| --- |
| # ---------------------------------------------------------------------------- |
| # |
| # *** AUTO GENERATED CODE *** Type: MMv1 *** |
| # |
| # ---------------------------------------------------------------------------- |
| # |
| # This file is automatically generated by Magic Modules and manual |
| # changes will be clobbered when the file is regenerated. |
| # |
| # Please read more about how to change this file in |
| # .github/CONTRIBUTING.md. |
| # |
| # ---------------------------------------------------------------------------- |
| subcategory: "Cloud Healthcare" |
| description: |- |
| Collection of resources to manage IAM policy for Cloud Healthcare ConsentStore |
| --- |
| |
| # IAM policy for Cloud Healthcare ConsentStore |
| Three different resources help you manage your IAM policy for Cloud Healthcare ConsentStore. Each of these resources serves a different use case: |
| |
| * `google_healthcare_consent_store_iam_policy`: Authoritative. Sets the IAM policy for the consentstore and replaces any existing policy already attached. |
| * `google_healthcare_consent_store_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the consentstore are preserved. |
| * `google_healthcare_consent_store_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the consentstore are preserved. |
| |
| A data source can be used to retrieve policy data in advent you do not need creation |
| |
| * `google_healthcare_consent_store_iam_policy`: Retrieves the IAM policy for the consentstore |
| |
| ~> **Note:** `google_healthcare_consent_store_iam_policy` **cannot** be used in conjunction with `google_healthcare_consent_store_iam_binding` and `google_healthcare_consent_store_iam_member` or they will fight over what your policy should be. |
| |
| ~> **Note:** `google_healthcare_consent_store_iam_binding` resources **can be** used in conjunction with `google_healthcare_consent_store_iam_member` resources **only if** they do not grant privilege to the same role. |
| |
| |
| |
| |
| ## google\_healthcare\_consent\_store\_iam\_policy |
| |
| ```hcl |
| data "google_iam_policy" "admin" { |
| binding { |
| role = "roles/viewer" |
| members = [ |
| "user:jane@example.com", |
| ] |
| } |
| } |
| |
| resource "google_healthcare_consent_store_iam_policy" "policy" { |
| dataset = google_healthcare_consent_store.my-consent.dataset |
| consent_store_id = google_healthcare_consent_store.my-consent.name |
| policy_data = data.google_iam_policy.admin.policy_data |
| } |
| ``` |
| |
| ## google\_healthcare\_consent\_store\_iam\_binding |
| |
| ```hcl |
| resource "google_healthcare_consent_store_iam_binding" "binding" { |
| dataset = google_healthcare_consent_store.my-consent.dataset |
| consent_store_id = google_healthcare_consent_store.my-consent.name |
| role = "roles/viewer" |
| members = [ |
| "user:jane@example.com", |
| ] |
| } |
| ``` |
| |
| ## google\_healthcare\_consent\_store\_iam\_member |
| |
| ```hcl |
| resource "google_healthcare_consent_store_iam_member" "member" { |
| dataset = google_healthcare_consent_store.my-consent.dataset |
| consent_store_id = google_healthcare_consent_store.my-consent.name |
| role = "roles/viewer" |
| member = "user:jane@example.com" |
| } |
| ``` |
| |
| |
| ## Argument Reference |
| |
| The following arguments are supported: |
| |
| * `consent_store_id` - (Required) Used to find the parent resource to bind the IAM policy to |
| * `dataset` - (Required) Identifies the dataset addressed by this request. Must be in the format |
| 'projects/{project}/locations/{location}/datasets/{dataset}' |
| Used to find the parent resource to bind the IAM policy to |
| |
| * `member/members` - (Required) Identities that will be granted the privilege in `role`. |
| Each entry can have one of the following values: |
| * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. |
| * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. |
| * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. |
| * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. |
| * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. |
| * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. |
| * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" |
| * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" |
| * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" |
| |
| * `role` - (Required) The role that should be applied. Only one |
| `google_healthcare_consent_store_iam_binding` can be used per role. Note that custom roles must be of the format |
| `[projects|organizations]/{parent-name}/roles/{role-name}`. |
| |
| * `policy_data` - (Required only by `google_healthcare_consent_store_iam_policy`) The policy data generated by |
| a `google_iam_policy` data source. |
| |
| ## Attributes Reference |
| |
| In addition to the arguments listed above, the following computed attributes are |
| exported: |
| |
| * `etag` - (Computed) The etag of the IAM policy. |
| |
| ## Import |
| |
| For all import syntaxes, the "resource in question" can take any of the following forms: |
| |
| * {{dataset}}/consentStores/{{name}} |
| * {{name}} |
| |
| Any variables not passed in the import command will be taken from the provider configuration. |
| |
| Cloud Healthcare consentstore IAM resources can be imported using the resource identifiers, role, and member. |
| |
| IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g. |
| ``` |
| $ terraform import google_healthcare_consent_store_iam_member.editor "{{dataset}}/consentStores/{{consent_store}} roles/viewer user:jane@example.com" |
| ``` |
| |
| IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g. |
| ``` |
| $ terraform import google_healthcare_consent_store_iam_binding.editor "{{dataset}}/consentStores/{{consent_store}} roles/viewer" |
| ``` |
| |
| IAM policy imports use the identifier of the resource in question, e.g. |
| ``` |
| $ terraform import google_healthcare_consent_store_iam_policy.editor {{dataset}}/consentStores/{{consent_store}} |
| ``` |
| |
| -> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the |
| full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. |