pulumi-gcp 8.8.0a1730788810__py3-none-any.whl → 8.8.0a1730856812__py3-none-any.whl

pulumi_gcp/iap/outputs.py

@@ -13,12 +13,25 @@ if sys.version_info >= (3, 11):
 else:
     from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
+from . import outputs
 
 __all__ = [
     'AppEngineServiceIamBindingCondition',
     'AppEngineServiceIamMemberCondition',
     'AppEngineVersionIamBindingCondition',
     'AppEngineVersionIamMemberCondition',
+    'SettingsAccessSettings',
+    'SettingsAccessSettingsAllowedDomainsSettings',
+    'SettingsAccessSettingsCorsSettings',
+    'SettingsAccessSettingsGcipSettings',
+    'SettingsAccessSettingsOauthSettings',
+    'SettingsAccessSettingsReauthSettings',
+    'SettingsAccessSettingsWorkforceIdentitySettings',
+    'SettingsAccessSettingsWorkforceIdentitySettingsOauth2',
+    'SettingsApplicationSettings',
+    'SettingsApplicationSettingsAccessDeniedPageSettings',
+    'SettingsApplicationSettingsAttributePropagationSettings',
+    'SettingsApplicationSettingsCsmSettings',
     'TunnelDestGroupIamBindingCondition',
     'TunnelDestGroupIamMemberCondition',
     'TunnelIamBindingCondition',
@@ -233,6 +246,820 @@ class AppEngineVersionIamMemberCondition(dict):
         return pulumi.get(self, "description")
 
 
+@pulumi.output_type
+class SettingsAccessSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "allowedDomainsSettings":
+            suggest = "allowed_domains_settings"
+        elif key == "corsSettings":
+            suggest = "cors_settings"
+        elif key == "gcipSettings":
+            suggest = "gcip_settings"
+        elif key == "identitySources":
+            suggest = "identity_sources"
+        elif key == "oauthSettings":
+            suggest = "oauth_settings"
+        elif key == "reauthSettings":
+            suggest = "reauth_settings"
+        elif key == "workforceIdentitySettings":
+            suggest = "workforce_identity_settings"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 allowed_domains_settings: Optional['outputs.SettingsAccessSettingsAllowedDomainsSettings'] = None,
+                 cors_settings: Optional['outputs.SettingsAccessSettingsCorsSettings'] = None,
+                 gcip_settings: Optional['outputs.SettingsAccessSettingsGcipSettings'] = None,
+                 identity_sources: Optional[Sequence[str]] = None,
+                 oauth_settings: Optional['outputs.SettingsAccessSettingsOauthSettings'] = None,
+                 reauth_settings: Optional['outputs.SettingsAccessSettingsReauthSettings'] = None,
+                 workforce_identity_settings: Optional['outputs.SettingsAccessSettingsWorkforceIdentitySettings'] = None):
+        """
+        :param 'SettingsAccessSettingsAllowedDomainsSettingsArgs' allowed_domains_settings: Settings to configure and enable allowed domains.
+               Structure is documented below.
+        :param 'SettingsAccessSettingsCorsSettingsArgs' cors_settings: Configuration to allow cross-origin requests via IAP.
+               Structure is documented below.
+        :param 'SettingsAccessSettingsGcipSettingsArgs' gcip_settings: GCIP claims and endpoint configurations for 3p identity providers.
+               Structure is documented below.
+        :param Sequence[str] identity_sources: Identity sources that IAP can use to authenticate the end user. Only one identity source
+               can be configured. The possible values are:
+               * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce
+               Identity Federation.
+               Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`.
+        :param 'SettingsAccessSettingsOauthSettingsArgs' oauth_settings: Settings to configure IAP's OAuth behavior.
+               Structure is documented below.
+        :param 'SettingsAccessSettingsReauthSettingsArgs' reauth_settings: Settings to configure reauthentication policies in IAP.
+               Structure is documented below.
+        :param 'SettingsAccessSettingsWorkforceIdentitySettingsArgs' workforce_identity_settings: Settings to configure the workforce identity federation, including workforce pools
+               and OAuth 2.0 settings.
+               Structure is documented below.
+        """
+        if allowed_domains_settings is not None:
+            pulumi.set(__self__, "allowed_domains_settings", allowed_domains_settings)
+        if cors_settings is not None:
+            pulumi.set(__self__, "cors_settings", cors_settings)
+        if gcip_settings is not None:
+            pulumi.set(__self__, "gcip_settings", gcip_settings)
+        if identity_sources is not None:
+            pulumi.set(__self__, "identity_sources", identity_sources)
+        if oauth_settings is not None:
+            pulumi.set(__self__, "oauth_settings", oauth_settings)
+        if reauth_settings is not None:
+            pulumi.set(__self__, "reauth_settings", reauth_settings)
+        if workforce_identity_settings is not None:
+            pulumi.set(__self__, "workforce_identity_settings", workforce_identity_settings)
+
+    @property
+    @pulumi.getter(name="allowedDomainsSettings")
+    def allowed_domains_settings(self) -> Optional['outputs.SettingsAccessSettingsAllowedDomainsSettings']:
+        """
+        Settings to configure and enable allowed domains.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "allowed_domains_settings")
+
+    @property
+    @pulumi.getter(name="corsSettings")
+    def cors_settings(self) -> Optional['outputs.SettingsAccessSettingsCorsSettings']:
+        """
+        Configuration to allow cross-origin requests via IAP.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "cors_settings")
+
+    @property
+    @pulumi.getter(name="gcipSettings")
+    def gcip_settings(self) -> Optional['outputs.SettingsAccessSettingsGcipSettings']:
+        """
+        GCIP claims and endpoint configurations for 3p identity providers.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "gcip_settings")
+
+    @property
+    @pulumi.getter(name="identitySources")
+    def identity_sources(self) -> Optional[Sequence[str]]:
+        """
+        Identity sources that IAP can use to authenticate the end user. Only one identity source
+        can be configured. The possible values are:
+        * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce
+        Identity Federation.
+        Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`.
+        """
+        return pulumi.get(self, "identity_sources")
+
+    @property
+    @pulumi.getter(name="oauthSettings")
+    def oauth_settings(self) -> Optional['outputs.SettingsAccessSettingsOauthSettings']:
+        """
+        Settings to configure IAP's OAuth behavior.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "oauth_settings")
+
+    @property
+    @pulumi.getter(name="reauthSettings")
+    def reauth_settings(self) -> Optional['outputs.SettingsAccessSettingsReauthSettings']:
+        """
+        Settings to configure reauthentication policies in IAP.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "reauth_settings")
+
+    @property
+    @pulumi.getter(name="workforceIdentitySettings")
+    def workforce_identity_settings(self) -> Optional['outputs.SettingsAccessSettingsWorkforceIdentitySettings']:
+        """
+        Settings to configure the workforce identity federation, including workforce pools
+        and OAuth 2.0 settings.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "workforce_identity_settings")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsAllowedDomainsSettings(dict):
+    def __init__(__self__, *,
+                 domains: Optional[Sequence[str]] = None,
+                 enable: Optional[bool] = None):
+        """
+        :param Sequence[str] domains: List of trusted domains.
+        :param bool enable: Configuration for customers to opt in for the feature.
+        """
+        if domains is not None:
+            pulumi.set(__self__, "domains", domains)
+        if enable is not None:
+            pulumi.set(__self__, "enable", enable)
+
+    @property
+    @pulumi.getter
+    def domains(self) -> Optional[Sequence[str]]:
+        """
+        List of trusted domains.
+        """
+        return pulumi.get(self, "domains")
+
+    @property
+    @pulumi.getter
+    def enable(self) -> Optional[bool]:
+        """
+        Configuration for customers to opt in for the feature.
+        """
+        return pulumi.get(self, "enable")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsCorsSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "allowHttpOptions":
+            suggest = "allow_http_options"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettingsCorsSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettingsCorsSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettingsCorsSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 allow_http_options: Optional[bool] = None):
+        """
+        :param bool allow_http_options: Configuration to allow HTTP OPTIONS calls to skip authorization.
+               If undefined, IAP will not apply any special logic to OPTIONS requests.
+        """
+        if allow_http_options is not None:
+            pulumi.set(__self__, "allow_http_options", allow_http_options)
+
+    @property
+    @pulumi.getter(name="allowHttpOptions")
+    def allow_http_options(self) -> Optional[bool]:
+        """
+        Configuration to allow HTTP OPTIONS calls to skip authorization.
+        If undefined, IAP will not apply any special logic to OPTIONS requests.
+        """
+        return pulumi.get(self, "allow_http_options")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsGcipSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "loginPageUri":
+            suggest = "login_page_uri"
+        elif key == "tenantIds":
+            suggest = "tenant_ids"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettingsGcipSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettingsGcipSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettingsGcipSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 login_page_uri: Optional[str] = None,
+                 tenant_ids: Optional[Sequence[str]] = None):
+        """
+        :param str login_page_uri: Login page URI associated with the GCIP tenants. Typically, all resources within
+               the same project share the same login page, though it could be overridden at the
+               sub resource level.
+        :param Sequence[str] tenant_ids: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string
+               beginning with a number character to indicate authenticating with GCIP tenant flow,
+               or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow
+               is used, tenantIds should only contain one single element, while for tenant flow,
+               tenantIds can contain multiple elements.
+        """
+        if login_page_uri is not None:
+            pulumi.set(__self__, "login_page_uri", login_page_uri)
+        if tenant_ids is not None:
+            pulumi.set(__self__, "tenant_ids", tenant_ids)
+
+    @property
+    @pulumi.getter(name="loginPageUri")
+    def login_page_uri(self) -> Optional[str]:
+        """
+        Login page URI associated with the GCIP tenants. Typically, all resources within
+        the same project share the same login page, though it could be overridden at the
+        sub resource level.
+        """
+        return pulumi.get(self, "login_page_uri")
+
+    @property
+    @pulumi.getter(name="tenantIds")
+    def tenant_ids(self) -> Optional[Sequence[str]]:
+        """
+        GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string
+        beginning with a number character to indicate authenticating with GCIP tenant flow,
+        or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow
+        is used, tenantIds should only contain one single element, while for tenant flow,
+        tenantIds can contain multiple elements.
+        """
+        return pulumi.get(self, "tenant_ids")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsOauthSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "loginHint":
+            suggest = "login_hint"
+        elif key == "programmaticClients":
+            suggest = "programmatic_clients"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettingsOauthSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettingsOauthSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettingsOauthSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 login_hint: Optional[str] = None,
+                 programmatic_clients: Optional[Sequence[str]] = None):
+        """
+        :param str login_hint: Domain hint to send as hd=? parameter in OAuth request flow.
+               Enables redirect to primary IDP by skipping Google's login screen.
+               (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
+               Note: IAP does not verify that the id token's hd claim matches this value
+               since access behavior is managed by IAM policies.
+        :param Sequence[str] programmatic_clients: List of client ids allowed to use IAP programmatically.
+        """
+        if login_hint is not None:
+            pulumi.set(__self__, "login_hint", login_hint)
+        if programmatic_clients is not None:
+            pulumi.set(__self__, "programmatic_clients", programmatic_clients)
+
+    @property
+    @pulumi.getter(name="loginHint")
+    def login_hint(self) -> Optional[str]:
+        """
+        Domain hint to send as hd=? parameter in OAuth request flow.
+        Enables redirect to primary IDP by skipping Google's login screen.
+        (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
+        Note: IAP does not verify that the id token's hd claim matches this value
+        since access behavior is managed by IAM policies.
+        """
+        return pulumi.get(self, "login_hint")
+
+    @property
+    @pulumi.getter(name="programmaticClients")
+    def programmatic_clients(self) -> Optional[Sequence[str]]:
+        """
+        List of client ids allowed to use IAP programmatically.
+        """
+        return pulumi.get(self, "programmatic_clients")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsReauthSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "maxAge":
+            suggest = "max_age"
+        elif key == "policyType":
+            suggest = "policy_type"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettingsReauthSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettingsReauthSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettingsReauthSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 max_age: str,
+                 method: str,
+                 policy_type: str):
+        """
+        :param str max_age: Reauth session lifetime, how long before a user has to reauthenticate again.
+               A duration in seconds with up to nine fractional digits, ending with 's'.
+               Example: "3.5s".
+        :param str method: Reauth method requested. The possible values are:
+               * `LOGIN`: Prompts the user to log in again.
+               * `SECURE_KEY`: User must use their secure key 2nd factor device.
+               * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor.
+               Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`.
+        :param str policy_type: How IAP determines the effective policy in cases of hierarchical policies.
+               Policies are merged from higher in the hierarchy to lower in the hierarchy.
+               The possible values are:
+               * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy.
+               Effective policy may only be the same or stricter.
+               * `DEFAULT`: This policy acts as a default if no other reauth policy is set.
+               Possible values are: `MINIMUM`, `DEFAULT`.
+        """
+        pulumi.set(__self__, "max_age", max_age)
+        pulumi.set(__self__, "method", method)
+        pulumi.set(__self__, "policy_type", policy_type)
+
+    @property
+    @pulumi.getter(name="maxAge")
+    def max_age(self) -> str:
+        """
+        Reauth session lifetime, how long before a user has to reauthenticate again.
+        A duration in seconds with up to nine fractional digits, ending with 's'.
+        Example: "3.5s".
+        """
+        return pulumi.get(self, "max_age")
+
+    @property
+    @pulumi.getter
+    def method(self) -> str:
+        """
+        Reauth method requested. The possible values are:
+        * `LOGIN`: Prompts the user to log in again.
+        * `SECURE_KEY`: User must use their secure key 2nd factor device.
+        * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor.
+        Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`.
+        """
+        return pulumi.get(self, "method")
+
+    @property
+    @pulumi.getter(name="policyType")
+    def policy_type(self) -> str:
+        """
+        How IAP determines the effective policy in cases of hierarchical policies.
+        Policies are merged from higher in the hierarchy to lower in the hierarchy.
+        The possible values are:
+        * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy.
+        Effective policy may only be the same or stricter.
+        * `DEFAULT`: This policy acts as a default if no other reauth policy is set.
+        Possible values are: `MINIMUM`, `DEFAULT`.
+        """
+        return pulumi.get(self, "policy_type")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsWorkforceIdentitySettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "workforcePools":
+            suggest = "workforce_pools"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettingsWorkforceIdentitySettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettingsWorkforceIdentitySettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettingsWorkforceIdentitySettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 oauth2: Optional['outputs.SettingsAccessSettingsWorkforceIdentitySettingsOauth2'] = None,
+                 workforce_pools: Optional[str] = None):
+        """
+        :param 'SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args' oauth2: OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity
+               federation services.
+               Structure is documented below.
+               
+               
+               <a name="nested_oauth2"></a>The `oauth2` block supports:
+        :param str workforce_pools: The workforce pool resources. Only one workforce pool is accepted.
+        """
+        if oauth2 is not None:
+            pulumi.set(__self__, "oauth2", oauth2)
+        if workforce_pools is not None:
+            pulumi.set(__self__, "workforce_pools", workforce_pools)
+
+    @property
+    @pulumi.getter
+    def oauth2(self) -> Optional['outputs.SettingsAccessSettingsWorkforceIdentitySettingsOauth2']:
+        """
+        OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity
+        federation services.
+        Structure is documented below.
+
+
+        <a name="nested_oauth2"></a>The `oauth2` block supports:
+        """
+        return pulumi.get(self, "oauth2")
+
+    @property
+    @pulumi.getter(name="workforcePools")
+    def workforce_pools(self) -> Optional[str]:
+        """
+        The workforce pool resources. Only one workforce pool is accepted.
+        """
+        return pulumi.get(self, "workforce_pools")
+
+
+@pulumi.output_type
+class SettingsAccessSettingsWorkforceIdentitySettingsOauth2(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "clientId":
+            suggest = "client_id"
+        elif key == "clientSecret":
+            suggest = "client_secret"
+        elif key == "clientSecretSha256":
+            suggest = "client_secret_sha256"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsAccessSettingsWorkforceIdentitySettingsOauth2. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsAccessSettingsWorkforceIdentitySettingsOauth2.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsAccessSettingsWorkforceIdentitySettingsOauth2.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 client_id: Optional[str] = None,
+                 client_secret: Optional[str] = None,
+                 client_secret_sha256: Optional[str] = None):
+        """
+        :param str client_id: The OAuth 2.0 client ID registered in the workforce identity
+               federation OAuth 2.0 Server.
+        :param str client_secret: Input only. The OAuth 2.0 client secret created while registering
+               the client ID.
+        :param str client_secret_sha256: Output only. SHA256 hash value for the client secret. This field
+               is returned by IAP when the settings are retrieved.
+        """
+        if client_id is not None:
+            pulumi.set(__self__, "client_id", client_id)
+        if client_secret is not None:
+            pulumi.set(__self__, "client_secret", client_secret)
+        if client_secret_sha256 is not None:
+            pulumi.set(__self__, "client_secret_sha256", client_secret_sha256)
+
+    @property
+    @pulumi.getter(name="clientId")
+    def client_id(self) -> Optional[str]:
+        """
+        The OAuth 2.0 client ID registered in the workforce identity
+        federation OAuth 2.0 Server.
+        """
+        return pulumi.get(self, "client_id")
+
+    @property
+    @pulumi.getter(name="clientSecret")
+    def client_secret(self) -> Optional[str]:
+        """
+        Input only. The OAuth 2.0 client secret created while registering
+        the client ID.
+        """
+        return pulumi.get(self, "client_secret")
+
+    @property
+    @pulumi.getter(name="clientSecretSha256")
+    def client_secret_sha256(self) -> Optional[str]:
+        """
+        Output only. SHA256 hash value for the client secret. This field
+        is returned by IAP when the settings are retrieved.
+        """
+        return pulumi.get(self, "client_secret_sha256")
+
+
+@pulumi.output_type
+class SettingsApplicationSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "accessDeniedPageSettings":
+            suggest = "access_denied_page_settings"
+        elif key == "attributePropagationSettings":
+            suggest = "attribute_propagation_settings"
+        elif key == "cookieDomain":
+            suggest = "cookie_domain"
+        elif key == "csmSettings":
+            suggest = "csm_settings"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsApplicationSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsApplicationSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsApplicationSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 access_denied_page_settings: Optional['outputs.SettingsApplicationSettingsAccessDeniedPageSettings'] = None,
+                 attribute_propagation_settings: Optional['outputs.SettingsApplicationSettingsAttributePropagationSettings'] = None,
+                 cookie_domain: Optional[str] = None,
+                 csm_settings: Optional['outputs.SettingsApplicationSettingsCsmSettings'] = None):
+        """
+        :param 'SettingsApplicationSettingsAccessDeniedPageSettingsArgs' access_denied_page_settings: Customization for Access Denied page. IAP allows customers to define a custom URI
+               to use as the error page when access is denied to users. If IAP prevents access
+               to this page, the default IAP error page will be displayed instead.
+               Structure is documented below.
+        :param 'SettingsApplicationSettingsAttributePropagationSettingsArgs' attribute_propagation_settings: Settings to configure attribute propagation.
+               Structure is documented below.
+        :param str cookie_domain: The Domain value to set for cookies generated by IAP. This value is not validated by the API,
+               but will be ignored at runtime if invalid.
+        :param 'SettingsApplicationSettingsCsmSettingsArgs' csm_settings: Settings to configure IAP's behavior for a service mesh.
+               Structure is documented below.
+        """
+        if access_denied_page_settings is not None:
+            pulumi.set(__self__, "access_denied_page_settings", access_denied_page_settings)
+        if attribute_propagation_settings is not None:
+            pulumi.set(__self__, "attribute_propagation_settings", attribute_propagation_settings)
+        if cookie_domain is not None:
+            pulumi.set(__self__, "cookie_domain", cookie_domain)
+        if csm_settings is not None:
+            pulumi.set(__self__, "csm_settings", csm_settings)
+
+    @property
+    @pulumi.getter(name="accessDeniedPageSettings")
+    def access_denied_page_settings(self) -> Optional['outputs.SettingsApplicationSettingsAccessDeniedPageSettings']:
+        """
+        Customization for Access Denied page. IAP allows customers to define a custom URI
+        to use as the error page when access is denied to users. If IAP prevents access
+        to this page, the default IAP error page will be displayed instead.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "access_denied_page_settings")
+
+    @property
+    @pulumi.getter(name="attributePropagationSettings")
+    def attribute_propagation_settings(self) -> Optional['outputs.SettingsApplicationSettingsAttributePropagationSettings']:
+        """
+        Settings to configure attribute propagation.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "attribute_propagation_settings")
+
+    @property
+    @pulumi.getter(name="cookieDomain")
+    def cookie_domain(self) -> Optional[str]:
+        """
+        The Domain value to set for cookies generated by IAP. This value is not validated by the API,
+        but will be ignored at runtime if invalid.
+        """
+        return pulumi.get(self, "cookie_domain")
+
+    @property
+    @pulumi.getter(name="csmSettings")
+    def csm_settings(self) -> Optional['outputs.SettingsApplicationSettingsCsmSettings']:
+        """
+        Settings to configure IAP's behavior for a service mesh.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "csm_settings")
+
+
+@pulumi.output_type
+class SettingsApplicationSettingsAccessDeniedPageSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "accessDeniedPageUri":
+            suggest = "access_denied_page_uri"
+        elif key == "generateTroubleshootingUri":
+            suggest = "generate_troubleshooting_uri"
+        elif key == "remediationTokenGenerationEnabled":
+            suggest = "remediation_token_generation_enabled"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsApplicationSettingsAccessDeniedPageSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsApplicationSettingsAccessDeniedPageSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsApplicationSettingsAccessDeniedPageSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 access_denied_page_uri: Optional[str] = None,
+                 generate_troubleshooting_uri: Optional[bool] = None,
+                 remediation_token_generation_enabled: Optional[bool] = None):
+        """
+        :param str access_denied_page_uri: The URI to be redirected to when access is denied.
+        :param bool generate_troubleshooting_uri: Whether to generate a troubleshooting URL on access denied events to this application.
+        :param bool remediation_token_generation_enabled: Whether to generate remediation token on access denied events to this application.
+        """
+        if access_denied_page_uri is not None:
+            pulumi.set(__self__, "access_denied_page_uri", access_denied_page_uri)
+        if generate_troubleshooting_uri is not None:
+            pulumi.set(__self__, "generate_troubleshooting_uri", generate_troubleshooting_uri)
+        if remediation_token_generation_enabled is not None:
+            pulumi.set(__self__, "remediation_token_generation_enabled", remediation_token_generation_enabled)
+
+    @property
+    @pulumi.getter(name="accessDeniedPageUri")
+    def access_denied_page_uri(self) -> Optional[str]:
+        """
+        The URI to be redirected to when access is denied.
+        """
+        return pulumi.get(self, "access_denied_page_uri")
+
+    @property
+    @pulumi.getter(name="generateTroubleshootingUri")
+    def generate_troubleshooting_uri(self) -> Optional[bool]:
+        """
+        Whether to generate a troubleshooting URL on access denied events to this application.
+        """
+        return pulumi.get(self, "generate_troubleshooting_uri")
+
+    @property
+    @pulumi.getter(name="remediationTokenGenerationEnabled")
+    def remediation_token_generation_enabled(self) -> Optional[bool]:
+        """
+        Whether to generate remediation token on access denied events to this application.
+        """
+        return pulumi.get(self, "remediation_token_generation_enabled")
+
+
+@pulumi.output_type
+class SettingsApplicationSettingsAttributePropagationSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "outputCredentials":
+            suggest = "output_credentials"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsApplicationSettingsAttributePropagationSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsApplicationSettingsAttributePropagationSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsApplicationSettingsAttributePropagationSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 enable: Optional[bool] = None,
+                 expression: Optional[str] = None,
+                 output_credentials: Optional[Sequence[str]] = None):
+        """
+        :param bool enable: Whether the provided attribute propagation settings should be evaluated on user requests.
+               If set to true, attributes returned from the expression will be propagated in the set output credentials.
+        :param str expression: Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can
+               be selected. Expressions can select different attribute types from attributes:
+               attributes.saml_attributes, attributes.iap_attributes.
+        :param Sequence[str] output_credentials: Which output credentials attributes selected by the CEL expression should be propagated in.
+               All attributes will be fully duplicated in each selected output credential.
+               Possible values are:
+               * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
+               * `JWT`: Propagate attributes in the JWT of the form:
+               "additional_claims": { "my_attribute": ["value1", "value2"] }
+               * `RCTOKEN`: Propagate attributes in the RCToken of the form: "
+               additional_claims": { "my_attribute": ["value1", "value2"] }
+               Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`.
+        """
+        if enable is not None:
+            pulumi.set(__self__, "enable", enable)
+        if expression is not None:
+            pulumi.set(__self__, "expression", expression)
+        if output_credentials is not None:
+            pulumi.set(__self__, "output_credentials", output_credentials)
+
+    @property
+    @pulumi.getter
+    def enable(self) -> Optional[bool]:
+        """
+        Whether the provided attribute propagation settings should be evaluated on user requests.
+        If set to true, attributes returned from the expression will be propagated in the set output credentials.
+        """
+        return pulumi.get(self, "enable")
+
+    @property
+    @pulumi.getter
+    def expression(self) -> Optional[str]:
+        """
+        Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can
+        be selected. Expressions can select different attribute types from attributes:
+        attributes.saml_attributes, attributes.iap_attributes.
+        """
+        return pulumi.get(self, "expression")
+
+    @property
+    @pulumi.getter(name="outputCredentials")
+    def output_credentials(self) -> Optional[Sequence[str]]:
+        """
+        Which output credentials attributes selected by the CEL expression should be propagated in.
+        All attributes will be fully duplicated in each selected output credential.
+        Possible values are:
+        * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
+        * `JWT`: Propagate attributes in the JWT of the form:
+        "additional_claims": { "my_attribute": ["value1", "value2"] }
+        * `RCTOKEN`: Propagate attributes in the RCToken of the form: "
+        additional_claims": { "my_attribute": ["value1", "value2"] }
+        Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`.
+        """
+        return pulumi.get(self, "output_credentials")
+
+
+@pulumi.output_type
+class SettingsApplicationSettingsCsmSettings(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "rctokenAud":
+            suggest = "rctoken_aud"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in SettingsApplicationSettingsCsmSettings. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        SettingsApplicationSettingsCsmSettings.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        SettingsApplicationSettingsCsmSettings.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 rctoken_aud: Optional[str] = None):
+        """
+        :param str rctoken_aud: Audience claim set in the generated RCToken. This value is not validated by IAP.
+        """
+        if rctoken_aud is not None:
+            pulumi.set(__self__, "rctoken_aud", rctoken_aud)
+
+    @property
+    @pulumi.getter(name="rctokenAud")
+    def rctoken_aud(self) -> Optional[str]:
+        """
+        Audience claim set in the generated RCToken. This value is not validated by IAP.
+        """
+        return pulumi.get(self, "rctoken_aud")
+
+
 @pulumi.output_type
 class TunnelDestGroupIamBindingCondition(dict):
     def __init__(__self__, *,