v5.18.0/website/docs/r/apigee_environment_iam.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Apigee"
 description: |-
   Collection of resources to manage IAM policy for Apigee Environment
 ---

 # IAM policy for Apigee Environment
 Three different resources help you manage your IAM policy for Apigee Environment. Each of these resources serves a different use case:

 * `google_apigee_environment_iam_policy`: Authoritative. Sets the IAM policy for the environment and replaces any existing policy already attached.
 * `google_apigee_environment_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the environment are preserved.
 * `google_apigee_environment_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the environment are preserved.

 A data source can be used to retrieve policy data in advent you do not need creation

 * `google_apigee_environment_iam_policy`: Retrieves the IAM policy for the environment

 ~> **Note:** `google_apigee_environment_iam_policy` **cannot** be used in conjunction with `google_apigee_environment_iam_binding` and `google_apigee_environment_iam_member` or they will fight over what your policy should be.

 ~> **Note:** `google_apigee_environment_iam_binding` resources **can be** used in conjunction with `google_apigee_environment_iam_member` resources **only if** they do not grant privilege to the same role.


 ## google\_apigee\_environment\_iam\_policy

 ```hcl
 data "google_iam_policy" "admin" {
   binding {
     role = "roles/viewer"
     members = [
       "user:jane@example.com",
     ]
   }
 }

 resource "google_apigee_environment_iam_policy" "policy" {
   org_id = google_apigee_environment.apigee_environment.org_id
   env_id = google_apigee_environment.apigee_environment.name
   policy_data = data.google_iam_policy.admin.policy_data
 }
 ```

 ## google\_apigee\_environment\_iam\_binding

 ```hcl
 resource "google_apigee_environment_iam_binding" "binding" {
   org_id = google_apigee_environment.apigee_environment.org_id
   env_id = google_apigee_environment.apigee_environment.name
   role = "roles/viewer"
   members = [
     "user:jane@example.com",
   ]
 }
 ```

 ## google\_apigee\_environment\_iam\_member

 ```hcl
 resource "google_apigee_environment_iam_member" "member" {
   org_id = google_apigee_environment.apigee_environment.org_id
   env_id = google_apigee_environment.apigee_environment.name
   role = "roles/viewer"
   member = "user:jane@example.com"
 }
 ```


 ## Argument Reference

 The following arguments are supported:

 * `env_id` - (Required) Used to find the parent resource to bind the IAM policy to

 * `member/members` - (Required) Identities that will be granted the privilege in `role`.
   Each entry can have one of the following values:
   * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
   * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
   * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
   * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
   * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
   * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
   * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
   * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
   * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

 * `role` - (Required) The role that should be applied. Only one
     `google_apigee_environment_iam_binding` can be used per role. Note that custom roles must be of the format
     `[projects|organizations]/{parent-name}/roles/{role-name}`.

 * `policy_data` - (Required only by `google_apigee_environment_iam_policy`) The policy data generated by
   a `google_iam_policy` data source.

 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are
 exported:

 * `etag` - (Computed) The etag of the IAM policy.

 ## Import

 For all import syntaxes, the "resource in question" can take any of the following forms:

 * {{org_id}}/environments/{{name}}
 * {{name}}

 Any variables not passed in the import command will be taken from the provider configuration.

 Apigee environment IAM resources can be imported using the resource identifiers, role, and member.

 IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.
 ```
 $ terraform import google_apigee_environment_iam_member.editor "{{org_id}}/environments/{{environment}} roles/viewer user:jane@example.com"
 ```

 IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.
 ```
 $ terraform import google_apigee_environment_iam_binding.editor "{{org_id}}/environments/{{environment}} roles/viewer"
 ```

 IAM policy imports use the identifier of the resource in question, e.g.
 ```
 $ terraform import google_apigee_environment_iam_policy.editor {{org_id}}/environments/{{environment}}
 ```

 -> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
  full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Apigee"
	description: \|-
	Collection of resources to manage IAM policy for Apigee Environment
	---

	# IAM policy for Apigee Environment
	Three different resources help you manage your IAM policy for Apigee Environment. Each of these resources serves a different use case:

	* `google_apigee_environment_iam_policy`: Authoritative. Sets the IAM policy for the environment and replaces any existing policy already attached.
	* `google_apigee_environment_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the environment are preserved.
	* `google_apigee_environment_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the environment are preserved.

	A data source can be used to retrieve policy data in advent you do not need creation

	* `google_apigee_environment_iam_policy`: Retrieves the IAM policy for the environment

	~> Note: `google_apigee_environment_iam_policy` cannot be used in conjunction with `google_apigee_environment_iam_binding` and `google_apigee_environment_iam_member` or they will fight over what your policy should be.

	~> Note: `google_apigee_environment_iam_binding` resources can be used in conjunction with `google_apigee_environment_iam_member` resources only if they do not grant privilege to the same role.




	## google\_apigee\_environment\_iam\_policy

	```hcl
	data "google_iam_policy" "admin" {
	binding {
	role = "roles/viewer"
	members = [
	"user:jane@example.com",
	]
	}
	}

	resource "google_apigee_environment_iam_policy" "policy" {
	org_id = google_apigee_environment.apigee_environment.org_id
	env_id = google_apigee_environment.apigee_environment.name
	policy_data = data.google_iam_policy.admin.policy_data
	}
	```

	## google\_apigee\_environment\_iam\_binding

	```hcl
	resource "google_apigee_environment_iam_binding" "binding" {
	org_id = google_apigee_environment.apigee_environment.org_id
	env_id = google_apigee_environment.apigee_environment.name
	role = "roles/viewer"
	members = [
	"user:jane@example.com",
	]
	}
	```

	## google\_apigee\_environment\_iam\_member

	```hcl
	resource "google_apigee_environment_iam_member" "member" {
	org_id = google_apigee_environment.apigee_environment.org_id
	env_id = google_apigee_environment.apigee_environment.name
	role = "roles/viewer"
	member = "user:jane@example.com"
	}
	```


	## Argument Reference

	The following arguments are supported:

	* `env_id` - (Required) Used to find the parent resource to bind the IAM policy to

	* `member/members` - (Required) Identities that will be granted the privilege in `role`.
	Each entry can have one of the following values:
	* allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
	* allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	* user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	* serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	* group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
	* domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	* projectOwner:projectid: Owners of the given project. For example, "projectOwner:my-example-project"
	* projectEditor:projectid: Editors of the given project. For example, "projectEditor:my-example-project"
	* projectViewer:projectid: Viewers of the given project. For example, "projectViewer:my-example-project"

	* `role` - (Required) The role that should be applied. Only one
	`google_apigee_environment_iam_binding` can be used per role. Note that custom roles must be of the format
	`[projects\|organizations]/{parent-name}/roles/{role-name}`.

	* `policy_data` - (Required only by `google_apigee_environment_iam_policy`) The policy data generated by
	a `google_iam_policy` data source.

	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are
	exported:

	* `etag` - (Computed) The etag of the IAM policy.

	## Import

	For all import syntaxes, the "resource in question" can take any of the following forms:

	* {{org_id}}/environments/{{name}}
	* {{name}}

	Any variables not passed in the import command will be taken from the provider configuration.

	Apigee environment IAM resources can be imported using the resource identifiers, role, and member.

	IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.
	```
	$ terraform import google_apigee_environment_iam_member.editor "{{org_id}}/environments/{{environment}} roles/viewer user:jane@example.com"
	```

	IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.
	```
	$ terraform import google_apigee_environment_iam_binding.editor "{{org_id}}/environments/{{environment}} roles/viewer"
	```

	IAM policy imports use the identifier of the resource in question, e.g.
	```
	$ terraform import google_apigee_environment_iam_policy.editor {{org_id}}/environments/{{environment}}
	```

	-> Custom Roles: If you're importing a IAM resource with a custom role, make sure to use the
	full name of the custom role, e.g. `[projects/my-project\|organizations/my-org]/roles/my-custom-role`.