---
# ----------------------------------------------------------------------------
#
#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
#
# ----------------------------------------------------------------------------
#
#     This file is automatically generated by Magic Modules and manual
#     changes will be clobbered when the file is regenerated.
#
#     Please read more about how to change this file in
#     .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Cloud IAM"
description: |-
  Represents a collection of access boundary policies to apply to a given resource.
---

# google\_iam\_access\_boundary\_policy

Represents a collection of access boundary policies to apply to a given resource.

**NOTE**: This is a private feature and users should contact GCP support
if they would like to test it.



## Example Usage - Iam Access Boundary Policy Basic


```hcl
resource "google_project" "project" {
  project_id      = "my-project"
  name            = "my-project"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
}

resource "google_access_context_manager_access_level" "test-access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/chromeos_no_lock"
  title  = "chromeos_no_lock"
  basic {
    conditions {
      device_policy {
        require_screen_lock = true
        os_constraints {
          os_type = "DESKTOP_CHROME_OS"
        }
      }
      regions = [
        "CH",
        "IT",
        "US",
      ]
    }
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/${google_project.project.org_id}"
  title  = "my policy"
}

resource "google_iam_access_boundary_policy" "example" {
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${google_project.project.project_id}")
  name         = "my-ab-policy"
  display_name = "My AB policy"
  rules {
    description = "AB rule"
    access_boundary_rule {
      available_resource    = "*"
      available_permissions = ["*"]
      availability_condition {
        title      = "Access level expr"
        expression = "request.matchAccessLevels('${google_project.project.org_id}', ['${google_access_context_manager_access_level.test-access.name}'])"
      }
    }
  }
      }
    }
  }
}
```

## Argument Reference

The following arguments are supported:


* `name` -
  (Required)
  The name of the policy.

* `parent` -
  (Required)
  The attachment point is identified by its URL-encoded full resource name.

* `rules` -
  (Required)
  Rules to be applied.
  Structure is [documented below](#nested_rules).


<a name="nested_rules"></a>The `rules` block supports:

* `description` -
  (Optional)
  The description of the rule.

* `access_boundary_rule` -
  (Optional)
  An access boundary rule in an IAM policy.
  Structure is [documented below](#nested_access_boundary_rule).


<a name="nested_access_boundary_rule"></a>The `access_boundary_rule` block supports:

* `available_resource` -
  (Optional)
  The full resource name of a Google Cloud resource entity.

* `available_permissions` -
  (Optional)
  A list of permissions that may be allowed for use on the specified resource.

* `availability_condition` -
  (Optional)
  The availability condition further constrains the access allowed by the access boundary rule.
  Structure is [documented below](#nested_availability_condition).


<a name="nested_availability_condition"></a>The `availability_condition` block supports:

* `expression` -
  (Required)
  Textual representation of an expression in Common Expression Language syntax.

* `title` -
  (Optional)
  Title for the expression, i.e. a short string describing its purpose.
  This can be used, e.g., in UIs that allow entering the expression.

* `description` -
  (Optional)
  Description of the expression. This is longer text that describes the expression,
  e.g. shown when hovering over it in a UI.

* `location` -
  (Optional)
  String indicating the location of the expression for error reporting,
  e.g. a file name and a position in the file.

- - -


* `display_name` -
  (Optional)
  The display name of the rule.


## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `{{parent}}/{{name}}`

* `etag` -
  The hash of the resource. Used internally during updates.


## Timeouts

This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.

## Import


AccessBoundaryPolicy can be imported using any of these accepted formats:

* `{{parent}}/{{name}}`


In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import AccessBoundaryPolicy using one of the formats above. For example:

```tf
import {
  id = "{{parent}}/{{name}}"
  to = google_iam_access_boundary_policy.default
}
```

When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), AccessBoundaryPolicy can be imported using one of the formats above. For example:

```
$ terraform import google_iam_access_boundary_policy.default {{parent}}/{{name}}
```
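
The following added example (not part of the generated provider documentation) shows how the URL-encoded `parent` and the `{{parent}}/{{name}}` format combine into a concrete import ID, using the project ID, policy name and org ID from the basic example above. The local names and `<ACCESS_LEVEL_NAME>` are placeholders, and it assumes the encoded `parent` is used verbatim in the ID.

```hcl
locals {
  # Full resource name of the attachment point, before encoding.
  ab_attachment_point = "cloudresourcemanager.googleapis.com/projects/my-project"

  # urlencode() percent-encodes every "/" as "%2F", so the encoded parent
  # contains no literal slash:
  #   cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project
  ab_parent = urlencode(local.ab_attachment_point)
}

import {
  # {{parent}}/{{name}}: the single literal "/" separates the encoded
  # parent from the policy name. Passing the unencoded resource name here
  # would put extra "/" characters in the ID and no longer match the format.
  id = "cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/my-ab-policy"
  to = google_iam_access_boundary_policy.default
}

# The import target needs a matching resource block. Its rules should mirror
# the policy that already exists, otherwise the next apply rewrites them.
resource "google_iam_access_boundary_policy" "default" {
  parent = local.ab_parent
  name   = "my-ab-policy"

  rules {
    description = "AB rule"
    access_boundary_rule {
      available_resource    = "*"
      available_permissions = ["*"]
      availability_condition {
        title = "Access level expr"
        # <ACCESS_LEVEL_NAME> is a placeholder for the full access level name.
        expression = "request.matchAccessLevels('123456789', ['<ACCESS_LEVEL_NAME>'])"
      }
    }
  }
}
```

After importing, run `terraform plan` and confirm it reports no changes to `rules` before applying, so the import does not silently alter the boundary.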
