Merge pull request hashicorp#1387 from terraform-providers/paddy_spanner_instance_iam

Add support for IAM on Spanner Instances.

Author: paddycarver

docs/r/spanner_instance_iam.html.markdown

@@ -0,0 +1,121 @@
+---
+layout: "google"
+page_title: "Google: google_spanner_instance_iam"
+sidebar_current: "docs-google-spanner-instance-iam"
+description: |-
+ Collection of resources to manage IAM policy for a Spanner instance.
+---
+
+# IAM policy for Spanner Instances
+
+Three different resources help you manage your IAM policy for a Spanner instance. Each of these resources serves a different use case:
+
+* `google_spanner_instance_iam_policy`: Authoritative. Sets the IAM policy for the instance and replaces any existing policy already attached.
+
+~> **Warning:** It's entirely possibly to lock yourself out of your instance using `google_spanner_instance_iam_policy`. Any permissions granted by default will be removed unless you include them in your config.
+
+* `google_spanner_instance_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved.
+* `google_spanner_instance_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the instance are preserved.
+
+~> **Note:** `google_spanner_instance_iam_policy` **cannot** be used in conjunction with `google_spanner_instance_iam_binding` and `google_spanner_instance_iam_member` or they will fight over what your policy should be.
+
+~> **Note:** `google_spanner_instance_iam_binding` resources **can be** used in conjunction with `google_spanner_instance_iam_member` resources **only if** they do not grant privilege to the same role.
+
+## google\_spanner\_instance\_iam\_policy
+
+```hcl
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/editor"
+
+    members = [
+      "user:[email protected]",
+    ]
+  }
+}
+
+resource "google_spanner_instance_iam_policy" "instance" {
+  instance    = "your-instance-name"
+  policy_data = "${data.google_iam_policy.admin.policy_data}"
+}
+```
+
+## google\_spanner\_instance\_iam\_binding
+
+```hcl
+resource "google_spanner_instance_iam_binding" "instance" {
+  instance  = "your-instance-name"
+  role      = "roles/compute.networkUser"
+
+  members = [
+    "user:[email protected]",
+  ]
+}
+```
+
+## google\_spanner\_instance\_iam\_member
+
+```hcl
+resource "google_spanner_instance_iam_member" "instance" {
+  instance  = "your-instance-name"
+  role      = "roles/compute.networkUser"
+  member    = "user:[email protected]"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `instance` - (Required) The name of the instance.
+
+* `member/members` - (Required) Identities that will be granted the privilege in `role`.
+  Each entry can have one of the following values:
+  * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
+  * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
+  * **user:{emailid}**: An email address that represents a specific Google account. For example, [email protected] or [email protected].
+  * **serviceAccount:{emailid}**: An email address that represents a service account. For example, [email protected].
+  * **group:{emailid}**: An email address that represents a Google group. For example, [email protected].
+  * **domain:{domain}**: A Google Apps domain name that represents all the users of that domain. For example, google.com or example.com.
+
+* `role` - (Required) The role that should be applied. Only one
+    `google_spanner_instance_iam_binding` can be used per role. Note that custom roles must be of the format
+    `[projects|organizations]/{parent-name}/roles/{role-name}`.
+
+* `policy_data` - (Required only by `google_spanner_instance_iam_policy`) The policy data generated by
+  a `google_iam_policy` data source.
+
+* `project` - (Optional) The ID of the project in which the resource belongs. If it
+    is not provided, the provider project is used.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are
+exported:
+
+* `etag` - (Computed) The etag of the instance's IAM policy.
+
+## Import
+
+For all import syntaxes, the "resource in question" can take any of the following forms:
+
+* {{project}}/{{name}}
+* {{name}} (project is taken from provider project)
+
+IAM member imports use space-delimited identifiers; the resource in question, the role, and the account, e.g.
+
+```
+$ terraform import google_spanner_instance_iam_member.instance "project-name/instance-name roles/viewer [email protected]"
+```
+
+IAM binding imports use space-delimited identifiers; the resource in question and the role, e.g.
+
+```
+$ terraform import google_spanner_instance_iam_binding.instance "project-name/instance-name roles/viewer"
+```
+
+IAM policy imports use the identifier of the resource in question, e.g.
+
+```
+$ terraform import google_spanner_instance_iam_policy.instance project-name/instance-name
+```

google.erb

@@ -536,6 +536,15 @@
       <li<%= sidebar_current("docs-google-spanner-instance") %>>
       <a href="/docs/providers/google/r/spanner_instance.html">google_spanner_instance</a>
       </li>
+      <li<%= sidebar_current("docs-google-spanner-instance-iam") %>>
+      <a href="/docs/providers/google/r/spanner_instance_iam.html">google_spanner_instance_iam_binding</a>
+      </li>
+      <li<%= sidebar_current("docs-google-spanner-instance-iam") %>>
+      <a href="/docs/providers/google/r/spanner_instance_iam.html">google_spanner_instance_iam_member</a>
+      </li>
+      <li<%= sidebar_current("docs-google-spanner-instance-iam") %>>
+      <a href="/docs/providers/google/r/spanner_instance_iam.html">google_spanner_instance_iam_policy</a>
+      </li>
     </ul>
     </li>