|
| 1 | +--- |
| 2 | +layout: "google" |
| 3 | +page_title: "Google: google_spanner_database_iam" |
| 4 | +sidebar_current: "docs-google-spanner-database-iam" |
| 5 | +description: |- |
| 6 | + Collection of resources to manage IAM policy for a Spanner database. |
| 7 | +--- |
| 8 | + |
| 9 | +# IAM policy for Spanner databases |
| 10 | + |
| 11 | +Three different resources help you manage your IAM policy for a Spanner database. Each of these resources serves a different use case: |
| 12 | + |
| 13 | +* `google_spanner_database_iam_policy`: Authoritative. Sets the IAM policy for the database and replaces any existing policy already attached. |
| 14 | + |
| 15 | +~> **Warning:** It's entirely possibly to lock yourself out of your database using `google_spanner_database_iam_policy`. Any permissions granted by default will be removed unless you include them in your config. |
| 16 | + |
| 17 | +* `google_spanner_database_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the database are preserved. |
| 18 | +* `google_spanner_database_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the database are preserved. |
| 19 | + |
| 20 | +~> **Note:** `google_spanner_database_iam_policy` **cannot** be used in conjunction with `google_spanner_database_iam_binding` and `google_spanner_database_iam_member` or they will fight over what your policy should be. |
| 21 | + |
| 22 | +~> **Note:** `google_spanner_database_iam_binding` resources **can be** used in conjunction with `google_spanner_database_iam_member` resources **only if** they do not grant privilege to the same role. |
| 23 | + |
| 24 | +## google\_spanner\_database\_iam\_policy |
| 25 | + |
| 26 | +```hcl |
| 27 | +data "google_iam_policy" "admin" { |
| 28 | + binding { |
| 29 | + role = "roles/editor" |
| 30 | +
|
| 31 | + members = [ |
| 32 | + |
| 33 | + ] |
| 34 | + } |
| 35 | +} |
| 36 | +
|
| 37 | +resource "google_spanner_database_iam_policy" "database" { |
| 38 | + instance = "your-instance-name" |
| 39 | + database = "your-database-name" |
| 40 | + policy_data = "${data.google_iam_policy.admin.policy_data}" |
| 41 | +} |
| 42 | +``` |
| 43 | + |
| 44 | +## google\_spanner\_database\_iam\_binding |
| 45 | + |
| 46 | +```hcl |
| 47 | +resource "google_spanner_database_iam_binding" "database" { |
| 48 | + instance = "your-instance-name" |
| 49 | + database = "your-database-name" |
| 50 | + role = "roles/compute.networkUser" |
| 51 | +
|
| 52 | + members = [ |
| 53 | + |
| 54 | + ] |
| 55 | +} |
| 56 | +``` |
| 57 | + |
| 58 | +## google\_spanner\_database\_iam\_member |
| 59 | + |
| 60 | +```hcl |
| 61 | +resource "google_spanner_database_iam_member" "database" { |
| 62 | + instance = "your-instance-name" |
| 63 | + database = "your-database-name" |
| 64 | + role = "roles/compute.networkUser" |
| 65 | + |
| 66 | +} |
| 67 | +``` |
| 68 | + |
| 69 | +## Argument Reference |
| 70 | + |
| 71 | +The following arguments are supported: |
| 72 | + |
| 73 | +* `database` - (Required) The name of the Spanner database. |
| 74 | + |
| 75 | +* `instance` - (Required) The name of the Spanner instance the database belongs to. |
| 76 | + |
| 77 | +* `member/members` - (Required) Identities that will be granted the privilege in `role`. |
| 78 | + Each entry can have one of the following values: |
| 79 | + * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. |
| 80 | + * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. |
| 81 | + * **user:{emailid} **: An email address that represents a specific Google account. For example, [email protected] or [email protected]. |
| 82 | + * **serviceAccount:{emailid} **: An email address that represents a service account. For example, [email protected]. |
| 83 | + * **group:{emailid} **: An email address that represents a Google group. For example, [email protected]. |
| 84 | + * **domain:{domain}**: A Google Apps domain name that represents all the users of that domain. For example, google.com or example.com. |
| 85 | + |
| 86 | +* `role` - (Required) The role that should be applied. Only one |
| 87 | + `google_spanner_database_iam_binding` can be used per role. Note that custom roles must be of the format |
| 88 | + `[projects|organizations]/{parent-name}/roles/{role-name}`. |
| 89 | + |
| 90 | +* `policy_data` - (Required only by `google_spanner_database_iam_policy`) The policy data generated by |
| 91 | + a `google_iam_policy` data source. |
| 92 | + |
| 93 | +* `project` - (Optional) The ID of the project in which the resource belongs. If it |
| 94 | + is not provided, the provider project is used. |
| 95 | + |
| 96 | +## Attributes Reference |
| 97 | + |
| 98 | +In addition to the arguments listed above, the following computed attributes are |
| 99 | +exported: |
| 100 | + |
| 101 | +* `etag` - (Computed) The etag of the database's IAM policy. |
| 102 | + |
| 103 | +## Import |
| 104 | + |
| 105 | +For all import syntaxes, the "resource in question" can take any of the following forms: |
| 106 | + |
| 107 | +* {{project}}/{{instance}}/{{database}} |
| 108 | +* {{instance}}/{{database}} (project is taken from provider project) |
| 109 | + |
| 110 | +IAM member imports use space-delimited identifiers; the resource in question, the role, and the account, e.g. |
| 111 | + |
| 112 | +``` |
| 113 | +$ terraform import google_spanner_database_iam_member.database "project-name/instance-name/database-name roles/viewer [email protected]" |
| 114 | +``` |
| 115 | + |
| 116 | +IAM binding imports use space-delimited identifiers; the resource in question and the role, e.g. |
| 117 | + |
| 118 | +``` |
| 119 | +$ terraform import google_spanner_database_iam_binding.database "project-name/instance-name/database-name roles/viewer" |
| 120 | +``` |
| 121 | + |
| 122 | +IAM policy imports use the identifier of the resource in question, e.g. |
| 123 | + |
| 124 | +``` |
| 125 | +$ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name |
| 126 | +``` |
0 commit comments