Iam Member Remove Args
Ensures that a member:role pairing does not exist in a project's IAM policy. On create, this resource will modify the policy to remove the `member` from the `role`. If the membership is ever re-added, the next refresh will clear this resource from state, and the next update will propose re-creating it to correct the membership. Import is not supported; this resource will acquire the current policy and modify it as part of creating the resource.
This resource will conflict with `gcp.projects.IAMPolicy` and `gcp.projects.IAMBinding` resources that share a role, as well as `gcp.projects.IAMMember` resources that target the same membership. When multiple resources conflict, the final state is not guaranteed to include or omit the membership. Subsequent `pulumi up` calls will always show a diff until the configuration is corrected. For more information see the official documentation and API reference.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
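// Look up the target project. No arguments are passed; presumably the lookup
// then resolves to the provider's configured project (confirm for your setup).
const targetProject = gcp.organizations.getProject({});

// Fail the deployment instead of passing an undefined project ID through.
const targetProjectId = targetProject.then(p => {
    if (!p.projectId) {
        throw new Error("project lookup returned no projectId");
    }
    return p.projectId;
});

// Ensure the default Compute Engine service account
// (<project-number>-compute@developer.gserviceaccount.com) does not hold the
// broad roles/editor grant on the project.
// - Workloads running as this account lose any access they derived from
//   roles/editor; grant the narrower roles they need before applying.
// - The pairing is removed at create time only. If it is re-added later, the
//   next refresh drops this resource from state so the removal is proposed
//   again; the re-add itself is not blocked.
// - Do not manage the same role or membership with IAMPolicy, IAMBinding or
//   IAMMember resources: the final state is then not guaranteed.
const foo = new gcp.projects.IamMemberRemove("foo", {
    role: "roles/editor",
    project: targetProjectId,
    member: targetProject.then(p => `serviceAccount:${p.number}-compute@developer.gserviceaccount.com`),
});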
import pulumi
import pulumi_gcp as gcp
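# Look up the target project. No arguments are passed; presumably the lookup
# then resolves to the provider's configured project (confirm for your setup).
target_project = gcp.organizations.get_project()

# Ensure the default Compute Engine service account
# (<project-number>-compute@developer.gserviceaccount.com) does not hold the
# broad roles/editor grant on the project.
# - Workloads running as this account lose any access they derived from
#   roles/editor; grant the narrower roles they need before applying.
# - The pairing is removed at create time only. If it is re-added later, the
#   next refresh drops this resource from state so the removal is proposed
#   again; the re-add itself is not blocked.
# - Do not manage the same role or membership with IAMPolicy, IAMBinding or
#   IAMMember resources: the final state is then not guaranteed.
foo = gcp.projects.IamMemberRemove(
    "foo",
    role="roles/editor",
    project=target_project.project_id,
    member=f"serviceAccount:{target_project.number}-compute@developer.gserviceaccount.com",
)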
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
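return await Deployment.RunAsync(() =>
{
    // Look up the target project. No arguments are passed; presumably the lookup
    // then resolves to the provider's configured project (confirm for your setup).
    var targetProject = Gcp.Organizations.GetProject.Invoke();

    // Ensure the default Compute Engine service account
    // (<project-number>-compute@developer.gserviceaccount.com) does not hold the
    // broad roles/editor grant on the project.
    // - Workloads running as this account lose any access they derived from
    //   roles/editor; grant the narrower roles they need before applying.
    // - The pairing is removed at create time only. If it is re-added later, the
    //   next refresh drops this resource from state so the removal is proposed
    //   again; the re-add itself is not blocked.
    // - Do not manage the same role or membership with IAMPolicy, IAMBinding or
    //   IAMMember resources: the final state is then not guaranteed.
    var foo = new Gcp.Projects.IamMemberRemove("foo", new()
    {
        Role = "roles/editor",
        // Both values come from the lookup result, so they are resolved via Apply.
        Project = targetProject.Apply(project => project.ProjectId),
        Member = targetProject.Apply(project => $"serviceAccount:{project.Number}-compute@developer.gserviceaccount.com"),
    });
});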
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
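// main removes the roles/editor grant from the project's default Compute
// Engine service account (<project-number>-compute@developer.gserviceaccount.com).
//
// Workloads running as this account lose any access they derived from
// roles/editor; grant the narrower roles they need before applying. The
// pairing is removed at create time only: if it is re-added later, the next
// refresh drops this resource from state so the removal is proposed again.
// Do not manage the same role or membership with IAMPolicy, IAMBinding or
// IAMMember resources, because the final state is then not guaranteed.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Look up the target project. No arguments are passed; presumably the
		// lookup resolves to the provider's configured project (confirm).
		targetProject, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): ProjectId is assumed to be an optional (*string) field
		// of the lookup result - confirm against the SDK version in use.
		if targetProject.ProjectId == nil {
			return fmt.Errorf("project lookup returned no project ID")
		}
		_, err = projects.NewIamMemberRemove(ctx, "foo", &projects.IamMemberRemoveArgs{
			Role:    pulumi.String("roles/editor"),
			Project: pulumi.String(*targetProject.ProjectId),
			Member:  pulumi.Sprintf("serviceAccount:%v-compute@developer.gserviceaccount.com", targetProject.Number),
		})
		return err
	})
}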
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.projects.IamMemberRemove;
import com.pulumi.gcp.projects.IamMemberRemoveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
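/**
 * Removes the roles/editor grant from the project's default Compute Engine
 * service account ({@code <project-number>-compute@developer.gserviceaccount.com}).
 *
 * <p>Workloads running as this account lose any access they derived from
 * roles/editor; grant the narrower roles they need before applying. The pairing
 * is removed at create time only: if it is re-added later, the next refresh
 * drops this resource from state so the removal is proposed again. Do not manage
 * the same role or membership with IAMPolicy, IAMBinding or IAMMember resources,
 * because the final state is then not guaranteed.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack: one project lookup and one IamMemberRemove resource.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Look up the target project. No arguments are passed; presumably the
        // lookup resolves to the provider's configured project (confirm).
        final var targetProject = OrganizationsFunctions.getProject(GetProjectArgs.builder()
            .build());

        // NOTE(review): projectId() is assumed to return Optional<String> on the
        // lookup result - confirm against the SDK version in use.
        var foo = new IamMemberRemove("foo", IamMemberRemoveArgs.builder()
            .role("roles/editor")
            .project(targetProject.applyValue(project -> project.projectId().orElseThrow()))
            .member(targetProject.applyValue(project -> String.format(
                "serviceAccount:%s-compute@developer.gserviceaccount.com", project.number())))
            .build());
    }
}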
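resources:
  # Ensure the default Compute Engine service account
  # (<project-number>-compute@developer.gserviceaccount.com) does not hold the
  # broad roles/editor grant on the project.
  # - Workloads running as this account lose any access they derived from
  #   roles/editor; grant the narrower roles they need before applying.
  # - The pairing is removed at create time only. If it is re-added later, the
  #   next refresh drops this resource from state so the removal is proposed
  #   again; the re-add itself is not blocked.
  # - Do not manage the same role or membership with IAMPolicy, IAMBinding or
  #   IAMMember resources: the final state is then not guaranteed.
  foo:
    type: gcp:projects:IamMemberRemove
    properties:
      role: roles/editor
      project: ${targetProject.projectId}
      member: serviceAccount:${targetProject.number}-compute@developer.gserviceaccount.com
variables:
  # Project lookup with no arguments; presumably resolves to the provider's
  # configured project (confirm for your setup).
  targetProject:
    fn::invoke:
      function: gcp:organizations:getProject
      arguments: {}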