v5.18.0/website/docs/r/iam_deny_policy.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Cloud IAM"
 description: |-
   Represents a collection of denial policies to apply to a given resource.
 ---

 # google\_iam\_deny\_policy

 Represents a collection of denial policies to apply to a given resource.


 To get more information about DenyPolicy, see:

 * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v2/policies)
 * How-to Guides
     * [Permissions supported in deny policies](https://cloud.google.com/iam/docs/deny-permissions-support)

 ## Example Usage - Iam Deny Policy Basic


 ```hcl
 resource "google_project" "project" {
   project_id      = "my-project"
   name            = "my-project"
   org_id          = "123456789"
   billing_account = "000000-0000000-0000000-000000"
 }

 resource "google_iam_deny_policy" "example" {
   parent   = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
   name     = "my-deny-policy"
   display_name = "A deny rule"
   rules {
     description = "First rule"
     deny_rule {
       denied_principals = ["principalSet://goog/public:all"]
       denial_condition {
         title = "Some expr"
         expression = "!resource.matchTag('12345678/env', 'test')"
       }
       denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
     }
   }
   rules {
     description = "Second rule"
     deny_rule {
       denied_principals = ["principalSet://goog/public:all"]
       denial_condition {
         title = "Some expr"
         expression = "!resource.matchTag('12345678/env', 'test')"
       }
       denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
       exception_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.test-account.email}"]
     }
   }
 }

 resource "google_service_account" "test-account" {
   account_id   = "svc-acc"
   display_name = "Test Service Account"
   project      = google_project.project.project_id
 }
 ```

 ## Argument Reference

 The following arguments are supported:


 * `name` -
   (Required)
   The name of the policy.

 * `parent` -
   (Required)
   The attachment point is identified by its URL-encoded full resource name.

 * `rules` -
   (Required)
   Rules to be applied.
   Structure is [documented below](#nested_rules).


 <a name="nested_rules"></a>The `rules` block supports:

 * `description` -
   (Optional)
   The description of the rule.

 * `deny_rule` -
   (Optional)
   A deny rule in an IAM deny policy.
   Structure is [documented below](#nested_deny_rule).


 <a name="nested_deny_rule"></a>The `deny_rule` block supports:

 * `denied_principals` -
   (Optional)
   The identities that are prevented from using one or more permissions on Google Cloud resources.

 * `exception_principals` -
   (Optional)
   The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals.
   For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

 * `denied_permissions` -
   (Optional)
   The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`,
   where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.

 * `exception_permissions` -
   (Optional)
   Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions.
   If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied.
   The excluded permissions can be specified using the same syntax as deniedPermissions.

 * `denial_condition` -
   (Optional)
   User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header.
   Structure is [documented below](#nested_denial_condition).


 <a name="nested_denial_condition"></a>The `denial_condition` block supports:

 * `expression` -
   (Required)
   Textual representation of an expression in Common Expression Language syntax.

 * `title` -
   (Optional)
   Title for the expression, i.e. a short string describing its purpose.
   This can be used e.g. in UIs which allow to enter the expression.

 * `description` -
   (Optional)
   Description of the expression. This is a longer text which describes the expression,
   e.g. when hovered over it in a UI.

 * `location` -
   (Optional)
   String indicating the location of the expression for error reporting,
   e.g. a file name and a position in the file.

 - - -


 * `display_name` -
   (Optional)
   The display name of the rule.


 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are exported:

 * `id` - an identifier for the resource with format `{{parent}}/{{name}}`

 * `etag` -
   The hash of the resource. Used internally during updates.


 ## Timeouts

 This resource provides the following
 [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

 - `create` - Default is 20 minutes.
 - `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.

 ## Import


 DenyPolicy can be imported using any of these accepted formats:

 * `{{parent}}/{{name}}`


 In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import DenyPolicy using one of the formats above. For example:

 ```tf
 import {
   id = "{{parent}}/{{name}}"
   to = google_iam_deny_policy.default
 }
 ```

 When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), DenyPolicy can be imported using one of the formats above. For example:

 ```
 $ terraform import google_iam_deny_policy.default {{parent}}/{{name}}
 ```
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Cloud IAM"
	description: \|-
	Represents a collection of denial policies to apply to a given resource.
	---

	# google\_iam\_deny\_policy

	Represents a collection of denial policies to apply to a given resource.


	To get more information about DenyPolicy, see:

	* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v2/policies)
	* How-to Guides
	* [Permissions supported in deny policies](https://cloud.google.com/iam/docs/deny-permissions-support)

	## Example Usage - Iam Deny Policy Basic


	```hcl
	resource "google_project" "project" {
	project_id = "my-project"
	name = "my-project"
	org_id = "123456789"
	billing_account = "000000-0000000-0000000-000000"
	}

	resource "google_iam_deny_policy" "example" {
	parent = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
	name = "my-deny-policy"
	display_name = "A deny rule"
	rules {
	description = "First rule"
	deny_rule {
	denied_principals = ["principalSet://goog/public:all"]
	denial_condition {
	title = "Some expr"
	expression = "!resource.matchTag('12345678/env', 'test')"
	}
	denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
	}
	}
	rules {
	description = "Second rule"
	deny_rule {
	denied_principals = ["principalSet://goog/public:all"]
	denial_condition {
	title = "Some expr"
	expression = "!resource.matchTag('12345678/env', 'test')"
	}
	denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
	exception_principals = ["principal://iam.googleapis.com/projects/-/serviceAccounts/${google_service_account.test-account.email}"]
	}
	}
	}

	resource "google_service_account" "test-account" {
	account_id = "svc-acc"
	display_name = "Test Service Account"
	project = google_project.project.project_id
	}
	```

	## Argument Reference

	The following arguments are supported:


	* `name` -
	(Required)
	The name of the policy.

	* `parent` -
	(Required)
	The attachment point is identified by its URL-encoded full resource name.

	* `rules` -
	(Required)
	Rules to be applied.
	Structure is [documented below](#nested_rules).


	<a name="nested_rules"></a>The `rules` block supports:

	* `description` -
	(Optional)
	The description of the rule.

	* `deny_rule` -
	(Optional)
	A deny rule in an IAM deny policy.
	Structure is [documented below](#nested_deny_rule).


	<a name="nested_deny_rule"></a>The `deny_rule` block supports:

	* `denied_principals` -
	(Optional)
	The identities that are prevented from using one or more permissions on Google Cloud resources.

	* `exception_principals` -
	(Optional)
	The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals.
	For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.

	* `denied_permissions` -
	(Optional)
	The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`,
	where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.

	* `exception_permissions` -
	(Optional)
	Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions.
	If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied.
	The excluded permissions can be specified using the same syntax as deniedPermissions.

	* `denial_condition` -
	(Optional)
	User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header.
	Structure is [documented below](#nested_denial_condition).


	<a name="nested_denial_condition"></a>The `denial_condition` block supports:

	* `expression` -
	(Required)
	Textual representation of an expression in Common Expression Language syntax.

	* `title` -
	(Optional)
	Title for the expression, i.e. a short string describing its purpose.
	This can be used e.g. in UIs which allow to enter the expression.

	* `description` -
	(Optional)
	Description of the expression. This is a longer text which describes the expression,
	e.g. when hovered over it in a UI.

	* `location` -
	(Optional)
	String indicating the location of the expression for error reporting,
	e.g. a file name and a position in the file.

	- - -


	* `display_name` -
	(Optional)
	The display name of the rule.


	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are exported:

	* `id` - an identifier for the resource with format `{{parent}}/{{name}}`

	* `etag` -
	The hash of the resource. Used internally during updates.


	## Timeouts

	This resource provides the following
	[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

	- `create` - Default is 20 minutes.
	- `update` - Default is 20 minutes.
	- `delete` - Default is 20 minutes.

	## Import


	DenyPolicy can be imported using any of these accepted formats:

	* `{{parent}}/{{name}}`


	In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import DenyPolicy using one of the formats above. For example:

	```tf
	import {
	id = "{{parent}}/{{name}}"
	to = google_iam_deny_policy.default
	}
	```

	When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), DenyPolicy can be imported using one of the formats above. For example:

	```
	$ terraform import google_iam_deny_policy.default {{parent}}/{{name}}
	```