, no approval is required and requests from eligible users are granted without an approver's review. Different types of approval workflow can be used to gate the granting of privileged access.
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- EligibleUsers List<EntitlementEligibleUserArgs> - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- EntitlementId - Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Location
Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- MaxRequestDuration string - The maximum amount of time for which access can be granted for a single request. A requester can ask for access for less than this duration but never for more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- Parent
Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- Privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- Requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- ApprovalWorkflow EntitlementApprovalWorkflowArgs - Changes to this property will trigger replacement. The approvals needed before access is granted to a requester. If this field is null, no approval is required and requests from eligible users are granted without an approver's review. Different types of approval workflow can be used to gate the granting of privileged access.
- Create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- EligibleUsers []EntitlementEligibleUserArgs - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- EntitlementId - Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- Etag string
- For Resource freshness validation (https://google.aip.dev/154)
- Location
Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- MaxRequestDuration string - The maximum amount of time for which access can be granted for a single request. A requester can ask for access for less than this duration but never for more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- Name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- Parent
Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- Privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- Requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- State string
- Output only. The current state of the Entitlement.
- Update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approvalWorkflow EntitlementApprovalWorkflowArgs - Changes to this property will trigger replacement. The approvals needed before access is granted to a requester. If this field is null, no approval is required and requests from eligible users are granted without an approver's review. Different types of approval workflow can be used to gate the granting of privileged access.
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligibleUsers List<EntitlementEligibleUserArgs> - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlementId - Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- etag String
- For Resource freshness validation (https://google.aip.dev/154)
- location
Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- maxRequestDuration String - The maximum amount of time for which access can be granted for a single request. A requester can ask for access for less than this duration but never for more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent
Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional
Notification EntitlementTargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approvalWorkflow EntitlementApprovalWorkflowArgs - Changes to this property will trigger replacement. The approvals needed before access is granted to a requester. If this field is null, no approval is required and requests from eligible users are granted without an approver's review. Different types of approval workflow can be used to gate the granting of privileged access.
- create
Time string - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligibleUsers EntitlementEligibleUserArgs[] - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlementId - Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- etag string
- For Resource freshness validation (https://google.aip.dev/154)
- location
Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- maxRequestDuration string - The maximum amount of time for which access can be granted for a single request. A requester can ask for access for less than this duration but never for more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- name string
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent
Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification EntitlementConfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state string
- Output only. The current state of the Entitlement.
- update
Time string - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional_
notification_ Entitlementtargets Additional Notification Targets Args - AdditionalNotificationTargets includes email addresses to be notified.
- approval_workflow EntitlementApprovalWorkflowArgs - Changes to this property will trigger replacement. The approvals needed before access is granted to a requester. If this field is null, no approval is required and requests from eligible users are granted without an approver's review. Different types of approval workflow can be used to gate the granting of privileged access.
- create_
time str - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligible_users Sequence[EntitlementEligibleUserArgs] - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlement_id - Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- etag str
- For Resource freshness validation (https://google.aip.dev/154)
- location
Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- max_request_duration str - The maximum amount of time for which access can be granted for a single request. A requester can ask for access for less than this duration but never for more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- name str
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent
Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged_
access EntitlementPrivileged Access Args - Privileged access that this service can be used to gate. Structure is documented below.
- requester_
justification_ Entitlementconfig Requester Justification Config Args - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state str
- Output only. The current state of the Entitlement.
- update_
time str - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- additional
Notification Property MapTargets - AdditionalNotificationTargets includes email addresses to be notified.
- approvalWorkflow - Changes to this property will trigger replacement.
- The approvals needed before access is granted to a requester. If this field is null, no approval is required and requests from eligible users are granted without an approver's review. Different types of approval workflow can be used to gate the granting of privileged access.
- create
Time String - Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
- eligibleUsers List<Property Map> - Who can create Grants using this Entitlement. This list should contain at most one entry. Structure is documented below.
- entitlementId - Changes to this property will trigger replacement.
- The ID to use for this Entitlement. This will become the last part of the resource name.
This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
This value should be unique among all other Entitlements under the specified parent.
- etag String
- For Resource freshness validation (https://google.aip.dev/154)
- location
Changes to this property will trigger replacement.
- The region of the Entitlement resource.
- maxRequestDuration String - The maximum amount of time for which access can be granted for a single request. A requester can ask for access for less than this duration but never for more. Format: the duration in seconds followed by 's', e.g. 2 hours = "7200s", 45 minutes = "2700s".
- name String
- Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
- parent
Changes to this property will trigger replacement.
- Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
- privileged
Access Property Map - Privileged access that this service can be used to gate. Structure is documented below.
- requester
Justification Property MapConfig - Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
- state String
- Output only. The current state of the Entitlement.
- update
Time String - Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Supporting Types
EntitlementAdditionalNotificationTargets, EntitlementAdditionalNotificationTargetsArgs
- Admin
Email List<string>Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- Requester
Email List<string>Recipients - Optional. Additional email address to be notified about an eligible entitlement.
- Admin
Email []stringRecipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- Requester
Email []stringRecipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin
Email List<String>Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester
Email List<String>Recipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin
Email string[]Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester
Email string[]Recipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin_
email_ Sequence[str]recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester_
email_ Sequence[str]recipients - Optional. Additional email address to be notified about an eligible entitlement.
- admin
Email List<String>Recipients - Optional. Additional email addresses to be notified when a principal(requester) is granted access.
- requester
Email List<String>Recipients - Optional. Additional email address to be notified about an eligible entitlement.
EntitlementApprovalWorkflow, EntitlementApprovalWorkflowArgs
- ManualApprovals EntitlementApprovalWorkflowManualApprovals - This property is required. A manual approval workflow in which users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k users from a group G.
- Require an approval from any user in a group G and then from a user U, etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can approve only once, and that approval counts only toward the approval step at which it was given. Structure is documented below.
- ManualApprovals EntitlementApprovalWorkflowManualApprovals - This property is required. A manual approval workflow in which users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k users from a group G.
- Require an approval from any user in a group G and then from a user U, etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can approve only once, and that approval counts only toward the approval step at which it was given. Structure is documented below.
- manualApprovals EntitlementApprovalWorkflowManualApprovals - This property is required. A manual approval workflow in which users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k users from a group G.
- Require an approval from any user in a group G and then from a user U, etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can approve only once, and that approval counts only toward the approval step at which it was given. Structure is documented below.
- manualApprovals EntitlementApprovalWorkflowManualApprovals - This property is required. A manual approval workflow in which users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k users from a group G.
- Require an approval from any user in a group G and then from a user U, etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can approve only once, and that approval counts only toward the approval step at which it was given. Structure is documented below.
- manual_approvals EntitlementApprovalWorkflowManualApprovals - This property is required. A manual approval workflow in which users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k users from a group G.
- Require an approval from any user in a group G and then from a user U, etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can approve only once, and that approval counts only toward the approval step at which it was given. Structure is documented below.
- manualApprovals Property Map - This property is required. A manual approval workflow in which users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant.
The workflow can consist of multiple serial steps, where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.
This can be used to create approval workflows such as:
- Require an approval from any user in a group G.
- Require an approval from any k users from a group G.
- Require an approval from any user in a group G and then from a user U, etc.
A single user might be part of the approvers ACL for multiple steps in this workflow, but they can approve only once, and that approval counts only toward the approval step at which it was given. Structure is documented below.
EntitlementApprovalWorkflowManualApprovals, EntitlementApprovalWorkflowManualApprovalsArgs
- Steps List<EntitlementApprovalWorkflowManualApprovalsStep> - This property is required. List of approval steps in this workflow. The steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- RequireApproverJustification bool - Optional. Whether the approvers need to provide a justification for their actions.
- Steps []EntitlementApprovalWorkflowManualApprovalsStep - This property is required. List of approval steps in this workflow. The steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- RequireApproverJustification bool - Optional. Whether the approvers need to provide a justification for their actions.
- steps List<EntitlementApprovalWorkflowManualApprovalsStep> - This property is required. List of approval steps in this workflow. The steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- requireApproverJustification Boolean - Optional. Whether the approvers need to provide a justification for their actions.
- steps EntitlementApprovalWorkflowManualApprovalsStep[] - This property is required. List of approval steps in this workflow. The steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- requireApproverJustification boolean - Optional. Whether the approvers need to provide a justification for their actions.
- steps Sequence[EntitlementApprovalWorkflowManualApprovalsStep] - This property is required. List of approval steps in this workflow. The steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- require_approver_justification bool - Optional. Whether the approvers need to provide a justification for their actions.
- steps List<Property Map> - This property is required. List of approval steps in this workflow. The steps are followed sequentially in the specified order. Only 1 step is supported for now. Structure is documented below.
- requireApproverJustification Boolean - Optional. Whether the approvers need to provide a justification for their actions.
EntitlementApprovalWorkflowManualApprovalsStep, EntitlementApprovalWorkflowManualApprovalsStepArgs
- Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers - This property is required. The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- ApprovalsNeeded int - How many users from the above list need to approve. If there are not enough distinct users in the list above, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- ApproverEmailRecipients List<string> - Optional. Additional email addresses to be notified when a grant is pending approval.
- Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers - This property is required. The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- ApprovalsNeeded int - How many users from the above list need to approve. If there are not enough distinct users in the list above, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- ApproverEmailRecipients []string - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers - This property is required. The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- approvalsNeeded Integer - How many users from the above list need to approve. If there are not enough distinct users in the list above, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- approverEmailRecipients List<String> - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers
This property is required. EntitlementApproval Workflow Manual Approvals Step Approvers - The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
- approvalsNeeded
number - How many users from the above list need to approve. If the list above does not contain enough distinct users, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- approverEmailRecipients
string[] - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers
This property is required. EntitlementApprovalWorkflowManualApprovalsStepApprovers - The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- approvals_needed
int - How many users from the above list need to approve. If the list above does not contain enough distinct users, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- approver_email_recipients
Sequence[str] - Optional. Additional email addresses to be notified when a grant is pending approval.
- approvers
This property is required. Property Map - The potential set of approvers in this step. This list should contain only one entry. Structure is documented below.
- approvalsNeeded
Number - How many users from the above list need to approve. If the list above does not contain enough distinct users, the workflow will block indefinitely. Should always be greater than 0. Currently 1 is the only supported value.
- approverEmailRecipients
List<String> - Optional. Additional email addresses to be notified when a grant is pending approval.
EntitlementApprovalWorkflowManualApprovalsStepApprovers, EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
- Principals
This property is required. List<string> - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- Principals
This property is required. []string - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals
This property is required. List<String> - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals
This property is required. string[] - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals
This property is required. Sequence[str] - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
- principals
This property is required. List<String> - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
EntitlementEligibleUser, EntitlementEligibleUserArgs
- Principals
This property is required. List<string> - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- Principals
This property is required. []string - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals
This property is required. List<String> - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals
This property is required. string[] - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals
This property is required. Sequence[str] - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
- principals
This property is required. List<String> - Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
EntitlementPrivilegedAccess, EntitlementPrivilegedAccessArgs
- GcpIamAccess
This property is required. EntitlementPrivilegedAccessGcpIamAccess - GcpIamAccess represents IAM-based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- GcpIamAccess
This property is required. EntitlementPrivilegedAccessGcpIamAccess - GcpIamAccess represents IAM-based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcpIamAccess
This property is required. EntitlementPrivilegedAccessGcpIamAccess - GcpIamAccess represents IAM-based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcpIamAccess
This property is required. EntitlementPrivilegedAccessGcpIamAccess - GcpIamAccess represents IAM-based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcp_iam_access
This property is required. EntitlementPrivilegedAccessGcpIamAccess - GcpIamAccess represents IAM-based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
- gcpIamAccess
This property is required. Property Map - GcpIamAccess represents IAM-based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
EntitlementPrivilegedAccessGcpIamAccess, EntitlementPrivilegedAccessGcpIamAccessArgs
- Resource
This property is required. string - Name of the resource.
- ResourceType
This property is required. string - The type of this resource.
- RoleBindings
This property is required. List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding> - Role bindings to be created on successful grant. Structure is documented below.
- Resource
This property is required. string - Name of the resource.
- ResourceType
This property is required. string - The type of this resource.
- RoleBindings
This property is required. []EntitlementPrivilegedAccessGcpIamAccessRoleBinding - Role bindings to be created on successful grant. Structure is documented below.
- resource
This property is required. String - Name of the resource.
- resourceType
This property is required. String - The type of this resource.
- roleBindings
This property is required. List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding> - Role bindings to be created on successful grant. Structure is documented below.
- resource
This property is required. string - Name of the resource.
- resourceType
This property is required. string - The type of this resource.
- roleBindings
This property is required. EntitlementPrivilegedAccessGcpIamAccessRoleBinding[] - Role bindings to be created on successful grant. Structure is documented below.
- resource
This property is required. str - Name of the resource.
- resource_type
This property is required. str - The type of this resource.
- role_bindings
This property is required. Sequence[EntitlementPrivilegedAccessGcpIamAccessRoleBinding] - Role bindings to be created on successful grant. Structure is documented below.
- resource
This property is required. String - Name of the resource.
- resourceType
This property is required. String - The type of this resource.
- roleBindings
This property is required. List<Property Map> - Role bindings to be created on successful grant. Structure is documented below.
EntitlementPrivilegedAccessGcpIamAccessRoleBinding, EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
- Role
This property is required. string - IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- ConditionExpression
string - The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement can access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes
- Role
This property is required. string - IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- ConditionExpression
string - The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement can access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes
- role
This property is required. String - IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- conditionExpression
String - The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement can access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes
- role
This property is required. string - IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- conditionExpression
string - The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement can access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes
- role
This property is required. str - IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- condition_expression
str - The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement can access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes
- role
This property is required. String - IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
- conditionExpression
String - The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement can access the resource only if this condition evaluates to true for their request. See https://cloud.google.com/iam/docs/conditions-overview#attributes
EntitlementRequesterJustificationConfig, EntitlementRequesterJustificationConfigArgs
- NotMandatory
EntitlementRequesterJustificationConfigNotMandatory - The justification is not mandatory but can be provided in any of the supported formats.
- Unstructured
EntitlementRequesterJustificationConfigUnstructured - The requester has to provide a justification in the form of free-flowing text.
- NotMandatory
EntitlementRequesterJustificationConfigNotMandatory - The justification is not mandatory but can be provided in any of the supported formats.
- Unstructured
EntitlementRequesterJustificationConfigUnstructured - The requester has to provide a justification in the form of free-flowing text.
- notMandatory
EntitlementRequesterJustificationConfigNotMandatory - The justification is not mandatory but can be provided in any of the supported formats.
- unstructured
EntitlementRequesterJustificationConfigUnstructured - The requester has to provide a justification in the form of free-flowing text.
- notMandatory
EntitlementRequesterJustificationConfigNotMandatory - The justification is not mandatory but can be provided in any of the supported formats.
- unstructured
EntitlementRequesterJustificationConfigUnstructured - The requester has to provide a justification in the form of free-flowing text.
- not_mandatory
EntitlementRequesterJustificationConfigNotMandatory - The justification is not mandatory but can be provided in any of the supported formats.
- unstructured
EntitlementRequesterJustificationConfigUnstructured - The requester has to provide a justification in the form of free-flowing text.
- notMandatory
Property Map - The justification is not mandatory but can be provided in any of the supported formats.
- unstructured
Property Map - The requester has to provide a justification in the form of free-flowing text.
Import
Entitlement can be imported using any of these accepted formats:
{{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
When using the `pulumi import` command, Entitlement can be imported using one of the formats above. For example:
$ pulumi import gcp:privilegedaccessmanager/entitlement:entitlement default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `google-beta` Terraform Provider.