pulumi-gcp 7.30.0a1719903049__py3-none-any.whl → 7.30.0a1720039709__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. pulumi_gcp/compute/region_disk_iam_binding.py +122 -95
  2. pulumi_gcp/compute/region_disk_iam_member.py +122 -95
  3. pulumi_gcp/compute/region_disk_iam_policy.py +115 -88
  4. pulumi_gcp/gkebackup/restore_plan_iam_binding.py +328 -953
  5. pulumi_gcp/gkebackup/restore_plan_iam_member.py +328 -953
  6. pulumi_gcp/gkebackup/restore_plan_iam_policy.py +238 -953
  7. pulumi_gcp/networksecurity/address_group_iam_binding.py +289 -2
  8. pulumi_gcp/networksecurity/address_group_iam_member.py +289 -2
  9. pulumi_gcp/pulumi-plugin.json +1 -1
  10. pulumi_gcp/sourcerepo/repository_iam_binding.py +92 -83
  11. pulumi_gcp/sourcerepo/repository_iam_member.py +92 -83
  12. pulumi_gcp/sourcerepo/repository_iam_policy.py +85 -76
  13. {pulumi_gcp-7.30.0a1719903049.dist-info → pulumi_gcp-7.30.0a1720039709.dist-info}/METADATA +1 -1
  14. {pulumi_gcp-7.30.0a1719903049.dist-info → pulumi_gcp-7.30.0a1720039709.dist-info}/RECORD +16 -16
  15. {pulumi_gcp-7.30.0a1719903049.dist-info → pulumi_gcp-7.30.0a1720039709.dist-info}/WHEEL +0 -0
  16. {pulumi_gcp-7.30.0a1719903049.dist-info → pulumi_gcp-7.30.0a1720039709.dist-info}/top_level.txt +0 -0
pulumi_gcp/gkebackup/restore_plan_iam_member.py CHANGED
@@ -29,8 +29,27 @@ class RestorePlanIamMemberArgs:
29
29
  project: Optional[pulumi.Input[str]] = None):
30
30
  """
31
31
  The set of arguments for constructing a RestorePlanIamMember resource.
32
+ :param pulumi.Input[str] member: Identities that will be granted the privilege in `role`.
33
+ Each entry can have one of the following values:
34
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
35
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
36
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
37
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
38
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
39
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
40
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
41
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
42
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
43
+ :param pulumi.Input[str] role: The role that should be applied. Only one
44
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
45
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
32
46
  :param pulumi.Input[str] location: The region of the Restore Plan.
33
- :param pulumi.Input[str] name: The full name of the BackupPlan Resource.
47
+ Used to find the parent resource to bind the IAM policy to. If not specified,
48
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
49
+ location is specified, it is taken from the provider configuration.
50
+ :param pulumi.Input[str] name: Used to find the parent resource to bind the IAM policy to
51
+ :param pulumi.Input[str] project: The ID of the project in which the resource belongs.
52
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
34
53
  """
35
54
  pulumi.set(__self__, "member", member)
36
55
  pulumi.set(__self__, "role", role)
@@ -46,6 +65,19 @@ class RestorePlanIamMemberArgs:
46
65
  @property
47
66
  @pulumi.getter
48
67
  def member(self) -> pulumi.Input[str]:
68
+ """
69
+ Identities that will be granted the privilege in `role`.
70
+ Each entry can have one of the following values:
71
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
72
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
73
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
74
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
75
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
76
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
77
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
78
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
79
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
80
+ """
49
81
  return pulumi.get(self, "member")
50
82
 
51
83
  @member.setter
@@ -55,6 +87,11 @@ class RestorePlanIamMemberArgs:
55
87
  @property
56
88
  @pulumi.getter
57
89
  def role(self) -> pulumi.Input[str]:
90
+ """
91
+ The role that should be applied. Only one
92
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
93
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
94
+ """
58
95
  return pulumi.get(self, "role")
59
96
 
60
97
  @role.setter
@@ -75,6 +112,9 @@ class RestorePlanIamMemberArgs:
75
112
  def location(self) -> Optional[pulumi.Input[str]]:
76
113
  """
77
114
  The region of the Restore Plan.
115
+ Used to find the parent resource to bind the IAM policy to. If not specified,
116
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
117
+ location is specified, it is taken from the provider configuration.
78
118
  """
79
119
  return pulumi.get(self, "location")
80
120
 
@@ -86,7 +126,7 @@ class RestorePlanIamMemberArgs:
86
126
  @pulumi.getter
87
127
  def name(self) -> Optional[pulumi.Input[str]]:
88
128
  """
89
- The full name of the BackupPlan Resource.
129
+ Used to find the parent resource to bind the IAM policy to
90
130
  """
91
131
  return pulumi.get(self, "name")
92
132
 
@@ -97,6 +137,10 @@ class RestorePlanIamMemberArgs:
97
137
  @property
98
138
  @pulumi.getter
99
139
  def project(self) -> Optional[pulumi.Input[str]]:
140
+ """
141
+ The ID of the project in which the resource belongs.
142
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
143
+ """
100
144
  return pulumi.get(self, "project")
101
145
 
102
146
  @project.setter
@@ -116,8 +160,28 @@ class _RestorePlanIamMemberState:
116
160
  role: Optional[pulumi.Input[str]] = None):
117
161
  """
118
162
  Input properties used for looking up and filtering RestorePlanIamMember resources.
163
+ :param pulumi.Input[str] etag: (Computed) The etag of the IAM policy.
119
164
  :param pulumi.Input[str] location: The region of the Restore Plan.
120
- :param pulumi.Input[str] name: The full name of the BackupPlan Resource.
165
+ Used to find the parent resource to bind the IAM policy to. If not specified,
166
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
167
+ location is specified, it is taken from the provider configuration.
168
+ :param pulumi.Input[str] member: Identities that will be granted the privilege in `role`.
169
+ Each entry can have one of the following values:
170
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
171
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
172
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
173
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
174
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
175
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
176
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
177
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
178
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
179
+ :param pulumi.Input[str] name: Used to find the parent resource to bind the IAM policy to
180
+ :param pulumi.Input[str] project: The ID of the project in which the resource belongs.
181
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
182
+ :param pulumi.Input[str] role: The role that should be applied. Only one
183
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
184
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
121
185
  """
122
186
  if condition is not None:
123
187
  pulumi.set(__self__, "condition", condition)
@@ -146,6 +210,9 @@ class _RestorePlanIamMemberState:
146
210
  @property
147
211
  @pulumi.getter
148
212
  def etag(self) -> Optional[pulumi.Input[str]]:
213
+ """
214
+ (Computed) The etag of the IAM policy.
215
+ """
149
216
  return pulumi.get(self, "etag")
150
217
 
151
218
  @etag.setter
@@ -157,6 +224,9 @@ class _RestorePlanIamMemberState:
157
224
  def location(self) -> Optional[pulumi.Input[str]]:
158
225
  """
159
226
  The region of the Restore Plan.
227
+ Used to find the parent resource to bind the IAM policy to. If not specified,
228
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
229
+ location is specified, it is taken from the provider configuration.
160
230
  """
161
231
  return pulumi.get(self, "location")
162
232
 
@@ -167,6 +237,19 @@ class _RestorePlanIamMemberState:
167
237
  @property
168
238
  @pulumi.getter
169
239
  def member(self) -> Optional[pulumi.Input[str]]:
240
+ """
241
+ Identities that will be granted the privilege in `role`.
242
+ Each entry can have one of the following values:
243
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
244
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
245
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
246
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
247
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
248
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
249
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
250
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
251
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
252
+ """
170
253
  return pulumi.get(self, "member")
171
254
 
172
255
  @member.setter
@@ -177,7 +260,7 @@ class _RestorePlanIamMemberState:
177
260
  @pulumi.getter
178
261
  def name(self) -> Optional[pulumi.Input[str]]:
179
262
  """
180
- The full name of the BackupPlan Resource.
263
+ Used to find the parent resource to bind the IAM policy to
181
264
  """
182
265
  return pulumi.get(self, "name")
183
266
 
@@ -188,6 +271,10 @@ class _RestorePlanIamMemberState:
188
271
  @property
189
272
  @pulumi.getter
190
273
  def project(self) -> Optional[pulumi.Input[str]]:
274
+ """
275
+ The ID of the project in which the resource belongs.
276
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
277
+ """
191
278
  return pulumi.get(self, "project")
192
279
 
193
280
  @project.setter
@@ -197,6 +284,11 @@ class _RestorePlanIamMemberState:
197
284
  @property
198
285
  @pulumi.getter
199
286
  def role(self) -> Optional[pulumi.Input[str]]:
287
+ """
288
+ The role that should be applied. Only one
289
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
290
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
291
+ """
200
292
  return pulumi.get(self, "role")
201
293
 
202
294
  @role.setter
@@ -217,544 +309,171 @@ class RestorePlanIamMember(pulumi.CustomResource):
217
309
  role: Optional[pulumi.Input[str]] = None,
218
310
  __props__=None):
219
311
  """
220
- Represents a Restore Plan instance.
312
+ Three different resources help you manage your IAM policy for Backup for GKE RestorePlan. Each of these resources serves a different use case:
221
313
 
222
- To get more information about RestorePlan, see:
314
+ * `gkebackup.RestorePlanIamPolicy`: Authoritative. Sets the IAM policy for the restoreplan and replaces any existing policy already attached.
315
+ * `gkebackup.RestorePlanIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the restoreplan are preserved.
316
+ * `gkebackup.RestorePlanIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the restoreplan are preserved.
223
317
 
224
- * [API documentation](https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/projects.locations.restorePlans)
225
- * How-to Guides
226
- * [Official Documentation](https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke)
318
+ A data source can be used to retrieve policy data in advent you do not need creation
227
319
 
228
- ## Example Usage
320
+ * `gkebackup.RestorePlanIamPolicy`: Retrieves the IAM policy for the restoreplan
229
321
 
230
- ### Gkebackup Restoreplan All Namespaces
322
+ > **Note:** `gkebackup.RestorePlanIamPolicy` **cannot** be used in conjunction with `gkebackup.RestorePlanIamBinding` and `gkebackup.RestorePlanIamMember` or they will fight over what your policy should be.
231
323
 
232
- ```python
233
- import pulumi
234
- import pulumi_gcp as gcp
324
+ > **Note:** `gkebackup.RestorePlanIamBinding` resources **can be** used in conjunction with `gkebackup.RestorePlanIamMember` resources **only if** they do not grant privilege to the same role.
235
325
 
236
- primary = gcp.container.Cluster("primary",
237
- name="restore-all-ns-cluster",
238
- location="us-central1",
239
- initial_node_count=1,
240
- workload_identity_config={
241
- "workloadPool": "my-project-name.svc.id.goog",
242
- },
243
- addons_config={
244
- "gkeBackupAgentConfig": {
245
- "enabled": True,
246
- },
247
- },
248
- deletion_protection="",
249
- network="default",
250
- subnetwork="default")
251
- basic = gcp.gkebackup.BackupPlan("basic",
252
- name="restore-all-ns",
253
- cluster=primary.id,
254
- location="us-central1",
255
- backup_config={
256
- "includeVolumeData": True,
257
- "includeSecrets": True,
258
- "allNamespaces": True,
259
- })
260
- all_ns = gcp.gkebackup.RestorePlan("all_ns",
261
- name="restore-all-ns",
262
- location="us-central1",
263
- backup_plan=basic.id,
264
- cluster=primary.id,
265
- restore_config={
266
- "allNamespaces": True,
267
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
268
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
269
- "clusterResourceRestoreScope": {
270
- "allGroupKinds": True,
271
- },
272
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
273
- })
274
- ```
275
- ### Gkebackup Restoreplan Rollback Namespace
326
+ ## gkebackup.RestorePlanIamPolicy
276
327
 
277
328
  ```python
278
329
  import pulumi
279
330
  import pulumi_gcp as gcp
280
331
 
281
- primary = gcp.container.Cluster("primary",
282
- name="rollback-ns-cluster",
283
- location="us-central1",
284
- initial_node_count=1,
285
- workload_identity_config={
286
- "workloadPool": "my-project-name.svc.id.goog",
287
- },
288
- addons_config={
289
- "gkeBackupAgentConfig": {
290
- "enabled": True,
291
- },
292
- },
293
- deletion_protection="",
294
- network="default",
295
- subnetwork="default")
296
- basic = gcp.gkebackup.BackupPlan("basic",
297
- name="rollback-ns",
298
- cluster=primary.id,
299
- location="us-central1",
300
- backup_config={
301
- "includeVolumeData": True,
302
- "includeSecrets": True,
303
- "allNamespaces": True,
304
- })
305
- rollback_ns = gcp.gkebackup.RestorePlan("rollback_ns",
306
- name="rollback-ns-rp",
307
- location="us-central1",
308
- backup_plan=basic.id,
309
- cluster=primary.id,
310
- restore_config={
311
- "selectedNamespaces": {
312
- "namespaces": ["my-ns"],
313
- },
314
- "namespacedResourceRestoreMode": "DELETE_AND_RESTORE",
315
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
316
- "clusterResourceRestoreScope": {
317
- "selectedGroupKinds": [
318
- {
319
- "resourceGroup": "apiextension.k8s.io",
320
- "resourceKind": "CustomResourceDefinition",
321
- },
322
- {
323
- "resourceGroup": "storage.k8s.io",
324
- "resourceKind": "StorageClass",
325
- },
326
- ],
327
- },
328
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
329
- })
332
+ admin = gcp.organizations.get_iam_policy(bindings=[{
333
+ "role": "roles/viewer",
334
+ "members": ["user:jane@example.com"],
335
+ }])
336
+ policy = gcp.gkebackup.RestorePlanIamPolicy("policy",
337
+ project=all_ns["project"],
338
+ location=all_ns["location"],
339
+ name=all_ns["name"],
340
+ policy_data=admin.policy_data)
330
341
  ```
331
- ### Gkebackup Restoreplan Protected Application
332
342
 
333
- ```python
334
- import pulumi
335
- import pulumi_gcp as gcp
336
-
337
- primary = gcp.container.Cluster("primary",
338
- name="rollback-app-cluster",
339
- location="us-central1",
340
- initial_node_count=1,
341
- workload_identity_config={
342
- "workloadPool": "my-project-name.svc.id.goog",
343
- },
344
- addons_config={
345
- "gkeBackupAgentConfig": {
346
- "enabled": True,
347
- },
348
- },
349
- deletion_protection="",
350
- network="default",
351
- subnetwork="default")
352
- basic = gcp.gkebackup.BackupPlan("basic",
353
- name="rollback-app",
354
- cluster=primary.id,
355
- location="us-central1",
356
- backup_config={
357
- "includeVolumeData": True,
358
- "includeSecrets": True,
359
- "allNamespaces": True,
360
- })
361
- rollback_app = gcp.gkebackup.RestorePlan("rollback_app",
362
- name="rollback-app-rp",
363
- location="us-central1",
364
- backup_plan=basic.id,
365
- cluster=primary.id,
366
- restore_config={
367
- "selectedApplications": {
368
- "namespacedNames": [{
369
- "name": "my-app",
370
- "namespace": "my-ns",
371
- }],
372
- },
373
- "namespacedResourceRestoreMode": "DELETE_AND_RESTORE",
374
- "volumeDataRestorePolicy": "REUSE_VOLUME_HANDLE_FROM_BACKUP",
375
- "clusterResourceRestoreScope": {
376
- "noGroupKinds": True,
377
- },
378
- })
379
- ```
380
- ### Gkebackup Restoreplan All Cluster Resources
343
+ ## gkebackup.RestorePlanIamBinding
381
344
 
382
345
  ```python
383
346
  import pulumi
384
347
  import pulumi_gcp as gcp
385
348
 
386
- primary = gcp.container.Cluster("primary",
387
- name="all-groupkinds-cluster",
388
- location="us-central1",
389
- initial_node_count=1,
390
- workload_identity_config={
391
- "workloadPool": "my-project-name.svc.id.goog",
392
- },
393
- addons_config={
394
- "gkeBackupAgentConfig": {
395
- "enabled": True,
396
- },
397
- },
398
- deletion_protection="",
399
- network="default",
400
- subnetwork="default")
401
- basic = gcp.gkebackup.BackupPlan("basic",
402
- name="all-groupkinds",
403
- cluster=primary.id,
404
- location="us-central1",
405
- backup_config={
406
- "includeVolumeData": True,
407
- "includeSecrets": True,
408
- "allNamespaces": True,
409
- })
410
- all_cluster_resources = gcp.gkebackup.RestorePlan("all_cluster_resources",
411
- name="all-groupkinds-rp",
412
- location="us-central1",
413
- backup_plan=basic.id,
414
- cluster=primary.id,
415
- restore_config={
416
- "noNamespaces": True,
417
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
418
- "clusterResourceRestoreScope": {
419
- "allGroupKinds": True,
420
- },
421
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
422
- })
349
+ binding = gcp.gkebackup.RestorePlanIamBinding("binding",
350
+ project=all_ns["project"],
351
+ location=all_ns["location"],
352
+ name=all_ns["name"],
353
+ role="roles/viewer",
354
+ members=["user:jane@example.com"])
423
355
  ```
424
- ### Gkebackup Restoreplan Rename Namespace
425
356
 
426
- ```python
427
- import pulumi
428
- import pulumi_gcp as gcp
429
-
430
- primary = gcp.container.Cluster("primary",
431
- name="rename-ns-cluster",
432
- location="us-central1",
433
- initial_node_count=1,
434
- workload_identity_config={
435
- "workloadPool": "my-project-name.svc.id.goog",
436
- },
437
- addons_config={
438
- "gkeBackupAgentConfig": {
439
- "enabled": True,
440
- },
441
- },
442
- deletion_protection="",
443
- network="default",
444
- subnetwork="default")
445
- basic = gcp.gkebackup.BackupPlan("basic",
446
- name="rename-ns",
447
- cluster=primary.id,
448
- location="us-central1",
449
- backup_config={
450
- "includeVolumeData": True,
451
- "includeSecrets": True,
452
- "allNamespaces": True,
453
- })
454
- rename_ns = gcp.gkebackup.RestorePlan("rename_ns",
455
- name="rename-ns-rp",
456
- location="us-central1",
457
- backup_plan=basic.id,
458
- cluster=primary.id,
459
- restore_config={
460
- "selectedNamespaces": {
461
- "namespaces": ["ns1"],
462
- },
463
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
464
- "volumeDataRestorePolicy": "REUSE_VOLUME_HANDLE_FROM_BACKUP",
465
- "clusterResourceRestoreScope": {
466
- "noGroupKinds": True,
467
- },
468
- "transformationRules": [
469
- {
470
- "description": "rename namespace from ns1 to ns2",
471
- "resourceFilter": {
472
- "groupKinds": [{
473
- "resourceKind": "Namespace",
474
- }],
475
- "jsonPath": ".metadata[?(@.name == 'ns1')]",
476
- },
477
- "fieldActions": [{
478
- "op": "REPLACE",
479
- "path": "/metadata/name",
480
- "value": "ns2",
481
- }],
482
- },
483
- {
484
- "description": "move all resources from ns1 to ns2",
485
- "resourceFilter": {
486
- "namespaces": ["ns1"],
487
- },
488
- "fieldActions": [{
489
- "op": "REPLACE",
490
- "path": "/metadata/namespace",
491
- "value": "ns2",
492
- }],
493
- },
494
- ],
495
- })
496
- ```
497
- ### Gkebackup Restoreplan Second Transformation
357
+ ## gkebackup.RestorePlanIamMember
498
358
 
499
359
  ```python
500
360
  import pulumi
501
361
  import pulumi_gcp as gcp
502
362
 
503
- primary = gcp.container.Cluster("primary",
504
- name="transform-rule-cluster",
505
- location="us-central1",
506
- initial_node_count=1,
507
- workload_identity_config={
508
- "workloadPool": "my-project-name.svc.id.goog",
509
- },
510
- addons_config={
511
- "gkeBackupAgentConfig": {
512
- "enabled": True,
513
- },
514
- },
515
- deletion_protection="",
516
- network="default",
517
- subnetwork="default")
518
- basic = gcp.gkebackup.BackupPlan("basic",
519
- name="transform-rule",
520
- cluster=primary.id,
521
- location="us-central1",
522
- backup_config={
523
- "includeVolumeData": True,
524
- "includeSecrets": True,
525
- "allNamespaces": True,
526
- })
527
- transform_rule = gcp.gkebackup.RestorePlan("transform_rule",
528
- name="transform-rule-rp",
529
- description="copy nginx env variables",
530
- labels={
531
- "app": "nginx",
532
- },
533
- location="us-central1",
534
- backup_plan=basic.id,
535
- cluster=primary.id,
536
- restore_config={
537
- "excludedNamespaces": {
538
- "namespaces": ["my-ns"],
539
- },
540
- "namespacedResourceRestoreMode": "DELETE_AND_RESTORE",
541
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
542
- "clusterResourceRestoreScope": {
543
- "excludedGroupKinds": [{
544
- "resourceGroup": "apiextension.k8s.io",
545
- "resourceKind": "CustomResourceDefinition",
546
- }],
547
- },
548
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
549
- "transformationRules": [{
550
- "description": "Copy environment variables from the nginx container to the install init container.",
551
- "resourceFilter": {
552
- "groupKinds": [{
553
- "resourceKind": "Pod",
554
- "resourceGroup": "",
555
- }],
556
- "jsonPath": ".metadata[?(@.name == 'nginx')]",
557
- },
558
- "fieldActions": [{
559
- "op": "COPY",
560
- "path": "/spec/initContainers/0/env",
561
- "fromPath": "/spec/containers/0/env",
562
- }],
563
- }],
564
- })
363
+ member = gcp.gkebackup.RestorePlanIamMember("member",
364
+ project=all_ns["project"],
365
+ location=all_ns["location"],
366
+ name=all_ns["name"],
367
+ role="roles/viewer",
368
+ member="user:jane@example.com")
565
369
  ```
566
- ### Gkebackup Restoreplan Gitops Mode
370
+
371
+ ## gkebackup.RestorePlanIamPolicy
567
372
 
568
373
  ```python
569
374
  import pulumi
570
375
  import pulumi_gcp as gcp
571
376
 
572
- primary = gcp.container.Cluster("primary",
573
- name="gitops-mode-cluster",
574
- location="us-central1",
575
- initial_node_count=1,
576
- workload_identity_config={
577
- "workloadPool": "my-project-name.svc.id.goog",
578
- },
579
- addons_config={
580
- "gkeBackupAgentConfig": {
581
- "enabled": True,
582
- },
583
- },
584
- deletion_protection="",
585
- network="default",
586
- subnetwork="default")
587
- basic = gcp.gkebackup.BackupPlan("basic",
588
- name="gitops-mode",
589
- cluster=primary.id,
590
- location="us-central1",
591
- backup_config={
592
- "includeVolumeData": True,
593
- "includeSecrets": True,
594
- "allNamespaces": True,
595
- })
596
- gitops_mode = gcp.gkebackup.RestorePlan("gitops_mode",
597
- name="gitops-mode",
598
- location="us-central1",
599
- backup_plan=basic.id,
600
- cluster=primary.id,
601
- restore_config={
602
- "allNamespaces": True,
603
- "namespacedResourceRestoreMode": "MERGE_SKIP_ON_CONFLICT",
604
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
605
- "clusterResourceRestoreScope": {
606
- "allGroupKinds": True,
607
- },
608
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
609
- })
377
+ admin = gcp.organizations.get_iam_policy(bindings=[{
378
+ "role": "roles/viewer",
379
+ "members": ["user:jane@example.com"],
380
+ }])
381
+ policy = gcp.gkebackup.RestorePlanIamPolicy("policy",
382
+ project=all_ns["project"],
383
+ location=all_ns["location"],
384
+ name=all_ns["name"],
385
+ policy_data=admin.policy_data)
610
386
  ```
611
- ### Gkebackup Restoreplan Restore Order
387
+
388
+ ## gkebackup.RestorePlanIamBinding
612
389
 
613
390
  ```python
614
391
  import pulumi
615
392
  import pulumi_gcp as gcp
616
393
 
617
- primary = gcp.container.Cluster("primary",
618
- name="restore-order-cluster",
619
- location="us-central1",
620
- initial_node_count=1,
621
- workload_identity_config={
622
- "workloadPool": "my-project-name.svc.id.goog",
623
- },
624
- addons_config={
625
- "gkeBackupAgentConfig": {
626
- "enabled": True,
627
- },
628
- },
629
- deletion_protection="",
630
- network="default",
631
- subnetwork="default")
632
- basic = gcp.gkebackup.BackupPlan("basic",
633
- name="restore-order",
634
- cluster=primary.id,
635
- location="us-central1",
636
- backup_config={
637
- "includeVolumeData": True,
638
- "includeSecrets": True,
639
- "allNamespaces": True,
640
- })
641
- restore_order = gcp.gkebackup.RestorePlan("restore_order",
642
- name="restore-order",
643
- location="us-central1",
644
- backup_plan=basic.id,
645
- cluster=primary.id,
646
- restore_config={
647
- "allNamespaces": True,
648
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
649
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
650
- "clusterResourceRestoreScope": {
651
- "allGroupKinds": True,
652
- },
653
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
654
- "restoreOrder": {
655
- "groupKindDependencies": [
656
- {
657
- "satisfying": {
658
- "resourceGroup": "stable.example.com",
659
- "resourceKind": "kindA",
660
- },
661
- "requiring": {
662
- "resourceGroup": "stable.example.com",
663
- "resourceKind": "kindB",
664
- },
665
- },
666
- {
667
- "satisfying": {
668
- "resourceGroup": "stable.example.com",
669
- "resourceKind": "kindB",
670
- },
671
- "requiring": {
672
- "resourceGroup": "stable.example.com",
673
- "resourceKind": "kindC",
674
- },
675
- },
676
- ],
677
- },
678
- })
394
+ binding = gcp.gkebackup.RestorePlanIamBinding("binding",
395
+ project=all_ns["project"],
396
+ location=all_ns["location"],
397
+ name=all_ns["name"],
398
+ role="roles/viewer",
399
+ members=["user:jane@example.com"])
679
400
  ```
680
- ### Gkebackup Restoreplan Volume Res
401
+
402
+ ## gkebackup.RestorePlanIamMember
681
403
 
682
404
  ```python
683
405
  import pulumi
684
406
  import pulumi_gcp as gcp
685
407
 
686
- primary = gcp.container.Cluster("primary",
687
- name="volume-res-cluster",
688
- location="us-central1",
689
- initial_node_count=1,
690
- workload_identity_config={
691
- "workloadPool": "my-project-name.svc.id.goog",
692
- },
693
- addons_config={
694
- "gkeBackupAgentConfig": {
695
- "enabled": True,
696
- },
697
- },
698
- deletion_protection="",
699
- network="default",
700
- subnetwork="default")
701
- basic = gcp.gkebackup.BackupPlan("basic",
702
- name="volume-res",
703
- cluster=primary.id,
704
- location="us-central1",
705
- backup_config={
706
- "includeVolumeData": True,
707
- "includeSecrets": True,
708
- "allNamespaces": True,
709
- })
710
- volume_res = gcp.gkebackup.RestorePlan("volume_res",
711
- name="volume-res",
712
- location="us-central1",
713
- backup_plan=basic.id,
714
- cluster=primary.id,
715
- restore_config={
716
- "allNamespaces": True,
717
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
718
- "volumeDataRestorePolicy": "NO_VOLUME_DATA_RESTORATION",
719
- "clusterResourceRestoreScope": {
720
- "allGroupKinds": True,
721
- },
722
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
723
- "volumeDataRestorePolicyBindings": [{
724
- "policy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
725
- "volumeType": "GCE_PERSISTENT_DISK",
726
- }],
727
- })
408
+ member = gcp.gkebackup.RestorePlanIamMember("member",
409
+ project=all_ns["project"],
410
+ location=all_ns["location"],
411
+ name=all_ns["name"],
412
+ role="roles/viewer",
413
+ member="user:jane@example.com")
728
414
  ```
729
415
 
730
416
  ## Import
731
417
 
732
- RestorePlan can be imported using any of these accepted formats:
418
+ For all import syntaxes, the "resource in question" can take any of the following forms:
733
419
 
734
- * `projects/{{project}}/locations/{{location}}/restorePlans/{{name}}`
420
+ * projects/{{project}}/locations/{{location}}/restorePlans/{{name}}
735
421
 
736
- * `{{project}}/{{location}}/{{name}}`
422
+ * {{project}}/{{location}}/{{name}}
737
423
 
738
- * `{{location}}/{{name}}`
424
+ * {{location}}/{{name}}
739
425
 
740
- When using the `pulumi import` command, RestorePlan can be imported using one of the formats above. For example:
426
+ * {{name}}
427
+
428
+ Any variables not passed in the import command will be taken from the provider configuration.
429
+
430
+ Backup for GKE restoreplan IAM resources can be imported using the resource identifiers, role, and member.
431
+
432
+ IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.
741
433
 
742
434
  ```sh
743
- $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember default projects/{{project}}/locations/{{location}}/restorePlans/{{name}}
435
+ $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember editor "projects/{{project}}/locations/{{location}}/restorePlans/{{restore_plan}} roles/viewer user:jane@example.com"
744
436
  ```
745
437
 
438
+ IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.
439
+
746
440
  ```sh
747
- $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember default {{project}}/{{location}}/{{name}}
441
+ $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember editor "projects/{{project}}/locations/{{location}}/restorePlans/{{restore_plan}} roles/viewer"
748
442
  ```
749
443
 
444
+ IAM policy imports use the identifier of the resource in question, e.g.
445
+
750
446
  ```sh
751
- $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember default {{location}}/{{name}}
447
+ $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember editor projects/{{project}}/locations/{{location}}/restorePlans/{{restore_plan}}
752
448
  ```
753
449
 
450
+ -> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
451
+
452
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
453
+
754
454
  :param str resource_name: The name of the resource.
755
455
  :param pulumi.ResourceOptions opts: Options for the resource.
756
456
  :param pulumi.Input[str] location: The region of the Restore Plan.
757
- :param pulumi.Input[str] name: The full name of the BackupPlan Resource.
457
+ Used to find the parent resource to bind the IAM policy to. If not specified,
458
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
459
+ location is specified, it is taken from the provider configuration.
460
+ :param pulumi.Input[str] member: Identities that will be granted the privilege in `role`.
461
+ Each entry can have one of the following values:
462
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
463
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
464
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
465
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
466
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
467
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
468
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
469
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
470
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
471
+ :param pulumi.Input[str] name: Used to find the parent resource to bind the IAM policy to
472
+ :param pulumi.Input[str] project: The ID of the project in which the resource belongs.
473
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
474
+ :param pulumi.Input[str] role: The role that should be applied. Only one
475
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
476
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
758
477
  """
759
478
  ...
760
479
  @overload
@@ -763,540 +482,148 @@ class RestorePlanIamMember(pulumi.CustomResource):
763
482
  args: RestorePlanIamMemberArgs,
764
483
  opts: Optional[pulumi.ResourceOptions] = None):
765
484
  """
766
- Represents a Restore Plan instance.
485
+ Three different resources help you manage your IAM policy for Backup for GKE RestorePlan. Each of these resources serves a different use case:
767
486
 
768
- To get more information about RestorePlan, see:
487
+ * `gkebackup.RestorePlanIamPolicy`: Authoritative. Sets the IAM policy for the restoreplan and replaces any existing policy already attached.
488
+ * `gkebackup.RestorePlanIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the restoreplan are preserved.
489
+ * `gkebackup.RestorePlanIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the restoreplan are preserved.
769
490
 
770
- * [API documentation](https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/projects.locations.restorePlans)
771
- * How-to Guides
772
- * [Official Documentation](https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke)
491
+ A data source can be used to retrieve policy data in advent you do not need creation
773
492
 
774
- ## Example Usage
493
+ * `gkebackup.RestorePlanIamPolicy`: Retrieves the IAM policy for the restoreplan
775
494
 
776
- ### Gkebackup Restoreplan All Namespaces
495
+ > **Note:** `gkebackup.RestorePlanIamPolicy` **cannot** be used in conjunction with `gkebackup.RestorePlanIamBinding` and `gkebackup.RestorePlanIamMember` or they will fight over what your policy should be.
777
496
 
778
- ```python
779
- import pulumi
780
- import pulumi_gcp as gcp
497
+ > **Note:** `gkebackup.RestorePlanIamBinding` resources **can be** used in conjunction with `gkebackup.RestorePlanIamMember` resources **only if** they do not grant privilege to the same role.
781
498
 
782
- primary = gcp.container.Cluster("primary",
783
- name="restore-all-ns-cluster",
784
- location="us-central1",
785
- initial_node_count=1,
786
- workload_identity_config={
787
- "workloadPool": "my-project-name.svc.id.goog",
788
- },
789
- addons_config={
790
- "gkeBackupAgentConfig": {
791
- "enabled": True,
792
- },
793
- },
794
- deletion_protection="",
795
- network="default",
796
- subnetwork="default")
797
- basic = gcp.gkebackup.BackupPlan("basic",
798
- name="restore-all-ns",
799
- cluster=primary.id,
800
- location="us-central1",
801
- backup_config={
802
- "includeVolumeData": True,
803
- "includeSecrets": True,
804
- "allNamespaces": True,
805
- })
806
- all_ns = gcp.gkebackup.RestorePlan("all_ns",
807
- name="restore-all-ns",
808
- location="us-central1",
809
- backup_plan=basic.id,
810
- cluster=primary.id,
811
- restore_config={
812
- "allNamespaces": True,
813
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
814
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
815
- "clusterResourceRestoreScope": {
816
- "allGroupKinds": True,
817
- },
818
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
819
- })
820
- ```
821
- ### Gkebackup Restoreplan Rollback Namespace
499
+ ## gkebackup.RestorePlanIamPolicy
822
500
 
823
501
  ```python
824
502
  import pulumi
825
503
  import pulumi_gcp as gcp
826
504
 
827
- primary = gcp.container.Cluster("primary",
828
- name="rollback-ns-cluster",
829
- location="us-central1",
830
- initial_node_count=1,
831
- workload_identity_config={
832
- "workloadPool": "my-project-name.svc.id.goog",
833
- },
834
- addons_config={
835
- "gkeBackupAgentConfig": {
836
- "enabled": True,
837
- },
838
- },
839
- deletion_protection="",
840
- network="default",
841
- subnetwork="default")
842
- basic = gcp.gkebackup.BackupPlan("basic",
843
- name="rollback-ns",
844
- cluster=primary.id,
845
- location="us-central1",
846
- backup_config={
847
- "includeVolumeData": True,
848
- "includeSecrets": True,
849
- "allNamespaces": True,
850
- })
851
- rollback_ns = gcp.gkebackup.RestorePlan("rollback_ns",
852
- name="rollback-ns-rp",
853
- location="us-central1",
854
- backup_plan=basic.id,
855
- cluster=primary.id,
856
- restore_config={
857
- "selectedNamespaces": {
858
- "namespaces": ["my-ns"],
859
- },
860
- "namespacedResourceRestoreMode": "DELETE_AND_RESTORE",
861
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
862
- "clusterResourceRestoreScope": {
863
- "selectedGroupKinds": [
864
- {
865
- "resourceGroup": "apiextension.k8s.io",
866
- "resourceKind": "CustomResourceDefinition",
867
- },
868
- {
869
- "resourceGroup": "storage.k8s.io",
870
- "resourceKind": "StorageClass",
871
- },
872
- ],
873
- },
874
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
875
- })
505
+ admin = gcp.organizations.get_iam_policy(bindings=[{
506
+ "role": "roles/viewer",
507
+ "members": ["user:jane@example.com"],
508
+ }])
509
+ policy = gcp.gkebackup.RestorePlanIamPolicy("policy",
510
+ project=all_ns["project"],
511
+ location=all_ns["location"],
512
+ name=all_ns["name"],
513
+ policy_data=admin.policy_data)
876
514
  ```
877
- ### Gkebackup Restoreplan Protected Application
878
-
879
- ```python
880
- import pulumi
881
- import pulumi_gcp as gcp
882
515
 
883
- primary = gcp.container.Cluster("primary",
884
- name="rollback-app-cluster",
885
- location="us-central1",
886
- initial_node_count=1,
887
- workload_identity_config={
888
- "workloadPool": "my-project-name.svc.id.goog",
889
- },
890
- addons_config={
891
- "gkeBackupAgentConfig": {
892
- "enabled": True,
893
- },
894
- },
895
- deletion_protection="",
896
- network="default",
897
- subnetwork="default")
898
- basic = gcp.gkebackup.BackupPlan("basic",
899
- name="rollback-app",
900
- cluster=primary.id,
901
- location="us-central1",
902
- backup_config={
903
- "includeVolumeData": True,
904
- "includeSecrets": True,
905
- "allNamespaces": True,
906
- })
907
- rollback_app = gcp.gkebackup.RestorePlan("rollback_app",
908
- name="rollback-app-rp",
909
- location="us-central1",
910
- backup_plan=basic.id,
911
- cluster=primary.id,
912
- restore_config={
913
- "selectedApplications": {
914
- "namespacedNames": [{
915
- "name": "my-app",
916
- "namespace": "my-ns",
917
- }],
918
- },
919
- "namespacedResourceRestoreMode": "DELETE_AND_RESTORE",
920
- "volumeDataRestorePolicy": "REUSE_VOLUME_HANDLE_FROM_BACKUP",
921
- "clusterResourceRestoreScope": {
922
- "noGroupKinds": True,
923
- },
924
- })
925
- ```
926
- ### Gkebackup Restoreplan All Cluster Resources
516
+ ## gkebackup.RestorePlanIamBinding
927
517
 
928
518
  ```python
929
519
  import pulumi
930
520
  import pulumi_gcp as gcp
931
521
 
932
- primary = gcp.container.Cluster("primary",
933
- name="all-groupkinds-cluster",
934
- location="us-central1",
935
- initial_node_count=1,
936
- workload_identity_config={
937
- "workloadPool": "my-project-name.svc.id.goog",
938
- },
939
- addons_config={
940
- "gkeBackupAgentConfig": {
941
- "enabled": True,
942
- },
943
- },
944
- deletion_protection="",
945
- network="default",
946
- subnetwork="default")
947
- basic = gcp.gkebackup.BackupPlan("basic",
948
- name="all-groupkinds",
949
- cluster=primary.id,
950
- location="us-central1",
951
- backup_config={
952
- "includeVolumeData": True,
953
- "includeSecrets": True,
954
- "allNamespaces": True,
955
- })
956
- all_cluster_resources = gcp.gkebackup.RestorePlan("all_cluster_resources",
957
- name="all-groupkinds-rp",
958
- location="us-central1",
959
- backup_plan=basic.id,
960
- cluster=primary.id,
961
- restore_config={
962
- "noNamespaces": True,
963
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
964
- "clusterResourceRestoreScope": {
965
- "allGroupKinds": True,
966
- },
967
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
968
- })
522
+ binding = gcp.gkebackup.RestorePlanIamBinding("binding",
523
+ project=all_ns["project"],
524
+ location=all_ns["location"],
525
+ name=all_ns["name"],
526
+ role="roles/viewer",
527
+ members=["user:jane@example.com"])
969
528
  ```
970
- ### Gkebackup Restoreplan Rename Namespace
971
529
 
972
- ```python
973
- import pulumi
974
- import pulumi_gcp as gcp
975
-
976
- primary = gcp.container.Cluster("primary",
977
- name="rename-ns-cluster",
978
- location="us-central1",
979
- initial_node_count=1,
980
- workload_identity_config={
981
- "workloadPool": "my-project-name.svc.id.goog",
982
- },
983
- addons_config={
984
- "gkeBackupAgentConfig": {
985
- "enabled": True,
986
- },
987
- },
988
- deletion_protection="",
989
- network="default",
990
- subnetwork="default")
991
- basic = gcp.gkebackup.BackupPlan("basic",
992
- name="rename-ns",
993
- cluster=primary.id,
994
- location="us-central1",
995
- backup_config={
996
- "includeVolumeData": True,
997
- "includeSecrets": True,
998
- "allNamespaces": True,
999
- })
1000
- rename_ns = gcp.gkebackup.RestorePlan("rename_ns",
1001
- name="rename-ns-rp",
1002
- location="us-central1",
1003
- backup_plan=basic.id,
1004
- cluster=primary.id,
1005
- restore_config={
1006
- "selectedNamespaces": {
1007
- "namespaces": ["ns1"],
1008
- },
1009
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
1010
- "volumeDataRestorePolicy": "REUSE_VOLUME_HANDLE_FROM_BACKUP",
1011
- "clusterResourceRestoreScope": {
1012
- "noGroupKinds": True,
1013
- },
1014
- "transformationRules": [
1015
- {
1016
- "description": "rename namespace from ns1 to ns2",
1017
- "resourceFilter": {
1018
- "groupKinds": [{
1019
- "resourceKind": "Namespace",
1020
- }],
1021
- "jsonPath": ".metadata[?(@.name == 'ns1')]",
1022
- },
1023
- "fieldActions": [{
1024
- "op": "REPLACE",
1025
- "path": "/metadata/name",
1026
- "value": "ns2",
1027
- }],
1028
- },
1029
- {
1030
- "description": "move all resources from ns1 to ns2",
1031
- "resourceFilter": {
1032
- "namespaces": ["ns1"],
1033
- },
1034
- "fieldActions": [{
1035
- "op": "REPLACE",
1036
- "path": "/metadata/namespace",
1037
- "value": "ns2",
1038
- }],
1039
- },
1040
- ],
1041
- })
1042
- ```
1043
- ### Gkebackup Restoreplan Second Transformation
530
+ ## gkebackup.RestorePlanIamMember
1044
531
 
1045
532
  ```python
1046
533
  import pulumi
1047
534
  import pulumi_gcp as gcp
1048
535
 
1049
- primary = gcp.container.Cluster("primary",
1050
- name="transform-rule-cluster",
1051
- location="us-central1",
1052
- initial_node_count=1,
1053
- workload_identity_config={
1054
- "workloadPool": "my-project-name.svc.id.goog",
1055
- },
1056
- addons_config={
1057
- "gkeBackupAgentConfig": {
1058
- "enabled": True,
1059
- },
1060
- },
1061
- deletion_protection="",
1062
- network="default",
1063
- subnetwork="default")
1064
- basic = gcp.gkebackup.BackupPlan("basic",
1065
- name="transform-rule",
1066
- cluster=primary.id,
1067
- location="us-central1",
1068
- backup_config={
1069
- "includeVolumeData": True,
1070
- "includeSecrets": True,
1071
- "allNamespaces": True,
1072
- })
1073
- transform_rule = gcp.gkebackup.RestorePlan("transform_rule",
1074
- name="transform-rule-rp",
1075
- description="copy nginx env variables",
1076
- labels={
1077
- "app": "nginx",
1078
- },
1079
- location="us-central1",
1080
- backup_plan=basic.id,
1081
- cluster=primary.id,
1082
- restore_config={
1083
- "excludedNamespaces": {
1084
- "namespaces": ["my-ns"],
1085
- },
1086
- "namespacedResourceRestoreMode": "DELETE_AND_RESTORE",
1087
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
1088
- "clusterResourceRestoreScope": {
1089
- "excludedGroupKinds": [{
1090
- "resourceGroup": "apiextension.k8s.io",
1091
- "resourceKind": "CustomResourceDefinition",
1092
- }],
1093
- },
1094
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
1095
- "transformationRules": [{
1096
- "description": "Copy environment variables from the nginx container to the install init container.",
1097
- "resourceFilter": {
1098
- "groupKinds": [{
1099
- "resourceKind": "Pod",
1100
- "resourceGroup": "",
1101
- }],
1102
- "jsonPath": ".metadata[?(@.name == 'nginx')]",
1103
- },
1104
- "fieldActions": [{
1105
- "op": "COPY",
1106
- "path": "/spec/initContainers/0/env",
1107
- "fromPath": "/spec/containers/0/env",
1108
- }],
1109
- }],
1110
- })
536
+ member = gcp.gkebackup.RestorePlanIamMember("member",
537
+ project=all_ns["project"],
538
+ location=all_ns["location"],
539
+ name=all_ns["name"],
540
+ role="roles/viewer",
541
+ member="user:jane@example.com")
1111
542
  ```
1112
- ### Gkebackup Restoreplan Gitops Mode
543
+
544
+ ## gkebackup.RestorePlanIamPolicy
1113
545
 
1114
546
  ```python
1115
547
  import pulumi
1116
548
  import pulumi_gcp as gcp
1117
549
 
1118
- primary = gcp.container.Cluster("primary",
1119
- name="gitops-mode-cluster",
1120
- location="us-central1",
1121
- initial_node_count=1,
1122
- workload_identity_config={
1123
- "workloadPool": "my-project-name.svc.id.goog",
1124
- },
1125
- addons_config={
1126
- "gkeBackupAgentConfig": {
1127
- "enabled": True,
1128
- },
1129
- },
1130
- deletion_protection="",
1131
- network="default",
1132
- subnetwork="default")
1133
- basic = gcp.gkebackup.BackupPlan("basic",
1134
- name="gitops-mode",
1135
- cluster=primary.id,
1136
- location="us-central1",
1137
- backup_config={
1138
- "includeVolumeData": True,
1139
- "includeSecrets": True,
1140
- "allNamespaces": True,
1141
- })
1142
- gitops_mode = gcp.gkebackup.RestorePlan("gitops_mode",
1143
- name="gitops-mode",
1144
- location="us-central1",
1145
- backup_plan=basic.id,
1146
- cluster=primary.id,
1147
- restore_config={
1148
- "allNamespaces": True,
1149
- "namespacedResourceRestoreMode": "MERGE_SKIP_ON_CONFLICT",
1150
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
1151
- "clusterResourceRestoreScope": {
1152
- "allGroupKinds": True,
1153
- },
1154
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
1155
- })
550
+ admin = gcp.organizations.get_iam_policy(bindings=[{
551
+ "role": "roles/viewer",
552
+ "members": ["user:jane@example.com"],
553
+ }])
554
+ policy = gcp.gkebackup.RestorePlanIamPolicy("policy",
555
+ project=all_ns["project"],
556
+ location=all_ns["location"],
557
+ name=all_ns["name"],
558
+ policy_data=admin.policy_data)
1156
559
  ```
1157
- ### Gkebackup Restoreplan Restore Order
560
+
561
+ ## gkebackup.RestorePlanIamBinding
1158
562
 
1159
563
  ```python
1160
564
  import pulumi
1161
565
  import pulumi_gcp as gcp
1162
566
 
1163
- primary = gcp.container.Cluster("primary",
1164
- name="restore-order-cluster",
1165
- location="us-central1",
1166
- initial_node_count=1,
1167
- workload_identity_config={
1168
- "workloadPool": "my-project-name.svc.id.goog",
1169
- },
1170
- addons_config={
1171
- "gkeBackupAgentConfig": {
1172
- "enabled": True,
1173
- },
1174
- },
1175
- deletion_protection="",
1176
- network="default",
1177
- subnetwork="default")
1178
- basic = gcp.gkebackup.BackupPlan("basic",
1179
- name="restore-order",
1180
- cluster=primary.id,
1181
- location="us-central1",
1182
- backup_config={
1183
- "includeVolumeData": True,
1184
- "includeSecrets": True,
1185
- "allNamespaces": True,
1186
- })
1187
- restore_order = gcp.gkebackup.RestorePlan("restore_order",
1188
- name="restore-order",
1189
- location="us-central1",
1190
- backup_plan=basic.id,
1191
- cluster=primary.id,
1192
- restore_config={
1193
- "allNamespaces": True,
1194
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
1195
- "volumeDataRestorePolicy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
1196
- "clusterResourceRestoreScope": {
1197
- "allGroupKinds": True,
1198
- },
1199
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
1200
- "restoreOrder": {
1201
- "groupKindDependencies": [
1202
- {
1203
- "satisfying": {
1204
- "resourceGroup": "stable.example.com",
1205
- "resourceKind": "kindA",
1206
- },
1207
- "requiring": {
1208
- "resourceGroup": "stable.example.com",
1209
- "resourceKind": "kindB",
1210
- },
1211
- },
1212
- {
1213
- "satisfying": {
1214
- "resourceGroup": "stable.example.com",
1215
- "resourceKind": "kindB",
1216
- },
1217
- "requiring": {
1218
- "resourceGroup": "stable.example.com",
1219
- "resourceKind": "kindC",
1220
- },
1221
- },
1222
- ],
1223
- },
1224
- })
567
+ binding = gcp.gkebackup.RestorePlanIamBinding("binding",
568
+ project=all_ns["project"],
569
+ location=all_ns["location"],
570
+ name=all_ns["name"],
571
+ role="roles/viewer",
572
+ members=["user:jane@example.com"])
1225
573
  ```
1226
- ### Gkebackup Restoreplan Volume Res
574
+
575
+ ## gkebackup.RestorePlanIamMember
1227
576
 
1228
577
  ```python
1229
578
  import pulumi
1230
579
  import pulumi_gcp as gcp
1231
580
 
1232
- primary = gcp.container.Cluster("primary",
1233
- name="volume-res-cluster",
1234
- location="us-central1",
1235
- initial_node_count=1,
1236
- workload_identity_config={
1237
- "workloadPool": "my-project-name.svc.id.goog",
1238
- },
1239
- addons_config={
1240
- "gkeBackupAgentConfig": {
1241
- "enabled": True,
1242
- },
1243
- },
1244
- deletion_protection="",
1245
- network="default",
1246
- subnetwork="default")
1247
- basic = gcp.gkebackup.BackupPlan("basic",
1248
- name="volume-res",
1249
- cluster=primary.id,
1250
- location="us-central1",
1251
- backup_config={
1252
- "includeVolumeData": True,
1253
- "includeSecrets": True,
1254
- "allNamespaces": True,
1255
- })
1256
- volume_res = gcp.gkebackup.RestorePlan("volume_res",
1257
- name="volume-res",
1258
- location="us-central1",
1259
- backup_plan=basic.id,
1260
- cluster=primary.id,
1261
- restore_config={
1262
- "allNamespaces": True,
1263
- "namespacedResourceRestoreMode": "FAIL_ON_CONFLICT",
1264
- "volumeDataRestorePolicy": "NO_VOLUME_DATA_RESTORATION",
1265
- "clusterResourceRestoreScope": {
1266
- "allGroupKinds": True,
1267
- },
1268
- "clusterResourceConflictPolicy": "USE_EXISTING_VERSION",
1269
- "volumeDataRestorePolicyBindings": [{
1270
- "policy": "RESTORE_VOLUME_DATA_FROM_BACKUP",
1271
- "volumeType": "GCE_PERSISTENT_DISK",
1272
- }],
1273
- })
581
+ member = gcp.gkebackup.RestorePlanIamMember("member",
582
+ project=all_ns["project"],
583
+ location=all_ns["location"],
584
+ name=all_ns["name"],
585
+ role="roles/viewer",
586
+ member="user:jane@example.com")
1274
587
  ```
1275
588
 
1276
589
  ## Import
1277
590
 
1278
- RestorePlan can be imported using any of these accepted formats:
591
+ For all import syntaxes, the "resource in question" can take any of the following forms:
592
+
593
+ * projects/{{project}}/locations/{{location}}/restorePlans/{{name}}
594
+
595
+ * {{project}}/{{location}}/{{name}}
596
+
597
+ * {{location}}/{{name}}
1279
598
 
1280
- * `projects/{{project}}/locations/{{location}}/restorePlans/{{name}}`
599
+ * {{name}}
1281
600
 
1282
- * `{{project}}/{{location}}/{{name}}`
601
+ Any variables not passed in the import command will be taken from the provider configuration.
1283
602
 
1284
- * `{{location}}/{{name}}`
603
+ Backup for GKE restoreplan IAM resources can be imported using the resource identifiers, role, and member.
1285
604
 
1286
- When using the `pulumi import` command, RestorePlan can be imported using one of the formats above. For example:
605
+ IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.
1287
606
 
1288
607
  ```sh
1289
- $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember default projects/{{project}}/locations/{{location}}/restorePlans/{{name}}
608
+ $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember editor "projects/{{project}}/locations/{{location}}/restorePlans/{{restore_plan}} roles/viewer user:jane@example.com"
1290
609
  ```
1291
610
 
611
+ IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.
612
+
1292
613
  ```sh
1293
- $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember default {{project}}/{{location}}/{{name}}
614
+ $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember editor "projects/{{project}}/locations/{{location}}/restorePlans/{{restore_plan}} roles/viewer"
1294
615
  ```
1295
616
 
617
+ IAM policy imports use the identifier of the resource in question, e.g.
618
+
1296
619
  ```sh
1297
- $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember default {{location}}/{{name}}
620
+ $ pulumi import gcp:gkebackup/restorePlanIamMember:RestorePlanIamMember editor projects/{{project}}/locations/{{location}}/restorePlans/{{restore_plan}}
1298
621
  ```
1299
622
 
623
+ -> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
624
+
625
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
626
+
1300
627
  :param str resource_name: The name of the resource.
1301
628
  :param RestorePlanIamMemberArgs args: The arguments to use to populate this resource's properties.
1302
629
  :param pulumi.ResourceOptions opts: Options for the resource.
@@ -1362,8 +689,28 @@ class RestorePlanIamMember(pulumi.CustomResource):
1362
689
  :param str resource_name: The unique name of the resulting resource.
1363
690
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
1364
691
  :param pulumi.ResourceOptions opts: Options for the resource.
692
+ :param pulumi.Input[str] etag: (Computed) The etag of the IAM policy.
1365
693
  :param pulumi.Input[str] location: The region of the Restore Plan.
1366
- :param pulumi.Input[str] name: The full name of the BackupPlan Resource.
694
+ Used to find the parent resource to bind the IAM policy to. If not specified,
695
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
696
+ location is specified, it is taken from the provider configuration.
697
+ :param pulumi.Input[str] member: Identities that will be granted the privilege in `role`.
698
+ Each entry can have one of the following values:
699
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
700
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
701
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
702
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
703
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
704
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
705
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
706
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
707
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
708
+ :param pulumi.Input[str] name: Used to find the parent resource to bind the IAM policy to
709
+ :param pulumi.Input[str] project: The ID of the project in which the resource belongs.
710
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
711
+ :param pulumi.Input[str] role: The role that should be applied. Only one
712
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
713
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
1367
714
  """
1368
715
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
1369
716
 
@@ -1386,6 +733,9 @@ class RestorePlanIamMember(pulumi.CustomResource):
1386
733
  @property
1387
734
  @pulumi.getter
1388
735
  def etag(self) -> pulumi.Output[str]:
736
+ """
737
+ (Computed) The etag of the IAM policy.
738
+ """
1389
739
  return pulumi.get(self, "etag")
1390
740
 
1391
741
  @property
@@ -1393,29 +743,54 @@ class RestorePlanIamMember(pulumi.CustomResource):
1393
743
  def location(self) -> pulumi.Output[str]:
1394
744
  """
1395
745
  The region of the Restore Plan.
746
+ Used to find the parent resource to bind the IAM policy to. If not specified,
747
+ the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no
748
+ location is specified, it is taken from the provider configuration.
1396
749
  """
1397
750
  return pulumi.get(self, "location")
1398
751
 
1399
752
  @property
1400
753
  @pulumi.getter
1401
754
  def member(self) -> pulumi.Output[str]:
755
+ """
756
+ Identities that will be granted the privilege in `role`.
757
+ Each entry can have one of the following values:
758
+ * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
759
+ * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
760
+ * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
761
+ * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
762
+ * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
763
+ * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
764
+ * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
765
+ * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
766
+ * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
767
+ """
1402
768
  return pulumi.get(self, "member")
1403
769
 
1404
770
  @property
1405
771
  @pulumi.getter
1406
772
  def name(self) -> pulumi.Output[str]:
1407
773
  """
1408
- The full name of the BackupPlan Resource.
774
+ Used to find the parent resource to bind the IAM policy to
1409
775
  """
1410
776
  return pulumi.get(self, "name")
1411
777
 
1412
778
  @property
1413
779
  @pulumi.getter
1414
780
  def project(self) -> pulumi.Output[str]:
781
+ """
782
+ The ID of the project in which the resource belongs.
783
+ If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
784
+ """
1415
785
  return pulumi.get(self, "project")
1416
786
 
1417
787
  @property
1418
788
  @pulumi.getter
1419
789
  def role(self) -> pulumi.Output[str]:
790
+ """
791
+ The role that should be applied. Only one
792
+ `gkebackup.RestorePlanIamBinding` can be used per role. Note that custom roles must be of the format
793
+ `[projects|organizations]/{parent-name}/roles/{role-name}`.
794
+ """
1420
795
  return pulumi.get(self, "role")
1421
796