google_iam_policy

Generates an IAM policy document that may be referenced by and applied to other Google Cloud Platform resources, such as the google_project resource.

data "google_iam_policy" "admin" {
  binding {
    role = "roles/compute.instanceAdmin"
    members = [
      "serviceAccount:[email protected]",
    ]
  }
  binding {
    role = "roles/storage.objectViewer"
    members = [
      "user:[email protected]",
    ]
  }
}

This data source is used to define IAM policies to apply to othe resources. Currently, defining a policy through a datasource and referencing that policy from another resource is the only way to apply an IAM policy to a resource.

Argument Reference

The following arguments are supported:

• binding (Required) - A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding arguments are supported.

Each document configuration must have one or more binding blocks, which each accept the following arguments:

• role (Required) - The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles.
• members (Required) - An array of users/principals that will be granted the privilege in the role. For a human user, prefix the user’s e-mail address with user: (e.g., user:[email protected]). For a service account, prefix the service account e-mail address with serviceAccount: (e.g., serviceAccount:[email protected]).

Attributes Reference

The following attribute is exported:

• policy_data - The above bindings serialized in a format suitable for referencing from a resource that supports IAM.

See the source of this document at Terraform.io