# Lookup tables. Strings of the form "$<table>:<key>" used elsewhere in this
# file (e.g. "$pubsub_topics:test") name entries of these maps; the
# substitution itself is presumably done by the consuming module - confirm there.
# All identifiers below look like test placeholders (example.com, test-*).
context = {
  condition_vars = {
    organization = {
      id = 1234567890
    }
  }
  custom_roles = {
    myrole_one = "organizations/366118655033/roles/myRoleOne"
    myrole_two = "organizations/366118655033/roles/myRoleTwo"
  }
  email_addresses = {
    default = "foo@example.com"
  }
  folder_ids = {
    "test/prod" = "folders/6789012345"
  }
  kms_keys = {
    compute-prod-ew1 = "projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute"
  }
  # Principals carry their IAM member-type prefix (group:, serviceAccount:, user:).
  iam_principals = {
    mygroup = "group:test-group@example.com"
    mysa    = "serviceAccount:test@test-project.iam.gserviceaccount.com"
    myuser  = "user:test-user@example.com"
  }
  project_ids = {
    vpc-host = "test-vpc-host"
  }
  tag_keys = {
    test = "tagKeys/1234567890"
  }
  tag_values = {
    "test/one" = "tagValues/1234567890"
  }
  tag_vars = {
    projects = {
      "test-00" = {
        test = "foo-test-0/dynamic_test"
      }
    }
  }
  log_buckets = {
    audit = "logging.googleapis.com/projects/my-project/locations/global/buckets/audit-bucket"
  }
  notification_channels = {
    email = "projects/my-project/notificationChannels/12345"
  }
  vpc_sc_perimeters = {
    default = "accessPolicies/888933661165/servicePerimeters/default"
  }
  pubsub_topics = {
    test = "projects/test-prod-audit-logs-0/topics/audit-logs"
  }
}

# Monitoring alert on GCE CPU utilization, routed to the pre-existing "email"
# channel from context.notification_channels.
alerts = {
  test-alert = {
    combiner     = "OR"
    display_name = "Test Alert"
    conditions = [
      {
        display_name = "test-condition"
        condition_threshold = {
          comparison = "COMPARISON_GT"
          duration   = "60s"
          filter     = "resource.type=\"gce_instance\" AND metric.type=\"compute.googleapis.com/instance/cpu/utilization\""
        }
      }
    ]
    notification_channels = ["$notification_channels:email"]
  }
}

# Log-based metric scoped to the audit log bucket from context.log_buckets.
logging_metrics = {
  test-metric = {
    filter      = "resource.type=\"gce_instance\""
    bucket_name = "$log_buckets:audit"
  }
}

# Channel definitions keyed by name; distinct from the lookup table of the
# same name inside `context`, which holds ids of already existing channels.
notification_channels = {
  new-email = {
    type = "email"
    labels = {
      email_address = "$email_addresses:default"
    }
  }
  new-pubsub = {
    type = "pubsub"
    labels = {
      topic = "$pubsub_topics:test"
    }
  }
}

# Asset feed publishing to the same Pub/Sub topic the log sink in this file uses.
asset_feeds = {
  test = {
    billing_project = "test-project"
    feed_output_config = {
      pubsub_destination = {
        topic = "$pubsub_topics:test"
      }
    }
  }
}
# Project-level settings. "$<table>:<key>" strings name entries of the
# `context` maps defined earlier in this file. "$service_agents:*" has no
# table there, so it is presumably resolved by the consuming module - confirm.
contacts = {
  "$email_addresses:default" = ["ALL"]
}

# Role -> members map.
iam = {
  "$custom_roles:myrole_one" = ["$iam_principals:myuser"]
  "roles/viewer"             = ["$iam_principals:mysa"]
}

# Principal -> roles map.
# NOTE(review): roles/owner is a basic role with very broad permissions. It
# makes most other grants to this group in the file redundant; acceptable in a
# fixture, but a real configuration would normally use narrower roles.
iam_by_principals = {
  "$iam_principals:mygroup" = [
    "roles/owner",
    "$custom_roles:myrole_one",
  ]
}

# "$${" is the HCL escape for a literal "${", so the expression reaches the
# consumer as "${organization.id}/environment"; presumably filled from
# context.condition_vars - confirm.
iam_bindings = {
  myrole_two = {
    role    = "$custom_roles:myrole_two"
    members = ["$iam_principals:mysa"]
    condition = {
      title      = "Test"
      expression = "resource.matchTag('$${organization.id}/environment', 'development')"
    }
  }
}

iam_bindings_additive = {
  myrole_two = {
    role   = "$custom_roles:myrole_two"
    member = "$iam_principals:myuser"
  }
  sa_test = {
    role   = "roles/browser"
    member = "$service_agents:compute"
  }
}

# Data Access audit log settings for all services.
# NOTE(review): ADMIN_READ exempts mygroup, so that group's admin-read calls
# would not be recorded, and it is the same group that holds roles/owner
# above. DATA_READ has no exemptions; DATA_WRITE is not listed here.
logging_data_access = {
  allServices = {
    ADMIN_READ = {
      exempted_members = ["$iam_principals:mygroup"]
    }
    DATA_READ = {}
  }
}

# Exports Admin Activity audit logs (log id cloudaudit.googleapis.com/activity)
# to the Pub/Sub topic from context.pubsub_topics.
logging_sinks = {
  test-pubsub = {
    destination = "$pubsub_topics:test"
    filter      = "log_id('cloudaudit.googleapis.com/activity')"
    type        = "pubsub"
  }
}

# Privileged access entitlement: requests last at most 3600s and need a
# justified manual approval.
# NOTE(review): approvers and eligible_users are the same group; confirm the
# intended separation of duties before reusing this shape outside tests.
pam_entitlements = {
  net-admins = {
    max_request_duration = "3600s"
    manual_approvals = {
      require_approver_justification = true
      steps = [
        {
          approvers = ["$iam_principals:mygroup"]
        }
      ]
    }
    eligible_users = ["$iam_principals:mygroup"]
    privileged_access = [
      { role = "roles/compute.networkAdmin" },
      { role = "roles/compute.admin" },
      { role = "$custom_roles:myrole_two" },
    ]
  }
}

parent = "$folder_ids:test/prod"

services = ["compute.googleapis.com"]

# Customer-managed encryption key for Compute, taken from context.kms_keys.
service_encryption_key_ids = {
  "compute.googleapis.com" = ["$kms_keys:compute-prod-ew1"]
}

# Attachment to the Shared VPC host project plus grants made on that host.
shared_vpc_service_config = {
  host_project = "$project_ids:vpc-host"
  iam_bindings_additive = {
    myrole_two = {
      role   = "$custom_roles:myrole_two"
      member = "$iam_principals:myuser"
    }
  }
  network_users = ["$iam_principals:mysa"]
  service_agent_iam = {
    "roles/compute.networkUser" = [
      "$service_agents:cloudservices",
      "$service_agents:compute",
    ]
  }
  service_iam_grants = ["$service_agents:compute"]
}

# Time-bound grant. The cutoff 2021-01-01T00:00:00Z is in the past, so the
# condition is never true for present-day requests and these roles are
# effectively not granted; the fixture only exercises the binding's shape.
iam_by_principals_conditional = {
  "$iam_principals:myuser" = {
    roles = [
      "roles/storage.admin",
      "$custom_roles:myrole_one",
      "$custom_roles:myrole_two",
    ]
    condition = {
      title       = "expires_after_2020_12_31"
      description = "Expiring at midnight of 2020-12-31"
      expression  = "request.time < timestamp(\"2021-01-01T00:00:00Z\")"
    }
  }
}

# Three reference styles: a literal tag value id, a context lookup, and an
# escaped "${...}" template that matches context.tag_vars.projects["test-00"].test.
tag_bindings = {
  bar = "tagValues/1234567891"
  baz = "$tag_values:test/one"
  foo = "$${projects[\"test-00\"].test}/cc-123"
}

# IAM on a tag key and on one of its values; both carry the same three grants.
tags = {
  test = {
    id = "$tag_keys:test"
    iam = {
      "roles/tagAdmin" = ["$iam_principals:mygroup"]
    }
    iam_bindings = {
      tag_user = {
        role    = "roles/tagUser"
        members = ["$iam_principals:myuser"]
      }
    }
    iam_bindings_additive = {
      tag_viewer = {
        role   = "roles/tagViewer"
        member = "$iam_principals:mysa"
      }
    }
    values = {
      one = {
        id = "$tag_values:test/one"
        iam = {
          "roles/tagAdmin" = ["$iam_principals:mygroup"]
        }
        iam_bindings = {
          tag_user = {
            role    = "roles/tagUser"
            members = ["$iam_principals:myuser"]
          }
        }
        iam_bindings_additive = {
          tag_viewer = {
            role   = "roles/tagViewer"
            member = "$iam_principals:mysa"
          }
        }
      }
    }
  }
}

vpc_sc = {
  perimeter_name = "$vpc_sc_perimeters:default"
}

# Deny rule: myuser may not create Compute instances on resources tagged
# environment=development. mygroup is listed as an exception, so membership
# of that group bypasses the deny.
iam_deny_policies = {
  test-policy = {
    display_name = "Test Deny Policy"
    rules = [
      {
        description          = "Test Rule"
        denied_principals    = ["$iam_principals:myuser"]
        denied_permissions   = ["compute.googleapis.com/instances.create"]
        exception_principals = ["$iam_principals:mygroup"]
        denial_condition = {
          title      = "Test Condition"
          expression = "resource.matchTag('$${organization.id}/environment', 'development')"
        }
      }
    ]
  }
}