ibm 1.77.1 published on Monday, Apr 14, 2025 by ibm-cloud

ibm.IamAccessGroupPolicy


Create, update, or delete an IAM policy for an IAM access group. For more information about IBM Cloud access group policies, see creating policies for account management service access.

Example Usage

Access group policy for all Identity and Access enabled services

The following example creates an IAM policy that grants members of the access group the IAM Viewer platform role on all IAM-enabled services. Because no `resources` scope is set, the grant applies account-wide except for the `resourceTags` condition, which limits it to resources tagged `env: dev`.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Viewer platform role on every IAM-enabled service. There is no
// `resources` scope, so the only narrowing is the tag condition env=dev.
const viewerPolicy = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Viewer"],
    resourceTags: [{ name: "env", value: "dev" }],
    // NOTE(review): looks like a caller-chosen correlation ID for the API
    // request; confirm its semantics against the provider docs.
    transactionId: "terraformUserPolicy",
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Viewer platform role on every IAM-enabled service; no `resources` scope,
# so the only narrowing is the tag condition env=dev.
viewer_policy = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Viewer"],
    resource_tags=[{"name": "env", "value": "dev"}],
    # NOTE(review): presumably a caller-chosen correlation ID; verify.
    transaction_id="terraformUserPolicy",
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main creates an access group and grants its members the Viewer platform
// role on every IAM-enabled service, narrowed only by the tag env=dev.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		// No Resources block: the grant is account-wide apart from the tag.
		args := &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles:         pulumi.StringArray{pulumi.String("Viewer")},
			ResourceTags: ibm.IamAccessGroupPolicyResourceTagArray{
				&ibm.IamAccessGroupPolicyResourceTagArgs{
					Name:  pulumi.String("env"),
					Value: pulumi.String("dev"),
				},
			},
			// NOTE(review): presumably a caller-chosen correlation ID; verify.
			TransactionId: pulumi.String("terraformUserPolicy"),
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Tag condition: only resources carrying env=dev match.
    var tagScope = new Ibm.Inputs.IamAccessGroupPolicyResourceTagArgs
    {
        Name = "env",
        Value = "dev",
    };

    // Viewer platform role on every IAM-enabled service (no Resources scope).
    var viewerPolicy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        ResourceTags = new[] { tagScope },
        // NOTE(review): presumably a caller-chosen correlation ID; verify.
        TransactionId = "terraformUserPolicy",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourceTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Grants the access group's members the Viewer platform role on every
     * IAM-enabled service, narrowed only by the tag condition env=dev.
     */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        var tagScope = IamAccessGroupPolicyResourceTagArgs.builder()
            .name("env")
            .value("dev")
            .build();

        var policyArgs = IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Viewer")
            .resourceTags(tagScope)
            // NOTE(review): presumably a caller-chosen correlation ID; verify.
            .transactionId("terraformUserPolicy")
            .build();

        new IamAccessGroupPolicy("policy", policyArgs);
    }
}
resources:
  # Access group whose members receive the policy.
  accgrp:
    type: ibm:IamAccessGroup
  # Viewer platform role on every IAM-enabled service; the only narrowing is
  # the tag condition env=dev (no `resources` scope is set).
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Viewer]
      resourceTags:
        - { name: env, value: dev }
      transactionId: terraformUserPolicy

Access group policy for all Identity and Access enabled services within a resource group

The following example creates an IAM policy that grants members of the access group the IAM Operator platform role and the Writer service access role to all IAM-enabled services within a resource group.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Resolve the resource group by name; the lookup returns a Promise.
const resourceGroupId = ibm.getResourceGroup({ name: "default" }).then(rg => rg.id);

// Operator (platform) and Writer (service access) on every IAM-enabled
// service inside that resource group.
const groupPolicy = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Operator", "Writer"],
    resources: { resourceGroupId },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Resource group resolved by name.
rg = ibm.get_resource_group(name="default")

# Operator (platform) and Writer (service access) on every IAM-enabled
# service inside that resource group.
group_policy = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Operator", "Writer"],
    resources={"resource_group_id": rg.id},
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants the access group Operator (platform) and Writer (service
// access) on every IAM-enabled service inside the "default" resource group.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		rg, err := ibm.LookupResourceGroup(ctx, &ibm.LookupResourceGroupArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		args := &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles: pulumi.StringArray{
				pulumi.String("Operator"),
				pulumi.String("Writer"),
			},
			// Scope: the resource group only, every service within it.
			Resources: &ibm.IamAccessGroupPolicyResourcesArgs{
				ResourceGroupId: pulumi.String(rg.Id),
			},
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

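return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Resolve the resource group by name; Invoke returns an Output of the result.
    var resourceGroup = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });
    // A single Apply over the lookup Output yields the ID. The result object
    // is a plain record, so Apply belongs on the Output, not on the result
    // as the generated nested form had it.
    var resourceGroupId = resourceGroup.Apply(rg => rg.Id);

    // Operator (platform) and Writer (service access) on every IAM-enabled
    // service inside that resource group.
    var groupPolicy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Operator", "Writer" },
        Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
        {
            ResourceGroupId = resourceGroupId,
        },
    });
});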
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Grants the access group Operator (platform) and Writer (service access)
     * on every IAM-enabled service inside the "default" resource group.
     */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        final var rg = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());
        final var rgId = rg.applyValue(result -> result.id());

        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .resourceGroupId(rgId)
            .build();

        new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Operator", "Writer")
            .resources(scope)
            .build());
    }
}
# Operator (platform) + Writer (service access) on every IAM-enabled service
# inside the resource group looked up below.
resources:
  accgrp:
    type: ibm:IamAccessGroup
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Operator, Writer]
      resources:
        resourceGroupId: ${group.id}
variables:
  # Resource group resolved by name.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments: { name: default }

Access group policy using service with region

The following example creates an IAM policy that grants members of the access group the IAM Viewer platform role on all service instances of `cloudantnosqldb` in the us-south region.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Viewer on every cloudantnosqldb instance in us-south (service + region scope).
const cloudantViewer = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Viewer"],
    resources: { service: "cloudantnosqldb", region: "us-south" },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Viewer on every cloudantnosqldb instance in us-south (service + region scope).
cloudant_viewer = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Viewer"],
    resources={"service": "cloudantnosqldb", "region": "us-south"},
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants the access group Viewer on every cloudantnosqldb instance in
// us-south (service + region scope).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		scope := &ibm.IamAccessGroupPolicyResourcesArgs{
			Service: pulumi.String("cloudantnosqldb"),
			Region:  pulumi.String("us-south"),
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles:         pulumi.StringArray{pulumi.String("Viewer")},
			Resources:     scope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Service + region scope: every cloudantnosqldb instance in us-south.
    var scope = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
    {
        Service = "cloudantnosqldb",
        Region = "us-south",
    };

    var cloudantViewer = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        Resources = scope,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Viewer on every cloudantnosqldb instance in us-south (service + region scope). */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .service("cloudantnosqldb")
            .region("us-south")
            .build();

        new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Viewer")
            .resources(scope)
            .build());
    }
}
resources:
  accgrp:
    type: ibm:IamAccessGroup
  # Viewer on every cloudantnosqldb instance in us-south (service + region scope).
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Viewer]
      resources: { service: cloudantnosqldb, region: us-south }

Access group policy using service_type with region

The following example creates an IAM policy that grants members of the access group the IAM Viewer platform role on all resources whose `serviceType` is `service` in the us-south region.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Viewer scoped by serviceType=service and region us-south (no single service named).
const regionViewer = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Viewer"],
    resources: { serviceType: "service", region: "us-south" },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Viewer scoped by service_type=service and region us-south (no single service named).
region_viewer = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Viewer"],
    resources={"service_type": "service", "region": "us-south"},
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants the access group Viewer on resources with ServiceType
// "service" in us-south; no single service is named.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		scope := &ibm.IamAccessGroupPolicyResourcesArgs{
			ServiceType: pulumi.String("service"),
			Region:      pulumi.String("us-south"),
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles:         pulumi.StringArray{pulumi.String("Viewer")},
			Resources:     scope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Scope by ServiceType + region; no single service is named.
    var scope = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
    {
        ServiceType = "service",
        Region = "us-south",
    };

    var regionViewer = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        Resources = scope,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Viewer scoped by serviceType=service and region us-south; no single service named. */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .serviceType("service")
            .region("us-south")
            .build();

        new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Viewer")
            .resources(scope)
            .build());
    }
}
resources:
  accgrp:
    type: ibm:IamAccessGroup
  # Viewer scoped by serviceType=service and region us-south; no single service named.
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Viewer]
      resources: { serviceType: service, region: us-south }

Access group policy using resource instance

The following example creates an IAM policy that grants members of the access group the IAM Viewer and Administrator platform roles, and the Manager service access role, on a single service instance. Review whether all three roles are needed: the example combines the Administrator platform role with the Manager service access role on a key management (`kms`) instance, so grant it deliberately. The instance GUID is taken as the eighth `:`-separated field of the instance CRN.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// The kms instance the policy is scoped to.
const kmsInstance = new ibm.ResourceInstance("instance", {
    service: "kms",
    plan: "tiered-pricing",
    location: "us-south",
});

// The policy needs the instance GUID: field index 7 of the CRN split on ":".
const kmsInstanceGuid = kmsInstance.resourceInstanceId.apply(crn => crn.split(":")[7]);

// Manager (service access) plus Viewer and Administrator (platform) on that
// one instance. NOTE(review): confirm both Viewer and Administrator are intended.
const kmsPolicy = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Manager", "Viewer", "Administrator"],
    resources: {
        service: "kms",
        resourceInstanceId: kmsInstanceGuid,
    },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# The kms instance the policy is scoped to.
kms_instance = ibm.ResourceInstance(
    "instance",
    service="kms",
    plan="tiered-pricing",
    location="us-south",
)

# The policy needs the instance GUID: field index 7 of the CRN split on ":".
kms_instance_guid = kms_instance.resource_instance_id.apply(lambda crn: crn.split(":")[7])

# Manager (service access) plus Viewer and Administrator (platform) on that
# one instance. NOTE(review): confirm both Viewer and Administrator are intended.
kms_policy = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Manager", "Viewer", "Administrator"],
    resources={
        "service": "kms",
        "resource_instance_id": kms_instance_guid,
    },
)
package main

import (
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

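// main creates a kms instance and grants the access group Manager (service
// access) plus Viewer and Administrator (platform) on that single instance.
//
// The generated listing left ResourceInstanceId as the literal
// "TODO: call element", which is neither the instance GUID nor a valid
// StringPtrInput; it is replaced by an ApplyT over the instance CRN.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		inst, err := ibm.NewResourceInstance(ctx, "instance", &ibm.ResourceInstanceArgs{
			Service:  pulumi.String("kms"),
			Plan:     pulumi.String("tiered-pricing"),
			Location: pulumi.String("us-south"),
		})
		if err != nil {
			return err
		}
		// The policy wants the instance GUID, which the other listings on this
		// page take as element 7 of the CRN split on ":". Check the field count
		// so a malformed CRN fails the update instead of panicking in the apply.
		instanceGUID := inst.ResourceInstanceId.ApplyT(func(crn string) (string, error) {
			parts := strings.Split(crn, ":")
			if len(parts) < 8 {
				return "", fmt.Errorf("resource instance id %q: expected a CRN with at least 8 ':'-separated fields", crn)
			}
			return parts[7], nil
		}).(pulumi.StringOutput)
		// NOTE(review): confirm both Viewer and Administrator are intended
		// alongside Manager on the same instance.
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles: pulumi.StringArray{
				pulumi.String("Manager"),
				pulumi.String("Viewer"),
				pulumi.String("Administrator"),
			},
			Resources: &ibm.IamAccessGroupPolicyResourcesArgs{
				Service:            pulumi.String("kms"),
				ResourceInstanceId: instanceGUID,
			},
		})
		return err
	})
}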
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

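return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // The kms instance the policy is scoped to.
    var kmsInstance = new Ibm.ResourceInstance("instance", new()
    {
        Service = "kms",
        Plan = "tiered-pricing",
        Location = "us-south",
    });

    // The policy needs the instance GUID: field index 7 of the CRN split on ":".
    // Index inside the Apply — the generated form indexed the Output<string[]>
    // itself, which has no indexer.
    var kmsInstanceGuid = kmsInstance.ResourceInstanceId.Apply(crn => crn.Split(":")[7]);

    // Manager (service access) plus Viewer and Administrator (platform) on
    // that one instance. NOTE(review): confirm both Viewer and Administrator
    // are intended.
    var kmsPolicy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Manager", "Viewer", "Administrator" },
        Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
        {
            Service = "kms",
            ResourceInstanceId = kmsInstanceGuid,
        },
    });
});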
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

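public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a kms instance and grants the access group Manager (service
     * access) plus Viewer and Administrator (platform) on that one instance.
     */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        var kmsInstance = new ResourceInstance("instance", ResourceInstanceArgs.builder()
            .service("kms")
            .plan("tiered-pricing")
            .location("us-south")
            .build());

        // The policy needs the instance GUID: field index 7 of the CRN split
        // on ":". Index inside applyValue — the generated form applied `[7]`
        // to the Output itself, which is not valid Java.
        final var kmsInstanceGuid = kmsInstance.resourceInstanceId()
            .applyValue(crn -> crn.split(":")[7]);

        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .service("kms")
            .resourceInstanceId(kmsInstanceGuid)
            .build();

        // NOTE(review): confirm both Viewer and Administrator are intended
        // alongside Manager on the same instance.
        new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Manager", "Viewer", "Administrator")
            .resources(scope)
            .build());
    }
}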
resources:
  accgrp:
    type: ibm:IamAccessGroup
  # The kms instance the policy is scoped to.
  instance:
    type: ibm:ResourceInstance
    properties: { service: kms, plan: tiered-pricing, location: us-south }
  # Manager (service access) plus Viewer and Administrator (platform) on that
  # one instance. The instance GUID is field index 7 of the CRN split on ":".
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Manager, Viewer, Administrator]
      resources:
        service: kms
        resourceInstanceId:
          fn::select:
            - 7
            - fn::split: ["${instance.resourceInstanceId}", ":"]

Create a policy to all instances of an IBM Cloud service within a resource group

The following example creates an IAM policy that grants members of the access group the IAM Viewer platform role to all instances of IBM Cloud Kubernetes Service that are created within a specific resource group.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Resource group resolved by name (Promise).
const resourceGroupId = ibm.getResourceGroup({ name: "default" }).then(rg => rg.id);

// Viewer on every containers-kubernetes instance inside that resource group.
const clusterViewer = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Viewer"],
    resources: { service: "containers-kubernetes", resourceGroupId },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Resource group resolved by name.
rg = ibm.get_resource_group(name="default")

# Viewer on every containers-kubernetes instance inside that resource group.
cluster_viewer = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Viewer"],
    resources={"service": "containers-kubernetes", "resource_group_id": rg.id},
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants the access group Viewer on every containers-kubernetes
// instance inside the "default" resource group.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		rg, err := ibm.LookupResourceGroup(ctx, &ibm.LookupResourceGroupArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		scope := &ibm.IamAccessGroupPolicyResourcesArgs{
			Service:         pulumi.String("containers-kubernetes"),
			ResourceGroupId: pulumi.String(rg.Id),
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles:         pulumi.StringArray{pulumi.String("Viewer")},
			Resources:     scope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

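return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Resolve the resource group by name; Invoke returns an Output of the result.
    var resourceGroup = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });
    // One Apply over the lookup Output yields the ID; the result object is a
    // plain record, so Apply belongs on the Output, not on the result as the
    // generated nested form had it.
    var resourceGroupId = resourceGroup.Apply(rg => rg.Id);

    // Viewer on every containers-kubernetes instance inside that resource group.
    var clusterViewer = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
        {
            Service = "containers-kubernetes",
            ResourceGroupId = resourceGroupId,
        },
    });
});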
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Viewer on every containers-kubernetes instance inside the "default" resource group. */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        final var rg = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());
        final var rgId = rg.applyValue(result -> result.id());

        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .service("containers-kubernetes")
            .resourceGroupId(rgId)
            .build();

        new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Viewer")
            .resources(scope)
            .build());
    }
}
resources:
  accgrp:
    type: ibm:IamAccessGroup
  # Viewer on every containers-kubernetes instance inside the resource group.
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Viewer]
      resources:
        service: containers-kubernetes
        resourceGroupId: ${group.id}
variables:
  # Resource group resolved by name.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments: { name: default }

Access group policy by using resource and resource type

The following example creates an IAM policy that grants members of the access group the IAM Administrator platform role on the resource group named `default` itself (`resourceType: resource-group` with `resource` set to the group ID). Compare the earlier example that uses `resourceGroupId`, which scopes a policy to the services within a group rather than to the group object.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Resource group resolved by name (Promise).
const resourceGroupId = ibm.getResourceGroup({ name: "default" }).then(rg => rg.id);

// Administrator on the resource-group object itself (resourceType/resource),
// not a resourceGroupId scope over services. NOTE(review): confirm intended.
const groupAdmin = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Administrator"],
    resources: { resourceType: "resource-group", resource: resourceGroupId },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Resource group resolved by name.
rg = ibm.get_resource_group(name="default")

# Administrator on the resource-group object itself (resource_type/resource),
# not a resource_group_id scope over services. NOTE(review): confirm intended.
group_admin = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Administrator"],
    resources={"resource_type": "resource-group", "resource": rg.id},
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants the access group Administrator on the "default" resource
// group object itself (ResourceType/Resource), not on the services in it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		rg, err := ibm.LookupResourceGroup(ctx, &ibm.LookupResourceGroupArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		// NOTE(review): confirm the resource-group object is the intended target.
		scope := &ibm.IamAccessGroupPolicyResourcesArgs{
			ResourceType: pulumi.String("resource-group"),
			Resource:     pulumi.String(rg.Id),
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles:         pulumi.StringArray{pulumi.String("Administrator")},
			Resources:     scope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

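return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Resolve the resource group by name; Invoke returns an Output of the result.
    var resourceGroup = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });
    // One Apply over the lookup Output yields the ID; the result object is a
    // plain record, so Apply belongs on the Output, not on the result as the
    // generated nested form had it.
    var resourceGroupId = resourceGroup.Apply(rg => rg.Id);

    // Administrator on the resource-group object itself (ResourceType/Resource),
    // not a ResourceGroupId scope over services. NOTE(review): confirm intended.
    var groupAdmin = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Administrator" },
        Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
        {
            ResourceType = "resource-group",
            Resource = resourceGroupId,
        },
    });
});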
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Administrator on the "default" resource-group object itself
     * (resourceType/resource), not a resourceGroupId scope over services.
     */
    public static void stack(Context ctx) {
        var accessGroup = new IamAccessGroup("accgrp");

        final var rg = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());
        final var rgId = rg.applyValue(result -> result.id());

        // NOTE(review): confirm the resource-group object is the intended target.
        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .resourceType("resource-group")
            .resource(rgId)
            .build();

        new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accessGroup.iamAccessGroupId())
            .roles("Administrator")
            .resources(scope)
            .build());
    }
}
resources:
  accgrp:
    type: ibm:IamAccessGroup
  # Administrator on the resource-group object itself (resourceType/resource),
  # not a resourceGroupId scope over services. NOTE(review): confirm intended.
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles: [Administrator]
      resources:
        resourceType: resource-group
        resource: ${group.id}
variables:
  # Resource group resolved by name.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments: { name: default }

Access group policy by using attributes

The following example creates an IAM policy that grants members of the access group the IAM Viewer platform role on the `is` service within a resource group, with the `vpcId` attribute set to `*` so the grant matches every VPC in that group.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Access group whose members receive the policy below.
const accessGroup = new ibm.IamAccessGroup("accgrp", {});

// Resource group resolved by name (Promise).
const resourceGroupId = ibm.getResourceGroup({ name: "default" }).then(rg => rg.id);

// Viewer on the `is` service inside that resource group; the vpcId
// wildcard matches every VPC there rather than a single one.
const vpcViewer = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accessGroup.iamAccessGroupId,
    roles: ["Viewer"],
    resources: {
        service: "is",
        attributes: { vpcId: "*" },
        resourceGroupId,
    },
});
import pulumi
import pulumi_ibm as ibm

# Access group whose members receive the policy below.
access_group = ibm.IamAccessGroup("accgrp")

# Resource group resolved by name.
rg = ibm.get_resource_group(name="default")

# Viewer on the `is` service inside that resource group; the vpcId wildcard
# matches every VPC there rather than a single one.
vpc_viewer = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=access_group.iam_access_group_id,
    roles=["Viewer"],
    resources={
        "service": "is",
        "attributes": {"vpcId": "*"},
        "resource_group_id": rg.id,
    },
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants the access group Viewer on the "is" service inside the
// "default" resource group; the vpcId wildcard matches every VPC there.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ag, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		rg, err := ibm.LookupResourceGroup(ctx, &ibm.LookupResourceGroupArgs{
			Name: pulumi.StringRef("default"),
		}, nil)
		if err != nil {
			return err
		}
		scope := &ibm.IamAccessGroupPolicyResourcesArgs{
			Service:         pulumi.String("is"),
			Attributes:      pulumi.StringMap{"vpcId": pulumi.String("*")},
			ResourceGroupId: pulumi.String(rg.Id),
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: ag.IamAccessGroupId,
			Roles:         pulumi.StringArray{pulumi.String("Viewer")},
			Resources:     scope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

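return await Deployment.RunAsync(() =>
{
    // Access group whose members receive the policy below.
    var accessGroup = new Ibm.IamAccessGroup("accgrp");

    // Resolve the resource group by name; Invoke returns an Output of the result.
    var resourceGroup = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });
    // One Apply over the lookup Output yields the ID; the result object is a
    // plain record, so Apply belongs on the Output, not on the result as the
    // generated nested form had it.
    var resourceGroupId = resourceGroup.Apply(rg => rg.Id);

    // Viewer on the "is" service inside that resource group; the vpcId
    // wildcard matches every VPC there rather than a single one.
    var vpcViewer = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accessGroup.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
        {
            Service = "is",
            Attributes =
            {
                { "vpcId", "*" },
            },
            ResourceGroupId = resourceGroupId,
        },
    });
});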
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Grants an IAM access group the Viewer role on every VPC ("is" service) in the "default" resource group. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var accgrp = new IamAccessGroup("accgrp");

        // Data-source lookup: resolve the resource group name to its ID.
        final var group = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());

        // "vpcId" = "*" scopes the policy to all VPCs in that resource group, not a single one.
        var scope = IamAccessGroupPolicyResourcesArgs.builder()
            .service("is")
            .attributes(Map.of("vpcId", "*"))
            .resourceGroupId(group.applyValue(rg -> rg.id()))
            .build();

        var policyArgs = IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accgrp.iamAccessGroupId())
            .roles("Viewer")
            .resources(scope)
            .build();

        var policy = new IamAccessGroupPolicy("policy", policyArgs);
    }
}
# Viewer role for the access group on the "is" (VPC infrastructure) service,
# scoped to the resource group named "default".
resources:
  accgrp:
    type: ibm:IamAccessGroup
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles:
        - Viewer
      resources:
        service: is
        attributes:
          # "*" matches every VPC in the resource group, not a single named VPC.
          vpcId: '*'
        resourceGroupId: ${group.id}
variables:
  # Data-source lookup that resolves the resource group name to its ID.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default

Access Group Policy by using resource_attributes

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Grants the access group the Viewer role on Event Streams ("messagehub")
// resources whose name starts with "test123".
const accgrp = new ibm.IamAccessGroup("accgrp", {});

// "stringMatch" with a trailing "*" is a prefix match, so every resource whose
// name begins with "test123" is in scope. The serviceName attribute carries no
// operator, so the provider's default comparison applies (confirm in the
// provider docs if exact matching matters).
const policyScope = [
    { name: "resource", value: "test123*", operator: "stringMatch" },
    { name: "serviceName", value: "messagehub" },
];

const policy = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accgrp.iamAccessGroupId,
    roles: ["Viewer"],
    resourceAttributes: policyScope,
});
import pulumi
import pulumi_ibm as ibm

# Grants the access group the Viewer role on Event Streams ("messagehub")
# resources whose name starts with "test123".
accgrp = ibm.IamAccessGroup("accgrp")

# "stringMatch" with a trailing "*" is a prefix match. The serviceName
# attribute carries no operator, so the provider's default comparison applies
# (confirm in the provider docs if exact matching matters).
policy_scope = [
    {"name": "resource", "value": "test123*", "operator": "stringMatch"},
    {"name": "serviceName", "value": "messagehub"},
]

policy = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=accgrp.iam_access_group_id,
    roles=["Viewer"],
    resource_attributes=policy_scope,
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants an IAM access group the Viewer role on Event Streams
// ("messagehub") resources whose name starts with "test123".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		accgrp, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		// "stringMatch" with a trailing "*" is a prefix match; the serviceName
		// attribute carries no operator, so the provider's default applies.
		scope := ibm.IamAccessGroupPolicyResourceAttributeArray{
			&ibm.IamAccessGroupPolicyResourceAttributeArgs{
				Name:     pulumi.String("resource"),
				Value:    pulumi.String("test123*"),
				Operator: pulumi.String("stringMatch"),
			},
			&ibm.IamAccessGroupPolicyResourceAttributeArgs{
				Name:  pulumi.String("serviceName"),
				Value: pulumi.String("messagehub"),
			},
		}
		policyArgs := &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId:      accgrp.IamAccessGroupId,
			Roles:              pulumi.StringArray{pulumi.String("Viewer")},
			ResourceAttributes: scope,
		}
		if _, err := ibm.NewIamAccessGroupPolicy(ctx, "policy", policyArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Grants the access group the Viewer role on Event Streams ("messagehub")
// resources whose name starts with "test123".
return await Deployment.RunAsync(() =>
{
    var accgrp = new Ibm.IamAccessGroup("accgrp");

    // "stringMatch" with a trailing "*" is a prefix match; serviceName carries
    // no operator, so the provider's default comparison applies.
    var scope = new[]
    {
        new Ibm.Inputs.IamAccessGroupPolicyResourceAttributeArgs
        {
            Name = "resource",
            Value = "test123*",
            Operator = "stringMatch",
        },
        new Ibm.Inputs.IamAccessGroupPolicyResourceAttributeArgs
        {
            Name = "serviceName",
            Value = "messagehub",
        },
    };

    var policy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accgrp.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        ResourceAttributes = scope,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourceAttributeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Grants the access group the Viewer role on Event Streams ("messagehub") resources named "test123*". */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var accgrp = new IamAccessGroup("accgrp");

        // "stringMatch" with a trailing "*" is a prefix match; serviceName has no
        // operator, so the provider's default comparison applies.
        var byName = IamAccessGroupPolicyResourceAttributeArgs.builder()
            .name("resource")
            .value("test123*")
            .operator("stringMatch")
            .build();
        var byService = IamAccessGroupPolicyResourceAttributeArgs.builder()
            .name("serviceName")
            .value("messagehub")
            .build();

        var policyArgs = IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accgrp.iamAccessGroupId())
            .roles("Viewer")
            .resourceAttributes(byName, byService)
            .build();

        var policy = new IamAccessGroupPolicy("policy", policyArgs);
    }
}
# Viewer role for the access group on Event Streams ("messagehub") resources
# whose name starts with "test123".
resources:
  accgrp:
    type: ibm:IamAccessGroup
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles:
        - Viewer
      resourceAttributes:
        # stringMatch with a trailing "*" is a prefix match.
        - name: resource
          value: test123*
          operator: stringMatch
        # No operator given, so the provider's default comparison applies.
        - name: serviceName
          value: messagehub

Access Group Policy by using service and rule_conditions

rule_conditions can be used together with pattern and rule_operator to implement access group policies with time-based conditions. For more information, see Limiting access with time-based conditions. Note: currently, a policy resource that was created without rule_conditions, pattern, and rule_operator cannot later be updated to add those conditions.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Viewer on the "kms" (Key Protect) service, limited to a weekly time window:
// days 1-4 of the week, 09:00-17:00 at UTC offset +00:00. All three conditions
// must hold because ruleOperator is "and".
const accgrp = new ibm.IamAccessGroup("accgrp", {});

const dayOfWeek = "{{environment.attributes.day_of_week}}";
const currentTime = "{{environment.attributes.current_time}}";

const businessHours = [
    { key: dayOfWeek, operator: "dayOfWeekAnyOf", values: ["1+00:00", "2+00:00", "3+00:00", "4+00:00"] },
    // Start and end of the daily window.
    { key: currentTime, operator: "timeGreaterThanOrEquals", values: ["09:00:00+00:00"] },
    { key: currentTime, operator: "timeLessThanOrEquals", values: ["17:00:00+00:00"] },
];

const policy = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accgrp.iamAccessGroupId,
    roles: ["Viewer"],
    resources: { service: "kms" },
    ruleConditions: businessHours,
    ruleOperator: "and",
    pattern: "time-based-conditions:weekly:custom-hours",
});
import pulumi
import pulumi_ibm as ibm

# Viewer on the "kms" (Key Protect) service, limited to a weekly window: days
# 1-4 of the week, 09:00-17:00 at UTC offset +00:00. rule_operator "and"
# requires every condition to hold.
accgrp = ibm.IamAccessGroup("accgrp")

DAY_OF_WEEK = "{{environment.attributes.day_of_week}}"
CURRENT_TIME = "{{environment.attributes.current_time}}"


def _cond(key, operator, values):
    """Single rule condition on an environment attribute."""
    return {"key": key, "operator": operator, "values": values}


business_hours = [
    _cond(DAY_OF_WEEK, "dayOfWeekAnyOf", ["1+00:00", "2+00:00", "3+00:00", "4+00:00"]),
    # Start and end of the daily window.
    _cond(CURRENT_TIME, "timeGreaterThanOrEquals", ["09:00:00+00:00"]),
    _cond(CURRENT_TIME, "timeLessThanOrEquals", ["17:00:00+00:00"]),
]

policy = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=accgrp.iam_access_group_id,
    roles=["Viewer"],
    resources={"service": "kms"},
    rule_conditions=business_hours,
    rule_operator="and",
    pattern="time-based-conditions:weekly:custom-hours",
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants an IAM access group the Viewer role on the "kms" (Key Protect)
// service, limited to days 1-4 of the week between 09:00 and 17:00 at UTC
// offset +00:00; RuleOperator "and" requires every condition to hold.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		accgrp, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		// condition builds one rule condition on an environment attribute.
		condition := func(key, op string, values ...string) *ibm.IamAccessGroupPolicyRuleConditionArgs {
			vals := make(pulumi.StringArray, 0, len(values))
			for _, v := range values {
				vals = append(vals, pulumi.String(v))
			}
			return &ibm.IamAccessGroupPolicyRuleConditionArgs{
				Key:      pulumi.String(key),
				Operator: pulumi.String(op),
				Values:   vals,
			}
		}
		const (
			dayOfWeek   = "{{environment.attributes.day_of_week}}"
			currentTime = "{{environment.attributes.current_time}}"
		)
		businessHours := ibm.IamAccessGroupPolicyRuleConditionArray{
			condition(dayOfWeek, "dayOfWeekAnyOf", "1+00:00", "2+00:00", "3+00:00", "4+00:00"),
			// Start and end of the daily window.
			condition(currentTime, "timeGreaterThanOrEquals", "09:00:00+00:00"),
			condition(currentTime, "timeLessThanOrEquals", "17:00:00+00:00"),
		}
		policyArgs := &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId:  accgrp.IamAccessGroupId,
			Roles:          pulumi.StringArray{pulumi.String("Viewer")},
			Resources:      &ibm.IamAccessGroupPolicyResourcesArgs{Service: pulumi.String("kms")},
			RuleConditions: businessHours,
			RuleOperator:   pulumi.String("and"),
			Pattern:        pulumi.String("time-based-conditions:weekly:custom-hours"),
		}
		if _, err := ibm.NewIamAccessGroupPolicy(ctx, "policy", policyArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Viewer on the "kms" (Key Protect) service, limited to days 1-4 of the week
// between 09:00 and 17:00 at UTC offset +00:00; RuleOperator "and" requires
// every condition to hold.
return await Deployment.RunAsync(() =>
{
    var accgrp = new Ibm.IamAccessGroup("accgrp");

    const string dayOfWeek = "{{environment.attributes.day_of_week}}";
    const string currentTime = "{{environment.attributes.current_time}}";

    var businessHours = new[]
    {
        new Ibm.Inputs.IamAccessGroupPolicyRuleConditionArgs
        {
            Key = dayOfWeek,
            Operator = "dayOfWeekAnyOf",
            Values = new[] { "1+00:00", "2+00:00", "3+00:00", "4+00:00" },
        },
        // Start and end of the daily window.
        new Ibm.Inputs.IamAccessGroupPolicyRuleConditionArgs
        {
            Key = currentTime,
            Operator = "timeGreaterThanOrEquals",
            Values = new[] { "09:00:00+00:00" },
        },
        new Ibm.Inputs.IamAccessGroupPolicyRuleConditionArgs
        {
            Key = currentTime,
            Operator = "timeLessThanOrEquals",
            Values = new[] { "17:00:00+00:00" },
        },
    };

    var policy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accgrp.IamAccessGroupId,
        Roles = new[] { "Viewer" },
        Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs { Service = "kms" },
        RuleConditions = businessHours,
        RuleOperator = "and",
        Pattern = "time-based-conditions:weekly:custom-hours",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourcesArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyRuleConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Viewer on the "kms" (Key Protect) service, limited to days 1-4 of the week, 09:00-17:00 at UTC offset +00:00. */
public class App {
    private static final String DAY_OF_WEEK = "{{environment.attributes.day_of_week}}";
    private static final String CURRENT_TIME = "{{environment.attributes.current_time}}";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Builds one rule condition on an environment attribute. */
    private static IamAccessGroupPolicyRuleConditionArgs condition(String key, String op, String... values) {
        return IamAccessGroupPolicyRuleConditionArgs.builder()
            .key(key)
            .operator(op)
            .values(values)
            .build();
    }

    public static void stack(Context ctx) {
        var accgrp = new IamAccessGroup("accgrp");

        // ruleOperator "and" requires every condition below to hold.
        var policyArgs = IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accgrp.iamAccessGroupId())
            .roles("Viewer")
            .resources(IamAccessGroupPolicyResourcesArgs.builder().service("kms").build())
            .ruleConditions(
                condition(DAY_OF_WEEK, "dayOfWeekAnyOf", "1+00:00", "2+00:00", "3+00:00", "4+00:00"),
                // Start and end of the daily window.
                condition(CURRENT_TIME, "timeGreaterThanOrEquals", "09:00:00+00:00"),
                condition(CURRENT_TIME, "timeLessThanOrEquals", "17:00:00+00:00"))
            .ruleOperator("and")
            .pattern("time-based-conditions:weekly:custom-hours")
            .build();

        var policy = new IamAccessGroupPolicy("policy", policyArgs);
    }
}
# Viewer role on the "kms" (Key Protect) service, limited to a weekly window:
# days 1-4 of the week, 09:00-17:00 at UTC offset +00:00. ruleOperator "and"
# requires every condition to hold.
resources:
  accgrp:
    type: ibm:IamAccessGroup
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles:
        - Viewer
      resources:
        service: kms
      ruleConditions:
        - key: '{{environment.attributes.day_of_week}}'
          operator: dayOfWeekAnyOf
          values:
            - 1+00:00
            - 2+00:00
            - 3+00:00
            - 4+00:00
        # Start of the daily window.
        - key: '{{environment.attributes.current_time}}'
          operator: timeGreaterThanOrEquals
          values:
            - 09:00:00+00:00
        # End of the daily window.
        - key: '{{environment.attributes.current_time}}'
          operator: timeLessThanOrEquals
          values:
            - 17:00:00+00:00
      ruleOperator: and
      pattern: time-based-conditions:weekly:custom-hours

Access Group Policy by using service_group_id resource attribute

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

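// Grants the access group Administrator plus the "Service ID creator" and
// "User API key creator" roles on the IAM service group. Members can then mint
// new service IDs and user API keys for the account, so review this group's
// membership as you would any admin role.
const accgrp = new ibm.IamAccessGroup("accgrp", {});
const policy = new ibm.IamAccessGroupPolicy("policy", {
    // Bind the policy to the group above; without accessGroupId the policy is
    // not attached to any access group.
    accessGroupId: accgrp.iamAccessGroupId,
    // service_group_id = "IAM" scopes the roles to the IAM service group as a whole.
    resourceAttributes: [{
        name: "service_group_id",
        operator: "stringEquals",
        value: "IAM",
    }],
    roles: [
        "Service ID creator",
        "User API key creator",
        "Administrator",
    ],
});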
import pulumi
import pulumi_ibm as ibm

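# Grants the access group Administrator plus the "Service ID creator" and
# "User API key creator" roles on the IAM service group. Members can then mint
# new service IDs and user API keys for the account, so review this group's
# membership as you would any admin role.
accgrp = ibm.IamAccessGroup("accgrp")
policy = ibm.IamAccessGroupPolicy("policy",
    # Bind the policy to the group above; without access_group_id the policy
    # is not attached to any access group.
    access_group_id=accgrp.iam_access_group_id,
    # service_group_id = "IAM" scopes the roles to the IAM service group as a whole.
    resource_attributes=[{
        "name": "service_group_id",
        "operator": "stringEquals",
        "value": "IAM",
    }],
    roles=[
        "Service ID creator",
        "User API key creator",
        "Administrator",
    ])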
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

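// main grants an IAM access group the Administrator, "Service ID creator" and
// "User API key creator" roles on the IAM service group (service_group_id =
// "IAM"). Members can then mint new service IDs and user API keys for the
// account, so review the group's membership as you would any admin role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the handle: the policy below must be bound to this group.
		accgrp, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}
		_, err = ibm.NewIamAccessGroupPolicy(ctx, "policy", &ibm.IamAccessGroupPolicyArgs{
			// Without AccessGroupId the policy is not attached to any access group.
			AccessGroupId: accgrp.IamAccessGroupId,
			// service_group_id = "IAM" scopes the roles to the IAM service group as a whole.
			ResourceAttributes: ibm.IamAccessGroupPolicyResourceAttributeArray{
				&ibm.IamAccessGroupPolicyResourceAttributeArgs{
					Name:     pulumi.String("service_group_id"),
					Operator: pulumi.String("stringEquals"),
					Value:    pulumi.String("IAM"),
				},
			},
			Roles: pulumi.StringArray{
				pulumi.String("Service ID creator"),
				pulumi.String("User API key creator"),
				pulumi.String("Administrator"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}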
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

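// Grants the access group Administrator plus the "Service ID creator" and
// "User API key creator" roles on the IAM service group. Members can then mint
// new service IDs and user API keys for the account, so review this group's
// membership as you would any admin role.
return await Deployment.RunAsync(() =>
{
    var accgrp = new Ibm.IamAccessGroup("accgrp");

    var policy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        // Bind the policy to the group above; without AccessGroupId the policy
        // is not attached to any access group.
        AccessGroupId = accgrp.IamAccessGroupId,
        // service_group_id = "IAM" scopes the roles to the IAM service group as a whole.
        ResourceAttributes = new[]
        {
            new Ibm.Inputs.IamAccessGroupPolicyResourceAttributeArgs
            {
                Name = "service_group_id",
                Operator = "stringEquals",
                Value = "IAM",
            },
        },
        Roles = new[]
        {
            "Service ID creator",
            "User API key creator",
            "Administrator",
        },
    });

});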
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourceAttributeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

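/**
 * Grants the access group Administrator plus the "Service ID creator" and
 * "User API key creator" roles on the IAM service group. Members can then mint
 * new service IDs and user API keys for the account, so review this group's
 * membership as you would any admin role.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var accgrp = new IamAccessGroup("accgrp");

        var policy = new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            // Bind the policy to the group above; without accessGroupId the policy
            // is not attached to any access group.
            .accessGroupId(accgrp.iamAccessGroupId())
            // service_group_id = "IAM" scopes the roles to the IAM service group as a whole.
            .resourceAttributes(IamAccessGroupPolicyResourceAttributeArgs.builder()
                .name("service_group_id")
                .operator("stringEquals")
                .value("IAM")
                .build())
            .roles(
                "Service ID creator",
                "User API key creator",
                "Administrator")
            .build());
    }
}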
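# Grants the access group Administrator plus the "Service ID creator" and
# "User API key creator" roles on the IAM service group. Members can then mint
# new service IDs and user API keys for the account, so review this group's
# membership as you would any admin role.
resources:
  accgrp:
    type: ibm:IamAccessGroup
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      # Bind the policy to the group above; without accessGroupId the policy
      # is not attached to any access group.
      accessGroupId: ${accgrp.iamAccessGroupId}
      # service_group_id = "IAM" scopes the roles to the IAM service group as a whole.
      resourceAttributes:
        - name: service_group_id
          operator: stringEquals
          value: IAM
      roles:
        - Service ID creator
        - User API key creator
        - Administrator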

Access Group Policy by using Attribute Based Condition

rule_conditions can be used together with pattern = attribute-based-condition:resource:literal-and-wildcard and rule_operator to implement more complex policy conditions. Note: currently, a policy resource that was created without rule_conditions, pattern, and rule_operator cannot later be updated to add those conditions.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Writer on one Cloud Object Storage bucket ("fgac-tf-test" in instance
// "cos-instance"), narrowed by attribute-based conditions to the
// folder1/subfolder1/ prefix. ruleOperator "or" allows a request when ANY of
// the three rule alternatives below holds.
const accgrp = new ibm.IamAccessGroup("accgrp", {});

// Identify the target bucket: service, instance, resource type and name.
const bucketScope = [
    { value: "cloud-object-storage", operator: "stringEquals", name: "serviceName" },
    { value: "cos-instance", operator: "stringEquals", name: "serviceInstance" },
    { value: "bucket", operator: "stringEquals", name: "resourceType" },
    { value: "fgac-tf-test", operator: "stringEquals", name: "resource" },
];

const prefix = "{{resource.attributes.prefix}}";
const delimiter = "{{resource.attributes.delimiter}}";
const objectPath = "{{resource.attributes.path}}";

const folderConditions = [
    // 1. a prefix under folder1/subfolder1/ together with a "/" or empty delimiter
    {
        operator: "and",
        conditions: [
            { key: prefix, operator: "stringMatch", values: ["folder1/subfolder1/*"] },
            { key: delimiter, operator: "stringEqualsAnyOf", values: ["/", ""] },
        ],
    },
    // 2. an object path under folder1/subfolder1/
    { key: objectPath, operator: "stringMatch", values: ["folder1/subfolder1/*"] },
    // 3. neither a delimiter nor a prefix attribute is present on the request
    {
        operator: "and",
        conditions: [
            { key: delimiter, operator: "stringExists", values: ["false"] },
            { key: prefix, operator: "stringExists", values: ["false"] },
        ],
    },
];

const policy = new ibm.IamAccessGroupPolicy("policy", {
    accessGroupId: accgrp.iamAccessGroupId,
    roles: ["Writer"],
    resourceAttributes: bucketScope,
    ruleConditions: folderConditions,
    ruleOperator: "or",
    pattern: "attribute-based-condition:resource:literal-and-wildcard",
    description: "IAM User Policy Attribute Based Condition Creation for test scenario",
});
import pulumi
import pulumi_ibm as ibm

# Writer on one Cloud Object Storage bucket ("fgac-tf-test" in instance
# "cos-instance"), narrowed by attribute-based conditions to the
# folder1/subfolder1/ prefix. rule_operator "or" allows a request when ANY of
# the three rule alternatives below holds.
accgrp = ibm.IamAccessGroup("accgrp")

PREFIX = "{{resource.attributes.prefix}}"
DELIMITER = "{{resource.attributes.delimiter}}"
OBJECT_PATH = "{{resource.attributes.path}}"


def _equals(name, value):
    """Resource attribute that must match ``value`` exactly."""
    return {"value": value, "operator": "stringEquals", "name": name}


def _cond(key, operator, values):
    """Single rule condition on a resource attribute."""
    return {"key": key, "operator": operator, "values": values}


# Identify the target bucket: service, instance, resource type and name.
bucket_scope = [
    _equals("serviceName", "cloud-object-storage"),
    _equals("serviceInstance", "cos-instance"),
    _equals("resourceType", "bucket"),
    _equals("resource", "fgac-tf-test"),
]

folder_conditions = [
    # 1. a prefix under folder1/subfolder1/ together with a "/" or empty delimiter
    {
        "operator": "and",
        "conditions": [
            _cond(PREFIX, "stringMatch", ["folder1/subfolder1/*"]),
            _cond(DELIMITER, "stringEqualsAnyOf", ["/", ""]),
        ],
    },
    # 2. an object path under folder1/subfolder1/
    _cond(OBJECT_PATH, "stringMatch", ["folder1/subfolder1/*"]),
    # 3. neither a delimiter nor a prefix attribute is present on the request
    {
        "operator": "and",
        "conditions": [
            _cond(DELIMITER, "stringExists", ["false"]),
            _cond(PREFIX, "stringExists", ["false"]),
        ],
    },
]

policy = ibm.IamAccessGroupPolicy(
    "policy",
    access_group_id=accgrp.iam_access_group_id,
    roles=["Writer"],
    resource_attributes=bucket_scope,
    rule_conditions=folder_conditions,
    rule_operator="or",
    pattern="attribute-based-condition:resource:literal-and-wildcard",
    description="IAM User Policy Attribute Based Condition Creation for test scenario",
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants an IAM access group the Writer role on one Cloud Object Storage
// bucket ("fgac-tf-test" in instance "cos-instance"), narrowed by
// attribute-based conditions to the folder1/subfolder1/ prefix. RuleOperator
// "or" allows a request when any of the three rule alternatives holds.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		accgrp, err := ibm.NewIamAccessGroup(ctx, "accgrp", nil)
		if err != nil {
			return err
		}

		// equals is a resource attribute that must match value exactly.
		equals := func(name, value string) *ibm.IamAccessGroupPolicyResourceAttributeArgs {
			return &ibm.IamAccessGroupPolicyResourceAttributeArgs{
				Value:    pulumi.String(value),
				Operator: pulumi.String("stringEquals"),
				Name:     pulumi.String(name),
			}
		}
		// strs lifts plain strings into a pulumi.StringArray.
		strs := func(values ...string) pulumi.StringArray {
			out := make(pulumi.StringArray, 0, len(values))
			for _, v := range values {
				out = append(out, pulumi.String(v))
			}
			return out
		}
		// leaf is a single condition on a resource attribute, nested inside an "and" group.
		leaf := func(key, op string, values ...string) *ibm.IamAccessGroupPolicyRuleConditionConditionArgs {
			return &ibm.IamAccessGroupPolicyRuleConditionConditionArgs{
				Key:      pulumi.String(key),
				Operator: pulumi.String(op),
				Values:   strs(values...),
			}
		}
		// all groups leaf conditions that must hold together.
		all := func(conds ...*ibm.IamAccessGroupPolicyRuleConditionConditionArgs) *ibm.IamAccessGroupPolicyRuleConditionArgs {
			group := make(ibm.IamAccessGroupPolicyRuleConditionConditionArray, 0, len(conds))
			for _, c := range conds {
				group = append(group, c)
			}
			return &ibm.IamAccessGroupPolicyRuleConditionArgs{
				Operator:   pulumi.String("and"),
				Conditions: group,
			}
		}

		const (
			prefix     = "{{resource.attributes.prefix}}"
			delimiter  = "{{resource.attributes.delimiter}}"
			objectPath = "{{resource.attributes.path}}"
		)
		folderConditions := ibm.IamAccessGroupPolicyRuleConditionArray{
			// 1. a prefix under folder1/subfolder1/ together with a "/" or empty delimiter
			all(
				leaf(prefix, "stringMatch", "folder1/subfolder1/*"),
				leaf(delimiter, "stringEqualsAnyOf", "/", ""),
			),
			// 2. an object path under folder1/subfolder1/
			&ibm.IamAccessGroupPolicyRuleConditionArgs{
				Key:      pulumi.String(objectPath),
				Operator: pulumi.String("stringMatch"),
				Values:   strs("folder1/subfolder1/*"),
			},
			// 3. neither a delimiter nor a prefix attribute is present on the request
			all(
				leaf(delimiter, "stringExists", "false"),
				leaf(prefix, "stringExists", "false"),
			),
		}

		policyArgs := &ibm.IamAccessGroupPolicyArgs{
			AccessGroupId: accgrp.IamAccessGroupId,
			Roles:         strs("Writer"),
			// Identify the target bucket: service, instance, resource type and name.
			ResourceAttributes: ibm.IamAccessGroupPolicyResourceAttributeArray{
				equals("serviceName", "cloud-object-storage"),
				equals("serviceInstance", "cos-instance"),
				equals("resourceType", "bucket"),
				equals("resource", "fgac-tf-test"),
			},
			RuleConditions: folderConditions,
			RuleOperator:   pulumi.String("or"),
			Pattern:        pulumi.String("attribute-based-condition:resource:literal-and-wildcard"),
			Description:    pulumi.String("IAM User Policy Attribute Based Condition Creation for test scenario"),
		}
		if _, err := ibm.NewIamAccessGroupPolicy(ctx, "policy", policyArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Writer on one Cloud Object Storage bucket ("fgac-tf-test" in instance
// "cos-instance"), narrowed by attribute-based conditions to the
// folder1/subfolder1/ prefix. RuleOperator "or" allows a request when any of
// the three rule alternatives below holds.
return await Deployment.RunAsync(() =>
{
    var accgrp = new Ibm.IamAccessGroup("accgrp");

    // A resource attribute that must match value exactly.
    static Ibm.Inputs.IamAccessGroupPolicyResourceAttributeArgs Exact(string name, string value) =>
        new() { Value = value, Operator = "stringEquals", Name = name };

    // A single condition on a resource attribute, nested inside an "and" group.
    static Ibm.Inputs.IamAccessGroupPolicyRuleConditionConditionArgs Leaf(string key, string op, params string[] values) =>
        new() { Key = key, Operator = op, Values = values };

    // Conditions that must all hold together.
    static Ibm.Inputs.IamAccessGroupPolicyRuleConditionArgs All(params Ibm.Inputs.IamAccessGroupPolicyRuleConditionConditionArgs[] conditions) =>
        new() { Operator = "and", Conditions = conditions };

    const string prefix = "{{resource.attributes.prefix}}";
    const string delimiter = "{{resource.attributes.delimiter}}";
    const string objectPath = "{{resource.attributes.path}}";

    var folderConditions = new[]
    {
        // 1. a prefix under folder1/subfolder1/ together with a "/" or empty delimiter
        All(Leaf(prefix, "stringMatch", "folder1/subfolder1/*"),
            Leaf(delimiter, "stringEqualsAnyOf", "/", "")),
        // 2. an object path under folder1/subfolder1/
        new Ibm.Inputs.IamAccessGroupPolicyRuleConditionArgs
        {
            Key = objectPath,
            Operator = "stringMatch",
            Values = new[] { "folder1/subfolder1/*" },
        },
        // 3. neither a delimiter nor a prefix attribute is present on the request
        All(Leaf(delimiter, "stringExists", "false"),
            Leaf(prefix, "stringExists", "false")),
    };

    var policy = new Ibm.IamAccessGroupPolicy("policy", new()
    {
        AccessGroupId = accgrp.IamAccessGroupId,
        Roles = new[] { "Writer" },
        // Identify the target bucket: service, instance, resource type and name.
        ResourceAttributes = new[]
        {
            Exact("serviceName", "cloud-object-storage"),
            Exact("serviceInstance", "cos-instance"),
            Exact("resourceType", "bucket"),
            Exact("resource", "fgac-tf-test"),
        },
        RuleConditions = folderConditions,
        RuleOperator = "or",
        Pattern = "attribute-based-condition:resource:literal-and-wildcard",
        Description = "IAM User Policy Attribute Based Condition Creation for test scenario",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroup;
import com.pulumi.ibm.IamAccessGroupPolicy;
import com.pulumi.ibm.IamAccessGroupPolicyArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyResourceAttributeArgs;
import com.pulumi.ibm.inputs.IamAccessGroupPolicyRuleConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

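/**
 * Example program: grants an access group the Writer role on a single Cloud
 * Object Storage bucket, further narrowed by attribute-based rule conditions
 * on the object prefix, delimiter and path.
 *
 * The nested condition type IamAccessGroupPolicyRuleConditionConditionArgs is
 * used below and must be imported alongside the other inputs types.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the access group and the attribute-scoped policy attached to it.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var accgrp = new IamAccessGroup("accgrp");

        var policy = new IamAccessGroupPolicy("policy", IamAccessGroupPolicyArgs.builder()
            .accessGroupId(accgrp.iamAccessGroupId())
            .roles("Writer")
            // Scope: the "fgac-tf-test" bucket of the "cos-instance" COS instance.
            .resourceAttributes(
                IamAccessGroupPolicyResourceAttributeArgs.builder()
                    .value("cloud-object-storage")
                    .operator("stringEquals")
                    .name("serviceName")
                    .build(),
                IamAccessGroupPolicyResourceAttributeArgs.builder()
                    .value("cos-instance")
                    .operator("stringEquals")
                    .name("serviceInstance")
                    .build(),
                IamAccessGroupPolicyResourceAttributeArgs.builder()
                    .value("bucket")
                    .operator("stringEquals")
                    .name("resourceType")
                    .build(),
                IamAccessGroupPolicyResourceAttributeArgs.builder()
                    .value("fgac-tf-test")
                    .operator("stringEquals")
                    .name("resource")
                    .build())
            // Three rule conditions on object prefix, delimiter and path; they are
            // combined with the ruleOperator "or" set below.
            .ruleConditions(
                IamAccessGroupPolicyRuleConditionArgs.builder()
                    .operator("and")
                    .conditions(
                        IamAccessGroupPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.prefix}}")
                            .operator("stringMatch")
                            .values("folder1/subfolder1/*")
                            .build(),
                        IamAccessGroupPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.delimiter}}")
                            .operator("stringEqualsAnyOf")
                            .values(
                                "/",
                                "")
                            .build())
                    .build(),
                IamAccessGroupPolicyRuleConditionArgs.builder()
                    .key("{{resource.attributes.path}}")
                    .operator("stringMatch")
                    .values("folder1/subfolder1/*")
                    .build(),
                IamAccessGroupPolicyRuleConditionArgs.builder()
                    .operator("and")
                    .conditions(
                        IamAccessGroupPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.delimiter}}")
                            .operator("stringExists")
                            .values("false")
                            .build(),
                        IamAccessGroupPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.prefix}}")
                            .operator("stringExists")
                            .values("false")
                            .build())
                    .build())
            .ruleOperator("or")
            .pattern("attribute-based-condition:resource:literal-and-wildcard")
            .description("IAM User Policy Attribute Based Condition Creation for test scenario")
            .build());
    }
}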
# Writer access for the access group on one Cloud Object Storage bucket,
# narrowed further by attribute-based rule conditions.
resources:
  accgrp:
    type: ibm:IamAccessGroup
  policy:
    type: ibm:IamAccessGroupPolicy
    properties:
      accessGroupId: ${accgrp.iamAccessGroupId}
      roles:
        - Writer
      # Scope: the "fgac-tf-test" bucket of the "cos-instance" COS instance.
      resourceAttributes:
        - value: cloud-object-storage
          operator: stringEquals
          name: serviceName
        - value: cos-instance
          operator: stringEquals
          name: serviceInstance
        - value: bucket
          operator: stringEquals
          name: resourceType
        - value: fgac-tf-test
          operator: stringEquals
          name: resource
      # Three rule conditions on object prefix, delimiter and path; they are
      # combined with the ruleOperator "or" set below.
      ruleConditions:
        - operator: and
          conditions:
            - key: '{{resource.attributes.prefix}}'
              operator: stringMatch
              values:
                - folder1/subfolder1/*
            - key: '{{resource.attributes.delimiter}}'
              operator: stringEqualsAnyOf
              values:
                - /
                - ""
        - key: '{{resource.attributes.path}}'
          operator: stringMatch
          values:
            - folder1/subfolder1/*
        - operator: and
          conditions:
            - key: '{{resource.attributes.delimiter}}'
              operator: stringExists
              values:
                - 'false'
            - key: '{{resource.attributes.prefix}}'
              operator: stringExists
              values:
                - 'false'
      ruleOperator: or
      pattern: attribute-based-condition:resource:literal-and-wildcard
      description: IAM User Policy Attribute Based Condition Creation for test scenario

Create IamAccessGroupPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new IamAccessGroupPolicy(name: string, args: IamAccessGroupPolicyArgs, opts?: CustomResourceOptions);
@overload
def IamAccessGroupPolicy(resource_name: str,
                         args: IamAccessGroupPolicyArgs,
                         opts: Optional[ResourceOptions] = None)

@overload
def IamAccessGroupPolicy(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         access_group_id: Optional[str] = None,
                         roles: Optional[Sequence[str]] = None,
                         resource_tags: Optional[Sequence[IamAccessGroupPolicyResourceTagArgs]] = None,
                         iam_access_group_policy_id: Optional[str] = None,
                         pattern: Optional[str] = None,
                         resource_attributes: Optional[Sequence[IamAccessGroupPolicyResourceAttributeArgs]] = None,
                         description: Optional[str] = None,
                         resources: Optional[IamAccessGroupPolicyResourcesArgs] = None,
                         account_management: Optional[bool] = None,
                         rule_conditions: Optional[Sequence[IamAccessGroupPolicyRuleConditionArgs]] = None,
                         rule_operator: Optional[str] = None,
                         tags: Optional[Sequence[str]] = None,
                         transaction_id: Optional[str] = None)
func NewIamAccessGroupPolicy(ctx *Context, name string, args IamAccessGroupPolicyArgs, opts ...ResourceOption) (*IamAccessGroupPolicy, error)
public IamAccessGroupPolicy(string name, IamAccessGroupPolicyArgs args, CustomResourceOptions? opts = null)
public IamAccessGroupPolicy(String name, IamAccessGroupPolicyArgs args)
public IamAccessGroupPolicy(String name, IamAccessGroupPolicyArgs args, CustomResourceOptions options)
type: ibm:IamAccessGroupPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. IamAccessGroupPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. IamAccessGroupPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. IamAccessGroupPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. IamAccessGroupPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. IamAccessGroupPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference shape only: every value is a placeholder of the property's type.
// See the Inputs table for what each property controls.
var iamAccessGroupPolicyResource = new Ibm.IamAccessGroupPolicy("iamAccessGroupPolicyResource", new()
{
    AccessGroupId = "string",
    Roles = new[]
    {
        "string",
    },
    ResourceTags = new[]
    {
        new Ibm.Inputs.IamAccessGroupPolicyResourceTagArgs
        {
            Name = "string",
            Value = "string",
            Operator = "string",
        },
    },
    IamAccessGroupPolicyId = "string",
    Pattern = "string",
    ResourceAttributes = new[]
    {
        new Ibm.Inputs.IamAccessGroupPolicyResourceAttributeArgs
        {
            Name = "string",
            Value = "string",
            Operator = "string",
        },
    },
    Description = "string",
    Resources = new Ibm.Inputs.IamAccessGroupPolicyResourcesArgs
    {
        Attributes = 
        {
            { "string", "string" },
        },
        Region = "string",
        Resource = "string",
        ResourceGroupId = "string",
        ResourceInstanceId = "string",
        ResourceType = "string",
        Service = "string",
        ServiceGroupId = "string",
        ServiceType = "string",
    },
    AccountManagement = false,
    RuleConditions = new[]
    {
        new Ibm.Inputs.IamAccessGroupPolicyRuleConditionArgs
        {
            Operator = "string",
            Conditions = new[]
            {
                new Ibm.Inputs.IamAccessGroupPolicyRuleConditionConditionArgs
                {
                    Key = "string",
                    Operator = "string",
                    Values = new[]
                    {
                        "string",
                    },
                },
            },
            Key = "string",
            Values = new[]
            {
                "string",
            },
        },
    },
    RuleOperator = "string",
    Tags = new[]
    {
        "string",
    },
    TransactionId = "string",
});
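// Reference shape only: every value is a placeholder of the property's type.
// See the Inputs table for what each property controls. The array and args
// types are qualified with the ibm package, as in the full examples above.
example, err := ibm.NewIamAccessGroupPolicy(ctx, "iamAccessGroupPolicyResource", &ibm.IamAccessGroupPolicyArgs{
	AccessGroupId: pulumi.String("string"),
	Roles: pulumi.StringArray{
		pulumi.String("string"),
	},
	ResourceTags: ibm.IamAccessGroupPolicyResourceTagArray{
		&ibm.IamAccessGroupPolicyResourceTagArgs{
			Name:     pulumi.String("string"),
			Value:    pulumi.String("string"),
			Operator: pulumi.String("string"),
		},
	},
	IamAccessGroupPolicyId: pulumi.String("string"),
	Pattern:                pulumi.String("string"),
	ResourceAttributes: ibm.IamAccessGroupPolicyResourceAttributeArray{
		&ibm.IamAccessGroupPolicyResourceAttributeArgs{
			Name:     pulumi.String("string"),
			Value:    pulumi.String("string"),
			Operator: pulumi.String("string"),
		},
	},
	Description: pulumi.String("string"),
	Resources: &ibm.IamAccessGroupPolicyResourcesArgs{
		Attributes: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		Region:             pulumi.String("string"),
		Resource:           pulumi.String("string"),
		ResourceGroupId:    pulumi.String("string"),
		ResourceInstanceId: pulumi.String("string"),
		ResourceType:       pulumi.String("string"),
		Service:            pulumi.String("string"),
		ServiceGroupId:     pulumi.String("string"),
		ServiceType:        pulumi.String("string"),
	},
	AccountManagement: pulumi.Bool(false),
	RuleConditions: ibm.IamAccessGroupPolicyRuleConditionArray{
		&ibm.IamAccessGroupPolicyRuleConditionArgs{
			Operator: pulumi.String("string"),
			Conditions: ibm.IamAccessGroupPolicyRuleConditionConditionArray{
				&ibm.IamAccessGroupPolicyRuleConditionConditionArgs{
					Key:      pulumi.String("string"),
					Operator: pulumi.String("string"),
					Values: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Key: pulumi.String("string"),
			Values: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	RuleOperator: pulumi.String("string"),
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	TransactionId: pulumi.String("string"),
})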
// Reference shape only: every value is a placeholder of the property's type.
// See the Inputs table for what each property controls.
var iamAccessGroupPolicyResource = new IamAccessGroupPolicy("iamAccessGroupPolicyResource", IamAccessGroupPolicyArgs.builder()
    .accessGroupId("string")
    .roles("string")
    .resourceTags(IamAccessGroupPolicyResourceTagArgs.builder()
        .name("string")
        .value("string")
        .operator("string")
        .build())
    .iamAccessGroupPolicyId("string")
    .pattern("string")
    .resourceAttributes(IamAccessGroupPolicyResourceAttributeArgs.builder()
        .name("string")
        .value("string")
        .operator("string")
        .build())
    .description("string")
    .resources(IamAccessGroupPolicyResourcesArgs.builder()
        .attributes(Map.of("string", "string"))
        .region("string")
        .resource("string")
        .resourceGroupId("string")
        .resourceInstanceId("string")
        .resourceType("string")
        .service("string")
        .serviceGroupId("string")
        .serviceType("string")
        .build())
    .accountManagement(false)
    .ruleConditions(IamAccessGroupPolicyRuleConditionArgs.builder()
        .operator("string")
        .conditions(IamAccessGroupPolicyRuleConditionConditionArgs.builder()
            .key("string")
            .operator("string")
            .values("string")
            .build())
        .key("string")
        .values("string")
        .build())
    .ruleOperator("string")
    .tags("string")
    .transactionId("string")
    .build());
# Reference shape only: every value is a placeholder of the property's type.
# See the Inputs table for what each property controls.
iam_access_group_policy_resource = ibm.IamAccessGroupPolicy("iamAccessGroupPolicyResource",
    access_group_id="string",
    roles=["string"],
    resource_tags=[{
        "name": "string",
        "value": "string",
        "operator": "string",
    }],
    iam_access_group_policy_id="string",
    pattern="string",
    resource_attributes=[{
        "name": "string",
        "value": "string",
        "operator": "string",
    }],
    description="string",
    resources={
        "attributes": {
            "string": "string",
        },
        "region": "string",
        "resource": "string",
        "resource_group_id": "string",
        "resource_instance_id": "string",
        "resource_type": "string",
        "service": "string",
        "service_group_id": "string",
        "service_type": "string",
    },
    account_management=False,
    rule_conditions=[{
        "operator": "string",
        "conditions": [{
            "key": "string",
            "operator": "string",
            "values": ["string"],
        }],
        "key": "string",
        "values": ["string"],
    }],
    rule_operator="string",
    tags=["string"],
    transaction_id="string")
// Reference shape only: every value is a placeholder of the property's type.
// See the Inputs table for what each property controls.
const iamAccessGroupPolicyResource = new ibm.IamAccessGroupPolicy("iamAccessGroupPolicyResource", {
    accessGroupId: "string",
    roles: ["string"],
    resourceTags: [{
        name: "string",
        value: "string",
        operator: "string",
    }],
    iamAccessGroupPolicyId: "string",
    pattern: "string",
    resourceAttributes: [{
        name: "string",
        value: "string",
        operator: "string",
    }],
    description: "string",
    resources: {
        attributes: {
            string: "string",
        },
        region: "string",
        resource: "string",
        resourceGroupId: "string",
        resourceInstanceId: "string",
        resourceType: "string",
        service: "string",
        serviceGroupId: "string",
        serviceType: "string",
    },
    accountManagement: false,
    ruleConditions: [{
        operator: "string",
        conditions: [{
            key: "string",
            operator: "string",
            values: ["string"],
        }],
        key: "string",
        values: ["string"],
    }],
    ruleOperator: "string",
    tags: ["string"],
    transactionId: "string",
});
# Reference shape only: every value is a placeholder of the property's type.
# See the Inputs table for what each property controls.
type: ibm:IamAccessGroupPolicy
properties:
    accessGroupId: string
    accountManagement: false
    description: string
    iamAccessGroupPolicyId: string
    pattern: string
    resourceAttributes:
        - name: string
          operator: string
          value: string
    resourceTags:
        - name: string
          operator: string
          value: string
    resources:
        attributes:
            string: string
        region: string
        resource: string
        resourceGroupId: string
        resourceInstanceId: string
        resourceType: string
        service: string
        serviceGroupId: string
        serviceType: string
    roles:
        - string
    ruleConditions:
        - conditions:
            - key: string
              operator: string
              values:
                - string
          key: string
          operator: string
          values:
            - string
    ruleOperator: string
    tags:
        - string
    transactionId: string

IamAccessGroupPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The IamAccessGroupPolicy resource accepts the following input properties:

AccessGroupId This property is required. string
The ID of the access group.
Roles This property is required. List<string>
A list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
AccountManagement bool
Grants access to all account management services when set to true; the default is false. Because this grant is account-wide, do not specify resources at the same time. Note: conflicts with resources and resource_attributes.
Description string
Description of the Policy
IamAccessGroupPolicyId string
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes List<IamAccessGroupPolicyResourceAttribute>

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

ResourceTags List<IamAccessGroupPolicyResourceTag>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

Resources IamAccessGroupPolicyResources

A nested block describing the resource of this policy. Note: conflicts with account_management and resource_attributes.

Nested scheme for resources:

RuleConditions List<IamAccessGroupPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to combine multiple rule conditions; for example, with and every condition must be satisfied.
Tags List<string>
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
AccessGroupId This property is required. string
The ID of the access group.
Roles This property is required. []string
A list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
AccountManagement bool
Grants access to all account management services when set to true; the default is false. Because this grant is account-wide, do not specify resources at the same time. Note: conflicts with resources and resource_attributes.
Description string
Description of the Policy
IamAccessGroupPolicyId string
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes []IamAccessGroupPolicyResourceAttributeArgs

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

ResourceTags []IamAccessGroupPolicyResourceTagArgs

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

Resources IamAccessGroupPolicyResourcesArgs

A nested block describing the resource of this policy. Note: conflicts with account_management and resource_attributes.

Nested scheme for resources:

RuleConditions []IamAccessGroupPolicyRuleConditionArgs

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to combine multiple rule conditions; for example, with and every condition must be satisfied.
Tags []string
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
accessGroupId This property is required. String
The ID of the access group.
roles This property is required. List<String>
A list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
accountManagement Boolean
Grants access to all account management services when set to true; the default is false. Because this grant is account-wide, do not specify resources at the same time. Note: conflicts with resources and resource_attributes.
description String
Description of the Policy
iamAccessGroupPolicyId String
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<IamAccessGroupPolicyResourceAttribute>

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags List<IamAccessGroupPolicyResourceTag>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources IamAccessGroupPolicyResources

A nested block describing the resource of this policy. Note: conflicts with account_management and resource_attributes.

Nested scheme for resources:

ruleConditions List<IamAccessGroupPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to combine multiple rule conditions; for example, with and every condition must be satisfied.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.
accessGroupId This property is required. string
The ID of the access group.
roles This property is required. string[]
A list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
accountManagement boolean
Grants access to all account management services when set to true; the default is false. Because this grant is account-wide, do not specify resources at the same time. Note: conflicts with resources and resource_attributes.
description string
Description of the Policy
iamAccessGroupPolicyId string
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes IamAccessGroupPolicyResourceAttribute[]

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags IamAccessGroupPolicyResourceTag[]

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources IamAccessGroupPolicyResources

A nested block describing the resource of this policy. Note: conflicts with account_management and resource_attributes.

Nested scheme for resources:

ruleConditions IamAccessGroupPolicyRuleCondition[]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator string
The operator used to combine multiple rule conditions; for example, with and every condition must be satisfied.
tags string[]
transactionId string
The TransactionID can be passed to your request for tracking the calls.
access_group_id This property is required. str
The ID of the access group.
roles This property is required. Sequence[str]
A list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
account_management bool
Grants access to all account management services when set to true; the default is false. Because this grant is account-wide, do not specify resources at the same time. Note: conflicts with resources and resource_attributes.
description str
Description of the Policy
iam_access_group_policy_id str
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern str
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resource_attributes Sequence[IamAccessGroupPolicyResourceAttributeArgs]

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resource_tags Sequence[IamAccessGroupPolicyResourceTagArgs]

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources IamAccessGroupPolicyResourcesArgs

A nested block describing the resource of this policy. Note: conflicts with account_management and resource_attributes.

Nested scheme for resources:

rule_conditions Sequence[IamAccessGroupPolicyRuleConditionArgs]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

rule_operator str
The operator used to combine multiple rule conditions; for example, with and every condition must be satisfied.
tags Sequence[str]
transaction_id str
The TransactionID can be passed to your request for tracking the calls.
accessGroupId This property is required. String
The ID of the access group.
roles This property is required. List<String>
A list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
accountManagement Boolean
Grants access to all account management services when set to true; the default is false. Because this grant is account-wide, do not specify resources at the same time. Note: conflicts with resources and resource_attributes.
description String
Description of the Policy
iamAccessGroupPolicyId String
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<Property Map>

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags List<Property Map>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources Property Map

A nested block describing the resource of this policy. Note: conflicts with account_management and resource_attributes.

Nested scheme for resources:

ruleConditions List<Property Map>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to combine multiple rule conditions; for example, with and every condition must be satisfied.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.

Outputs

All input properties are implicitly available as output properties. Additionally, the IamAccessGroupPolicy resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Version string
(String) The version of the access group policy.
Id string
The provider-assigned unique ID for this managed resource.
Version string
(String) The version of the access group policy.
id String
The provider-assigned unique ID for this managed resource.
version String
(String) The version of the access group policy.
id string
The provider-assigned unique ID for this managed resource.
version string
(String) The version of the access group policy.
id str
The provider-assigned unique ID for this managed resource.
version str
(String) The version of the access group policy.
id String
The provider-assigned unique ID for this managed resource.
version String
(String) The version of the access group policy.

Look up Existing IamAccessGroupPolicy Resource

Get an existing IamAccessGroupPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IamAccessGroupPolicyState, opts?: CustomResourceOptions): IamAccessGroupPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_group_id: Optional[str] = None,
        account_management: Optional[bool] = None,
        description: Optional[str] = None,
        iam_access_group_policy_id: Optional[str] = None,
        pattern: Optional[str] = None,
        resource_attributes: Optional[Sequence[IamAccessGroupPolicyResourceAttributeArgs]] = None,
        resource_tags: Optional[Sequence[IamAccessGroupPolicyResourceTagArgs]] = None,
        resources: Optional[IamAccessGroupPolicyResourcesArgs] = None,
        roles: Optional[Sequence[str]] = None,
        rule_conditions: Optional[Sequence[IamAccessGroupPolicyRuleConditionArgs]] = None,
        rule_operator: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        transaction_id: Optional[str] = None,
        version: Optional[str] = None) -> IamAccessGroupPolicy
func GetIamAccessGroupPolicy(ctx *Context, name string, id IDInput, state *IamAccessGroupPolicyState, opts ...ResourceOption) (*IamAccessGroupPolicy, error)
public static IamAccessGroupPolicy Get(string name, Input<string> id, IamAccessGroupPolicyState? state, CustomResourceOptions? opts = null)
public static IamAccessGroupPolicy get(String name, Output<String> id, IamAccessGroupPolicyState state, CustomResourceOptions options)
resources:  _:    type: ibm:IamAccessGroupPolicy    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessGroupId string
The ID of the access group.
AccountManagement bool
Set to true to scope the policy to all account management services instead of a specific resource. Default value is false. Because this scope is account-wide, pair it only with the narrowest role that is needed — an Administrator role on this scope effectively lets group members manage the account's own access configuration. Note Conflicts with resources and resource_attributes; do not specify them together.
Description string
Description of the Policy
IamAccessGroupPolicyId string
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes List<IamAccessGroupPolicyResourceAttribute>

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

ResourceTags List<IamAccessGroupPolicyResourceTag>

A nested block describing the access management tags that scope this policy: the policy applies to every resource that carries a matching tag, so treat the ability to attach access management tags as a privileged operation. Note resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

Resources IamAccessGroupPolicyResources

A nested block describing the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

Roles List<string>
A list of roles to grant to the access group. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. Grant the least-privileged role that covers the required actions; Administrator is the broadest platform role, so assign it only where members genuinely need to manage access to the resource. For more information about supported service-specific roles, see IAM roles and actions.
RuleConditions List<IamAccessGroupPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to combine multiple rule conditions, for example and, which requires every condition to be satisfied before the policy applies.
Tags List<string>
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
Version string
(String) The version of the access group policy.
AccessGroupId string
The ID of the access group.
AccountManagement bool
Set to true to scope the policy to all account management services instead of a specific resource. Default value is false. Because this scope is account-wide, pair it only with the narrowest role that is needed — an Administrator role on this scope effectively lets group members manage the account's own access configuration. Note Conflicts with resources and resource_attributes; do not specify them together.
Description string
Description of the Policy
IamAccessGroupPolicyId string
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes []IamAccessGroupPolicyResourceAttributeArgs

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

ResourceTags []IamAccessGroupPolicyResourceTagArgs

A nested block describing the access management tags that scope this policy: the policy applies to every resource that carries a matching tag, so treat the ability to attach access management tags as a privileged operation. Note resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

Resources IamAccessGroupPolicyResourcesArgs

A nested block describing the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

Roles []string
A list of roles to grant to the access group. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. Grant the least-privileged role that covers the required actions; Administrator is the broadest platform role, so assign it only where members genuinely need to manage access to the resource. For more information about supported service-specific roles, see IAM roles and actions.
RuleConditions []IamAccessGroupPolicyRuleConditionArgs

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to combine multiple rule conditions, for example and, which requires every condition to be satisfied before the policy applies.
Tags []string
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
Version string
(String) The version of the access group policy.
accessGroupId String
The ID of the access group.
accountManagement Boolean
Set to true to scope the policy to all account management services instead of a specific resource. Default value is false. Because this scope is account-wide, pair it only with the narrowest role that is needed — an Administrator role on this scope effectively lets group members manage the account's own access configuration. Note Conflicts with resources and resource_attributes; do not specify them together.
description String
Description of the Policy
iamAccessGroupPolicyId String
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<IamAccessGroupPolicyResourceAttribute>

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags List<IamAccessGroupPolicyResourceTag>

A nested block describing the access management tags that scope this policy: the policy applies to every resource that carries a matching tag, so treat the ability to attach access management tags as a privileged operation. Note resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources IamAccessGroupPolicyResources

A nested block describing the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

roles List<String>
A list of roles to grant to the access group. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. Grant the least-privileged role that covers the required actions; Administrator is the broadest platform role, so assign it only where members genuinely need to manage access to the resource. For more information about supported service-specific roles, see IAM roles and actions.
ruleConditions List<IamAccessGroupPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to combine multiple rule conditions, for example and, which requires every condition to be satisfied before the policy applies.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.
version String
(String) The version of the access group policy.
accessGroupId string
The ID of the access group.
accountManagement boolean
Set to true to scope the policy to all account management services instead of a specific resource. Default value is false. Because this scope is account-wide, pair it only with the narrowest role that is needed — an Administrator role on this scope effectively lets group members manage the account's own access configuration. Note Conflicts with resources and resource_attributes; do not specify them together.
description string
Description of the Policy
iamAccessGroupPolicyId string
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes IamAccessGroupPolicyResourceAttribute[]

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags IamAccessGroupPolicyResourceTag[]

A nested block describing the access management tags that scope this policy: the policy applies to every resource that carries a matching tag, so treat the ability to attach access management tags as a privileged operation. Note resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources IamAccessGroupPolicyResources

A nested block describing the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

roles string[]
A list of roles to grant to the access group. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. Grant the least-privileged role that covers the required actions; Administrator is the broadest platform role, so assign it only where members genuinely need to manage access to the resource. For more information about supported service-specific roles, see IAM roles and actions.
ruleConditions IamAccessGroupPolicyRuleCondition[]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator string
The operator used to combine multiple rule conditions, for example and, which requires every condition to be satisfied before the policy applies.
tags string[]
transactionId string
The TransactionID can be passed to your request for tracking the calls.
version string
(String) The version of the access group policy.
access_group_id str
The ID of the access group.
account_management bool
Set to true to scope the policy to all account management services instead of a specific resource. Default value is false. Because this scope is account-wide, pair it only with the narrowest role that is needed — an Administrator role on this scope effectively lets group members manage the account's own access configuration. Note Conflicts with resources and resource_attributes; do not specify them together.
description str
Description of the Policy
iam_access_group_policy_id str
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern str
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resource_attributes Sequence[IamAccessGroupPolicyResourceAttributeArgs]

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resource_tags Sequence[IamAccessGroupPolicyResourceTagArgs]

A nested block describing the access management tags that scope this policy: the policy applies to every resource that carries a matching tag, so treat the ability to attach access management tags as a privileged operation. Note resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources IamAccessGroupPolicyResourcesArgs

A nested block describing the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

roles Sequence[str]
A list of roles to grant to the access group. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. Grant the least-privileged role that covers the required actions; Administrator is the broadest platform role, so assign it only where members genuinely need to manage access to the resource. For more information about supported service-specific roles, see IAM roles and actions.
rule_conditions Sequence[IamAccessGroupPolicyRuleConditionArgs]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

rule_operator str
The operator used to combine multiple rule conditions, for example and, which requires every condition to be satisfied before the policy applies.
tags Sequence[str]
transaction_id str
The TransactionID can be passed to your request for tracking the calls.
version str
(String) The version of the access group policy.
accessGroupId String
The ID of the access group.
accountManagement Boolean
Set to true to scope the policy to all account management services instead of a specific resource. Default value is false. Because this scope is account-wide, pair it only with the narrowest role that is needed — an Administrator role on this scope effectively lets group members manage the account's own access configuration. Note Conflicts with resources and resource_attributes; do not specify them together.
description String
Description of the Policy
iamAccessGroupPolicyId String
(String) The unique identifier of the access group policy. The ID is composed of <access_group_id>/<access_group_policy_id>.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<Property Map>

A nested block describing the resource of this policy. Note Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags List<Property Map>

A nested block describing the access management tags that scope this policy: the policy applies to every resource that carries a matching tag, so treat the ability to attach access management tags as a privileged operation. Note resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested scheme for resource_tags:

resources Property Map

A nested block describing the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

roles List<String>
A list of roles to grant to the access group. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. Grant the least-privileged role that covers the required actions; Administrator is the broadest platform role, so assign it only where members genuinely need to manage access to the resource. For more information about supported service-specific roles, see IAM roles and actions.
ruleConditions List<Property Map>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to combine multiple rule conditions, for example and, which requires every condition to be satisfied before the policy applies.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.
version String
(String) The version of the access group policy.

Supporting Types

IamAccessGroupPolicyResourceAttribute
, IamAccessGroupPolicyResourceAttributeArgs

Name This property is required. string
Name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
Value This property is required. string
Value of an attribute.
Operator string
Operator of an attribute. Default value is stringEquals. Note Conflicts with account_management and resources.
Name This property is required. string
Name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
Value This property is required. string
Value of an attribute.
Operator string
Operator of an attribute. Default value is stringEquals. Note Conflicts with account_management and resources.
name This property is required. String
Name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. String
Value of an attribute.
operator String
Operator of an attribute. Default value is stringEquals. Note Conflicts with account_management and resources.
name This property is required. string
Name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. string
Value of an attribute.
operator string
Operator of an attribute. Default value is stringEquals. Note Conflicts with account_management and resources.
name This property is required. str
Name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. str
Value of an attribute.
operator str
Operator of an attribute. Default value is stringEquals. Note Conflicts with account_management and resources.
name This property is required. String
Name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. String
Value of an attribute.
operator String
Operator of an attribute. Default value is stringEquals. Note Conflicts with account_management and resources.

IamAccessGroupPolicyResourceTag
, IamAccessGroupPolicyResourceTagArgs

Name This property is required. string
The key of an access management tag.
Value This property is required. string
The value of an access management tag.
Operator string
Operator of an attribute. The default value is stringEquals.
Name This property is required. string
The key of an access management tag.
Value This property is required. string
The value of an access management tag.
Operator string
Operator of an attribute. The default value is stringEquals.
name This property is required. String
The key of an access management tag.
value This property is required. String
The value of an access management tag.
operator String
Operator of an attribute. The default value is stringEquals.
name This property is required. string
The key of an access management tag.
value This property is required. string
The value of an access management tag.
operator string
Operator of an attribute. The default value is stringEquals.
name This property is required. str
The key of an access management tag.
value This property is required. str
The value of an access management tag.
operator str
Operator of an attribute. The default value is stringEquals.
name This property is required. String
The key of an access management tag.
value This property is required. String
The value of an access management tag.
operator String
Operator of an attribute. The default value is stringEquals.

IamAccessGroupPolicyResources
, IamAccessGroupPolicyResourcesArgs

Attributes Dictionary<string, string>
Set resource attributes in the form of name=value,name=value. If you set this option, do not specify account_management at the same time.
Region string
The region of the policy definition.
Resource string
The resource of the policy definition.

  • resources.resource_group_id - (Optional, String) The ID of the resource group. To retrieve the ID, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
ResourceGroupId string
ID of the resource group.
ResourceInstanceId string
The ID of resource instance of the policy definition.
ResourceType string
The resource type of the policy definition.
Service string
The service name that you want to include in your policy definition. For account management services, you can find supported values in the documentation. For other services, run the ibmcloud catalog service-marketplace command and retrieve the value from the Name column of your command line output. Attributes service, service_type are mutually exclusive.
ServiceGroupId string
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
ServiceType string
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
Attributes map[string]string
Set resource attributes in the form of name=value,name=value. If you set this option, do not specify account_management at the same time.
Region string
The region of the policy definition.
Resource string
The resource of the policy definition.

  • resources.resource_group_id - (Optional, String) The ID of the resource group. To retrieve the ID, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
ResourceGroupId string
ID of the resource group.
ResourceInstanceId string
The ID of resource instance of the policy definition.
ResourceType string
The resource type of the policy definition.
Service string
The service name that you want to include in your policy definition. For account management services, you can find supported values in the documentation. For other services, run the ibmcloud catalog service-marketplace command and retrieve the value from the Name column of your command line output. Attributes service, service_type are mutually exclusive.
ServiceGroupId string
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
ServiceType string
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes Map<String,String>
Set resource attributes in the form of name=value,name=value. If you set this option, do not specify account_management at the same time.
region String
The region of the policy definition.
resource String
The resource of the policy definition.

  • resources.resource_group_id - (Optional, String) The ID of the resource group. To retrieve the ID, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resourceGroupId String
ID of the resource group.
resourceInstanceId String
The ID of resource instance of the policy definition.
resourceType String
The resource type of the policy definition.
service String
The service name that you want to include in your policy definition. For account management services, you can find supported values in the documentation. For other services, run the ibmcloud catalog service-marketplace command and retrieve the value from the Name column of your command line output. Attributes service, service_type are mutually exclusive.
serviceGroupId String
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
serviceType String
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes {[key: string]: string}
Set resource attributes in the form of name=value,name=value. If you set this option, do not specify account_management at the same time.
region string
The region of the policy definition.
resource string
The resource of the policy definition.

  • resources.resource_group_id - (Optional, String) The ID of the resource group. To retrieve the ID, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resourceGroupId string
ID of the resource group.
resourceInstanceId string
The ID of resource instance of the policy definition.
resourceType string
The resource type of the policy definition.
service string
The service name that you want to include in your policy definition. For account management services, you can find supported values in the documentation. For other services, run the ibmcloud catalog service-marketplace command and retrieve the value from the Name column of your command line output. Attributes service, service_type are mutually exclusive.
serviceGroupId string
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
serviceType string
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes Mapping[str, str]
Set resource attributes in the form of name=value,name=value. If you set this option, do not specify account_management at the same time.
region str
The region of the policy definition.
resource str
The resource of the policy definition.

  • resources.resource_group_id - (Optional, String) The ID of the resource group. To retrieve the ID, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resource_group_id str
ID of the resource group.
resource_instance_id str
The ID of resource instance of the policy definition.
resource_type str
The resource type of the policy definition.
service str
The service name that you want to include in your policy definition. For account management services, you can find supported values in the documentation. For other services, run the ibmcloud catalog service-marketplace command and retrieve the value from the Name column of your command line output. Attributes service, service_type are mutually exclusive.
service_group_id str
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
service_type str
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes Map<String>
Set resource attributes in the form of name=value,name=value. If you set this option, do not specify account_management at the same time.
region String
The region of the policy definition.
resource String
The resource of the policy definition.

  • resources.resource_group_id - (Optional, String) The ID of the resource group. To retrieve the ID, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resourceGroupId String
ID of the resource group.
resourceInstanceId String
The ID of resource instance of the policy definition.
resourceType String
The resource type of the policy definition.
service String
The service name that you want to include in your policy definition. For account management services, you can find supported values in the documentation. For other services, run the ibmcloud catalog service-marketplace command and retrieve the value from the Name column of your command line output. Attributes service, service_type are mutually exclusive.
serviceGroupId String
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
serviceType String
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.

IamAccessGroupPolicyRuleCondition
, IamAccessGroupPolicyRuleConditionArgs

Operator This property is required. string
The operator of a rule condition.
Conditions List<IamAccessGroupPolicyRuleConditionCondition>

A nested block describing additional conditions of this policy.

Nested schema for conditions:

Key string
The key of a rule condition.
Values List<string>
The value of a rule condition.
Operator This property is required. string
The operator of a rule condition.
Conditions []IamAccessGroupPolicyRuleConditionCondition

A nested block describing additional conditions of this policy.

Nested schema for conditions:

Key string
The key of a rule condition.
Values []string
The value of a rule condition.
operator This property is required. String
The operator of a rule condition.
conditions List<IamAccessGroupPolicyRuleConditionCondition>

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key String
The key of a rule condition.
values List<String>
The value of a rule condition.
operator This property is required. string
The operator of a rule condition.
conditions IamAccessGroupPolicyRuleConditionCondition[]

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key string
The key of a rule condition.
values string[]
The value of a rule condition.
operator This property is required. str
The operator of a rule condition.
conditions Sequence[IamAccessGroupPolicyRuleConditionCondition]

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key str
The key of a rule condition.
values Sequence[str]
The value of a rule condition.
operator This property is required. String
The operator of a rule condition.
conditions List<Property Map>

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key String
The key of a rule condition.
values List<String>
The value of a rule condition.

IamAccessGroupPolicyRuleConditionCondition
, IamAccessGroupPolicyRuleConditionConditionArgs

Key This property is required. string
The key of a condition.
Operator This property is required. string
The operator of a condition.
Values This property is required. List<string>
The value of a condition.
Key This property is required. string
The key of a condition.
Operator This property is required. string
The operator of a condition.
Values This property is required. []string
The value of a condition.
key This property is required. String
The key of a condition.
operator This property is required. String
The operator of a condition.
values This property is required. List<String>
The value of a condition.
key This property is required. string
The key of a condition.
operator This property is required. string
The operator of a condition.
values This property is required. string[]
The value of a condition.
key This property is required. str
The key of a condition.
operator This property is required. str
The operator of a condition.
values This property is required. Sequence[str]
The value of a condition.
key This property is required. String
The key of a condition.
operator This property is required. String
The operator of a condition.
values This property is required. List<String>
The value of a condition.

Import

The ibm_iam_access_group_policy resource can be imported by using the access group ID and the access group policy ID, joined with a slash (<access_group_ID>/<access_group_policy_ID>).

Syntax

$ pulumi import ibm:index/iamAccessGroupPolicy:IamAccessGroupPolicy example <access_group_ID>/<access_group_policy_ID>

Example

$ pulumi import ibm:index/iamAccessGroupPolicy:IamAccessGroupPolicy example AccessGroupId-1148204e-6ef2-4ce1-9fd2-05e82a390fcf/bf5d6807-371e-4755-a282-64ebf575b80a

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
ibm ibm-cloud/terraform-provider-ibm
License
Notes
This Pulumi package is based on the ibm Terraform Provider.