Syntax

A google_project_iam_policy is used to test a Google Project Iam Policy resource

Examples

describe google_project_iam_policy(project: "project") do
  it { should exist }
end

google_project_iam_policy(project: "project").bindings.each do |binding|
  describe binding do
    its('role') { should eq 'roles/editor'}
    its('members') { should include 'user:testuser@example.com'}
  end
end

This resource supports IAM conditions.

Properties

Properties that can be accessed from the google_project_iam_policy resource:

  • iam_binding_roles: The list of roles that exist on the policy.

  • bindings: Associates a list of members to a role.

    • role: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.
    • members: Specifies the identities requesting access for a Cloud Platform resource.
    • condition: Contains information about when this binding is to be applied.
      • expression: Textual representation of an expression in Common Expression Language syntax.
      • title: An optional title for the expression, i.e. a short string describing its purpose.
      • description: An optional description of the expression. This is a longer text which describes the expression.
  • audit_configs: Specifies cloud audit logging configuration for this policy.

    • service: Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
    • audit_log_configs: The configuration for logging of each type of permission.
      • log_type: The log type that this config enables. For example, ADMINREAD, DATAWRITE or DATA_READ
      • exempted_members: Specifies the identities that do not cause logging for this type of permission.

GCP Permissions

Ensure the Cloud Resource Manager API is enabled for the current project.