Google Cloud v8.21.0, Mar 5 25

Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi

gcp.iap.Settings

Explore with Pulumi AI

Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage

Iap Settings Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const project = gcp.organizations.getProject({});
const defaultHealthCheck = new gcp.compute.HealthCheck("default", {
    name: "iap-bs-health-check",
    checkIntervalSec: 1,
    timeoutSec: 1,
    tcpHealthCheck: {
        port: 80,
    },
});
const _default = new gcp.compute.RegionBackendService("default", {
    name: "iap-settings-tf",
    region: "us-central1",
    healthChecks: defaultHealthCheck.id,
    connectionDrainingTimeoutSec: 10,
    sessionAffinity: "CLIENT_IP",
});
const iapSettings = new gcp.iap.Settings("iap_settings", {
    name: pulumi.all([project, _default.name]).apply(([project, name]) => `projects/${project.number}/iap_web/compute-us-central1/services/${name}`),
    accessSettings: {
        identitySources: ["WORKFORCE_IDENTITY_FEDERATION"],
        allowedDomainsSettings: {
            domains: ["test.abc.com"],
            enable: true,
        },
        corsSettings: {
            allowHttpOptions: true,
        },
        reauthSettings: {
            method: "SECURE_KEY",
            maxAge: "305s",
            policyType: "MINIMUM",
        },
        gcipSettings: {
            loginPageUri: "https://test.com/?apiKey=abc",
        },
        oauthSettings: {
            loginHint: "test",
        },
        workforceIdentitySettings: {
            workforcePools: "wif-pool",
            oauth2: {
                clientId: "test-client-id",
                clientSecret: "test-client-secret",
            },
        },
    },
    applicationSettings: {
        cookieDomain: "test.abc.com",
        csmSettings: {
            rctokenAud: "test-aud-set",
        },
        accessDeniedPageSettings: {
            accessDeniedPageUri: "test-uri",
            generateTroubleshootingUri: true,
            remediationTokenGenerationEnabled: false,
        },
        attributePropagationSettings: {
            outputCredentials: ["HEADER"],
            expression: "attributes.saml_attributes.filter(attribute, attribute.name in [\"test1\", \"test2\"])",
            enable: false,
        },
    },
});

import pulumi
import pulumi_gcp as gcp

project = gcp.organizations.get_project()
default_health_check = gcp.compute.HealthCheck("default",
    name="iap-bs-health-check",
    check_interval_sec=1,
    timeout_sec=1,
    tcp_health_check={
        "port": 80,
    })
default = gcp.compute.RegionBackendService("default",
    name="iap-settings-tf",
    region="us-central1",
    health_checks=default_health_check.id,
    connection_draining_timeout_sec=10,
    session_affinity="CLIENT_IP")
iap_settings = gcp.iap.Settings("iap_settings",
    name=default.name.apply(lambda name: f"projects/{project.number}/iap_web/compute-us-central1/services/{name}"),
    access_settings={
        "identity_sources": ["WORKFORCE_IDENTITY_FEDERATION"],
        "allowed_domains_settings": {
            "domains": ["test.abc.com"],
            "enable": True,
        },
        "cors_settings": {
            "allow_http_options": True,
        },
        "reauth_settings": {
            "method": "SECURE_KEY",
            "max_age": "305s",
            "policy_type": "MINIMUM",
        },
        "gcip_settings": {
            "login_page_uri": "https://test.com/?apiKey=abc",
        },
        "oauth_settings": {
            "login_hint": "test",
        },
        "workforce_identity_settings": {
            "workforce_pools": "wif-pool",
            "oauth2": {
                "client_id": "test-client-id",
                "client_secret": "test-client-secret",
            },
        },
    },
    application_settings={
        "cookie_domain": "test.abc.com",
        "csm_settings": {
            "rctoken_aud": "test-aud-set",
        },
        "access_denied_page_settings": {
            "access_denied_page_uri": "test-uri",
            "generate_troubleshooting_uri": True,
            "remediation_token_generation_enabled": False,
        },
        "attribute_propagation_settings": {
            "output_credentials": ["HEADER"],
            "expression": "attributes.saml_attributes.filter(attribute, attribute.name in [\"test1\", \"test2\"])",
            "enable": False,
        },
    })

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/compute"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iap"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
		if err != nil {
			return err
		}
		defaultHealthCheck, err := compute.NewHealthCheck(ctx, "default", &compute.HealthCheckArgs{
			Name:             pulumi.String("iap-bs-health-check"),
			CheckIntervalSec: pulumi.Int(1),
			TimeoutSec:       pulumi.Int(1),
			TcpHealthCheck: &compute.HealthCheckTcpHealthCheckArgs{
				Port: pulumi.Int(80),
			},
		})
		if err != nil {
			return err
		}
		_default, err := compute.NewRegionBackendService(ctx, "default", &compute.RegionBackendServiceArgs{
			Name:                         pulumi.String("iap-settings-tf"),
			Region:                       pulumi.String("us-central1"),
			HealthChecks:                 defaultHealthCheck.ID(),
			ConnectionDrainingTimeoutSec: pulumi.Int(10),
			SessionAffinity:              pulumi.String("CLIENT_IP"),
		})
		if err != nil {
			return err
		}
		_, err = iap.NewSettings(ctx, "iap_settings", &iap.SettingsArgs{
			Name: _default.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("projects/%v/iap_web/compute-us-central1/services/%v", project.Number, name), nil
			}).(pulumi.StringOutput),
			AccessSettings: &iap.SettingsAccessSettingsArgs{
				IdentitySources: pulumi.StringArray{
					pulumi.String("WORKFORCE_IDENTITY_FEDERATION"),
				},
				AllowedDomainsSettings: &iap.SettingsAccessSettingsAllowedDomainsSettingsArgs{
					Domains: pulumi.StringArray{
						pulumi.String("test.abc.com"),
					},
					Enable: pulumi.Bool(true),
				},
				CorsSettings: &iap.SettingsAccessSettingsCorsSettingsArgs{
					AllowHttpOptions: pulumi.Bool(true),
				},
				ReauthSettings: &iap.SettingsAccessSettingsReauthSettingsArgs{
					Method:     pulumi.String("SECURE_KEY"),
					MaxAge:     pulumi.String("305s"),
					PolicyType: pulumi.String("MINIMUM"),
				},
				GcipSettings: &iap.SettingsAccessSettingsGcipSettingsArgs{
					LoginPageUri: pulumi.String("https://test.com/?apiKey=abc"),
				},
				OauthSettings: &iap.SettingsAccessSettingsOauthSettingsArgs{
					LoginHint: pulumi.String("test"),
				},
				WorkforceIdentitySettings: &iap.SettingsAccessSettingsWorkforceIdentitySettingsArgs{
					WorkforcePools: pulumi.String("wif-pool"),
					Oauth2: &iap.SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args{
						ClientId:     pulumi.String("test-client-id"),
						ClientSecret: pulumi.String("test-client-secret"),
					},
				},
			},
			ApplicationSettings: &iap.SettingsApplicationSettingsArgs{
				CookieDomain: pulumi.String("test.abc.com"),
				CsmSettings: &iap.SettingsApplicationSettingsCsmSettingsArgs{
					RctokenAud: pulumi.String("test-aud-set"),
				},
				AccessDeniedPageSettings: &iap.SettingsApplicationSettingsAccessDeniedPageSettingsArgs{
					AccessDeniedPageUri:               pulumi.String("test-uri"),
					GenerateTroubleshootingUri:        pulumi.Bool(true),
					RemediationTokenGenerationEnabled: pulumi.Bool(false),
				},
				AttributePropagationSettings: &iap.SettingsApplicationSettingsAttributePropagationSettingsArgs{
					OutputCredentials: pulumi.StringArray{
						pulumi.String("HEADER"),
					},
					Expression: pulumi.String("attributes.saml_attributes.filter(attribute, attribute.name in [\"test1\", \"test2\"])"),
					Enable:     pulumi.Bool(false),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var project = Gcp.Organizations.GetProject.Invoke();

    var defaultHealthCheck = new Gcp.Compute.HealthCheck("default", new()
    {
        Name = "iap-bs-health-check",
        CheckIntervalSec = 1,
        TimeoutSec = 1,
        TcpHealthCheck = new Gcp.Compute.Inputs.HealthCheckTcpHealthCheckArgs
        {
            Port = 80,
        },
    });

    var @default = new Gcp.Compute.RegionBackendService("default", new()
    {
        Name = "iap-settings-tf",
        Region = "us-central1",
        HealthChecks = defaultHealthCheck.Id,
        ConnectionDrainingTimeoutSec = 10,
        SessionAffinity = "CLIENT_IP",
    });

    var iapSettings = new Gcp.Iap.Settings("iap_settings", new()
    {
        Name = Output.Tuple(project, @default.Name).Apply(values =>
        {
            var project = values.Item1;
            var name = values.Item2;
            return $"projects/{project.Apply(getProjectResult => getProjectResult.Number)}/iap_web/compute-us-central1/services/{name}";
        }),
        AccessSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsArgs
        {
            IdentitySources = new[]
            {
                "WORKFORCE_IDENTITY_FEDERATION",
            },
            AllowedDomainsSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsAllowedDomainsSettingsArgs
            {
                Domains = new[]
                {
                    "test.abc.com",
                },
                Enable = true,
            },
            CorsSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsCorsSettingsArgs
            {
                AllowHttpOptions = true,
            },
            ReauthSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsReauthSettingsArgs
            {
                Method = "SECURE_KEY",
                MaxAge = "305s",
                PolicyType = "MINIMUM",
            },
            GcipSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsGcipSettingsArgs
            {
                LoginPageUri = "https://test.com/?apiKey=abc",
            },
            OauthSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsOauthSettingsArgs
            {
                LoginHint = "test",
            },
            WorkforceIdentitySettings = new Gcp.Iap.Inputs.SettingsAccessSettingsWorkforceIdentitySettingsArgs
            {
                WorkforcePools = "wif-pool",
                Oauth2 = new Gcp.Iap.Inputs.SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args
                {
                    ClientId = "test-client-id",
                    ClientSecret = "test-client-secret",
                },
            },
        },
        ApplicationSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsArgs
        {
            CookieDomain = "test.abc.com",
            CsmSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsCsmSettingsArgs
            {
                RctokenAud = "test-aud-set",
            },
            AccessDeniedPageSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsAccessDeniedPageSettingsArgs
            {
                AccessDeniedPageUri = "test-uri",
                GenerateTroubleshootingUri = true,
                RemediationTokenGenerationEnabled = false,
            },
            AttributePropagationSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsAttributePropagationSettingsArgs
            {
                OutputCredentials = new[]
                {
                    "HEADER",
                },
                Expression = "attributes.saml_attributes.filter(attribute, attribute.name in [\"test1\", \"test2\"])",
                Enable = false,
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.compute.HealthCheck;
import com.pulumi.gcp.compute.HealthCheckArgs;
import com.pulumi.gcp.compute.inputs.HealthCheckTcpHealthCheckArgs;
import com.pulumi.gcp.compute.RegionBackendService;
import com.pulumi.gcp.compute.RegionBackendServiceArgs;
import com.pulumi.gcp.iap.Settings;
import com.pulumi.gcp.iap.SettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsAllowedDomainsSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsCorsSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsReauthSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsGcipSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsOauthSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsWorkforceIdentitySettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args;
import com.pulumi.gcp.iap.inputs.SettingsApplicationSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsApplicationSettingsCsmSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsApplicationSettingsAccessDeniedPageSettingsArgs;
import com.pulumi.gcp.iap.inputs.SettingsApplicationSettingsAttributePropagationSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var project = OrganizationsFunctions.getProject();

        var defaultHealthCheck = new HealthCheck("defaultHealthCheck", HealthCheckArgs.builder()
            .name("iap-bs-health-check")
            .checkIntervalSec(1)
            .timeoutSec(1)
            .tcpHealthCheck(HealthCheckTcpHealthCheckArgs.builder()
                .port("80")
                .build())
            .build());

        var default_ = new RegionBackendService("default", RegionBackendServiceArgs.builder()
            .name("iap-settings-tf")
            .region("us-central1")
            .healthChecks(defaultHealthCheck.id())
            .connectionDrainingTimeoutSec(10)
            .sessionAffinity("CLIENT_IP")
            .build());

        var iapSettings = new Settings("iapSettings", SettingsArgs.builder()
            .name(default_.name().applyValue(name -> String.format("projects/%s/iap_web/compute-us-central1/services/%s", project.applyValue(getProjectResult -> getProjectResult.number()),name)))
            .accessSettings(SettingsAccessSettingsArgs.builder()
                .identitySources("WORKFORCE_IDENTITY_FEDERATION")
                .allowedDomainsSettings(SettingsAccessSettingsAllowedDomainsSettingsArgs.builder()
                    .domains("test.abc.com")
                    .enable(true)
                    .build())
                .corsSettings(SettingsAccessSettingsCorsSettingsArgs.builder()
                    .allowHttpOptions(true)
                    .build())
                .reauthSettings(SettingsAccessSettingsReauthSettingsArgs.builder()
                    .method("SECURE_KEY")
                    .maxAge("305s")
                    .policyType("MINIMUM")
                    .build())
                .gcipSettings(SettingsAccessSettingsGcipSettingsArgs.builder()
                    .loginPageUri("https://test.com/?apiKey=abc")
                    .build())
                .oauthSettings(SettingsAccessSettingsOauthSettingsArgs.builder()
                    .loginHint("test")
                    .build())
                .workforceIdentitySettings(SettingsAccessSettingsWorkforceIdentitySettingsArgs.builder()
                    .workforcePools("wif-pool")
                    .oauth2(SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args.builder()
                        .clientId("test-client-id")
                        .clientSecret("test-client-secret")
                        .build())
                    .build())
                .build())
            .applicationSettings(SettingsApplicationSettingsArgs.builder()
                .cookieDomain("test.abc.com")
                .csmSettings(SettingsApplicationSettingsCsmSettingsArgs.builder()
                    .rctokenAud("test-aud-set")
                    .build())
                .accessDeniedPageSettings(SettingsApplicationSettingsAccessDeniedPageSettingsArgs.builder()
                    .accessDeniedPageUri("test-uri")
                    .generateTroubleshootingUri(true)
                    .remediationTokenGenerationEnabled(false)
                    .build())
                .attributePropagationSettings(SettingsApplicationSettingsAttributePropagationSettingsArgs.builder()
                    .outputCredentials("HEADER")
                    .expression("attributes.saml_attributes.filter(attribute, attribute.name in [\"test1\", \"test2\"])")
                    .enable(false)
                    .build())
                .build())
            .build());

    }
}

resources:
  default:
    type: gcp:compute:RegionBackendService
    properties:
      name: iap-settings-tf
      region: us-central1
      healthChecks: ${defaultHealthCheck.id}
      connectionDrainingTimeoutSec: 10
      sessionAffinity: CLIENT_IP
  defaultHealthCheck:
    type: gcp:compute:HealthCheck
    name: default
    properties:
      name: iap-bs-health-check
      checkIntervalSec: 1
      timeoutSec: 1
      tcpHealthCheck:
        port: '80'
  iapSettings:
    type: gcp:iap:Settings
    name: iap_settings
    properties:
      name: projects/${project.number}/iap_web/compute-us-central1/services/${default.name}
      accessSettings:
        identitySources:
          - WORKFORCE_IDENTITY_FEDERATION
        allowedDomainsSettings:
          domains:
            - test.abc.com
          enable: true
        corsSettings:
          allowHttpOptions: true
        reauthSettings:
          method: SECURE_KEY
          maxAge: 305s
          policyType: MINIMUM
        gcipSettings:
          loginPageUri: https://test.com/?apiKey=abc
        oauthSettings:
          loginHint: test
        workforceIdentitySettings:
          workforcePools: wif-pool
          oauth2:
            clientId: test-client-id
            clientSecret: test-client-secret
      applicationSettings:
        cookieDomain: test.abc.com
        csmSettings:
          rctokenAud: test-aud-set
        accessDeniedPageSettings:
          accessDeniedPageUri: test-uri
          generateTroubleshootingUri: true
          remediationTokenGenerationEnabled: false
        attributePropagationSettings:
          outputCredentials:
            - HEADER
          expression: attributes.saml_attributes.filter(attribute, attribute.name in ["test1", "test2"])
          enable: false
variables:
  project:
    fn::invoke:
      function: gcp:organizations:getProject
      arguments: {}

Create Settings Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Settings(name: string, args?: SettingsArgs, opts?: CustomResourceOptions);

@overload
def Settings(resource_name: str,
             args: Optional[SettingsArgs] = None,
             opts: Optional[ResourceOptions] = None)

@overload
def Settings(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             access_settings: Optional[SettingsAccessSettingsArgs] = None,
             application_settings: Optional[SettingsApplicationSettingsArgs] = None,
             name: Optional[str] = None)

func NewSettings(ctx *Context, name string, args *SettingsArgs, opts ...ResourceOption) (*Settings, error)

public Settings(string name, SettingsArgs? args = null, CustomResourceOptions? opts = null)

public Settings(String name, SettingsArgs args)
public Settings(String name, SettingsArgs args, CustomResourceOptions options)

type: gcp:iap:Settings
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SettingsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SettingsArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SettingsArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SettingsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SettingsArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var settingsResource = new Gcp.Iap.Settings("settingsResource", new()
{
    AccessSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsArgs
    {
        AllowedDomainsSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsAllowedDomainsSettingsArgs
        {
            Domains = new[]
            {
                "string",
            },
            Enable = false,
        },
        CorsSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsCorsSettingsArgs
        {
            AllowHttpOptions = false,
        },
        GcipSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsGcipSettingsArgs
        {
            LoginPageUri = "string",
            TenantIds = new[]
            {
                "string",
            },
        },
        IdentitySources = new[]
        {
            "string",
        },
        OauthSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsOauthSettingsArgs
        {
            LoginHint = "string",
            ProgrammaticClients = new[]
            {
                "string",
            },
        },
        ReauthSettings = new Gcp.Iap.Inputs.SettingsAccessSettingsReauthSettingsArgs
        {
            MaxAge = "string",
            Method = "string",
            PolicyType = "string",
        },
        WorkforceIdentitySettings = new Gcp.Iap.Inputs.SettingsAccessSettingsWorkforceIdentitySettingsArgs
        {
            Oauth2 = new Gcp.Iap.Inputs.SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args
            {
                ClientId = "string",
                ClientSecret = "string",
                ClientSecretSha256 = "string",
            },
            WorkforcePools = "string",
        },
    },
    ApplicationSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsArgs
    {
        AccessDeniedPageSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsAccessDeniedPageSettingsArgs
        {
            AccessDeniedPageUri = "string",
            GenerateTroubleshootingUri = false,
            RemediationTokenGenerationEnabled = false,
        },
        AttributePropagationSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsAttributePropagationSettingsArgs
        {
            Enable = false,
            Expression = "string",
            OutputCredentials = new[]
            {
                "string",
            },
        },
        CookieDomain = "string",
        CsmSettings = new Gcp.Iap.Inputs.SettingsApplicationSettingsCsmSettingsArgs
        {
            RctokenAud = "string",
        },
    },
    Name = "string",
});

example, err := iap.NewSettings(ctx, "settingsResource", &iap.SettingsArgs{
	AccessSettings: &iap.SettingsAccessSettingsArgs{
		AllowedDomainsSettings: &iap.SettingsAccessSettingsAllowedDomainsSettingsArgs{
			Domains: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enable: pulumi.Bool(false),
		},
		CorsSettings: &iap.SettingsAccessSettingsCorsSettingsArgs{
			AllowHttpOptions: pulumi.Bool(false),
		},
		GcipSettings: &iap.SettingsAccessSettingsGcipSettingsArgs{
			LoginPageUri: pulumi.String("string"),
			TenantIds: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		IdentitySources: pulumi.StringArray{
			pulumi.String("string"),
		},
		OauthSettings: &iap.SettingsAccessSettingsOauthSettingsArgs{
			LoginHint: pulumi.String("string"),
			ProgrammaticClients: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		ReauthSettings: &iap.SettingsAccessSettingsReauthSettingsArgs{
			MaxAge:     pulumi.String("string"),
			Method:     pulumi.String("string"),
			PolicyType: pulumi.String("string"),
		},
		WorkforceIdentitySettings: &iap.SettingsAccessSettingsWorkforceIdentitySettingsArgs{
			Oauth2: &iap.SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args{
				ClientId:           pulumi.String("string"),
				ClientSecret:       pulumi.String("string"),
				ClientSecretSha256: pulumi.String("string"),
			},
			WorkforcePools: pulumi.String("string"),
		},
	},
	ApplicationSettings: &iap.SettingsApplicationSettingsArgs{
		AccessDeniedPageSettings: &iap.SettingsApplicationSettingsAccessDeniedPageSettingsArgs{
			AccessDeniedPageUri:               pulumi.String("string"),
			GenerateTroubleshootingUri:        pulumi.Bool(false),
			RemediationTokenGenerationEnabled: pulumi.Bool(false),
		},
		AttributePropagationSettings: &iap.SettingsApplicationSettingsAttributePropagationSettingsArgs{
			Enable:     pulumi.Bool(false),
			Expression: pulumi.String("string"),
			OutputCredentials: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		CookieDomain: pulumi.String("string"),
		CsmSettings: &iap.SettingsApplicationSettingsCsmSettingsArgs{
			RctokenAud: pulumi.String("string"),
		},
	},
	Name: pulumi.String("string"),
})

var settingsResource = new Settings("settingsResource", SettingsArgs.builder()
    .accessSettings(SettingsAccessSettingsArgs.builder()
        .allowedDomainsSettings(SettingsAccessSettingsAllowedDomainsSettingsArgs.builder()
            .domains("string")
            .enable(false)
            .build())
        .corsSettings(SettingsAccessSettingsCorsSettingsArgs.builder()
            .allowHttpOptions(false)
            .build())
        .gcipSettings(SettingsAccessSettingsGcipSettingsArgs.builder()
            .loginPageUri("string")
            .tenantIds("string")
            .build())
        .identitySources("string")
        .oauthSettings(SettingsAccessSettingsOauthSettingsArgs.builder()
            .loginHint("string")
            .programmaticClients("string")
            .build())
        .reauthSettings(SettingsAccessSettingsReauthSettingsArgs.builder()
            .maxAge("string")
            .method("string")
            .policyType("string")
            .build())
        .workforceIdentitySettings(SettingsAccessSettingsWorkforceIdentitySettingsArgs.builder()
            .oauth2(SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args.builder()
                .clientId("string")
                .clientSecret("string")
                .clientSecretSha256("string")
                .build())
            .workforcePools("string")
            .build())
        .build())
    .applicationSettings(SettingsApplicationSettingsArgs.builder()
        .accessDeniedPageSettings(SettingsApplicationSettingsAccessDeniedPageSettingsArgs.builder()
            .accessDeniedPageUri("string")
            .generateTroubleshootingUri(false)
            .remediationTokenGenerationEnabled(false)
            .build())
        .attributePropagationSettings(SettingsApplicationSettingsAttributePropagationSettingsArgs.builder()
            .enable(false)
            .expression("string")
            .outputCredentials("string")
            .build())
        .cookieDomain("string")
        .csmSettings(SettingsApplicationSettingsCsmSettingsArgs.builder()
            .rctokenAud("string")
            .build())
        .build())
    .name("string")
    .build());

settings_resource = gcp.iap.Settings("settingsResource",
    access_settings={
        "allowed_domains_settings": {
            "domains": ["string"],
            "enable": False,
        },
        "cors_settings": {
            "allow_http_options": False,
        },
        "gcip_settings": {
            "login_page_uri": "string",
            "tenant_ids": ["string"],
        },
        "identity_sources": ["string"],
        "oauth_settings": {
            "login_hint": "string",
            "programmatic_clients": ["string"],
        },
        "reauth_settings": {
            "max_age": "string",
            "method": "string",
            "policy_type": "string",
        },
        "workforce_identity_settings": {
            "oauth2": {
                "client_id": "string",
                "client_secret": "string",
                "client_secret_sha256": "string",
            },
            "workforce_pools": "string",
        },
    },
    application_settings={
        "access_denied_page_settings": {
            "access_denied_page_uri": "string",
            "generate_troubleshooting_uri": False,
            "remediation_token_generation_enabled": False,
        },
        "attribute_propagation_settings": {
            "enable": False,
            "expression": "string",
            "output_credentials": ["string"],
        },
        "cookie_domain": "string",
        "csm_settings": {
            "rctoken_aud": "string",
        },
    },
    name="string")

const settingsResource = new gcp.iap.Settings("settingsResource", {
    accessSettings: {
        allowedDomainsSettings: {
            domains: ["string"],
            enable: false,
        },
        corsSettings: {
            allowHttpOptions: false,
        },
        gcipSettings: {
            loginPageUri: "string",
            tenantIds: ["string"],
        },
        identitySources: ["string"],
        oauthSettings: {
            loginHint: "string",
            programmaticClients: ["string"],
        },
        reauthSettings: {
            maxAge: "string",
            method: "string",
            policyType: "string",
        },
        workforceIdentitySettings: {
            oauth2: {
                clientId: "string",
                clientSecret: "string",
                clientSecretSha256: "string",
            },
            workforcePools: "string",
        },
    },
    applicationSettings: {
        accessDeniedPageSettings: {
            accessDeniedPageUri: "string",
            generateTroubleshootingUri: false,
            remediationTokenGenerationEnabled: false,
        },
        attributePropagationSettings: {
            enable: false,
            expression: "string",
            outputCredentials: ["string"],
        },
        cookieDomain: "string",
        csmSettings: {
            rctokenAud: "string",
        },
    },
    name: "string",
});

type: gcp:iap:Settings
properties:
    accessSettings:
        allowedDomainsSettings:
            domains:
                - string
            enable: false
        corsSettings:
            allowHttpOptions: false
        gcipSettings:
            loginPageUri: string
            tenantIds:
                - string
        identitySources:
            - string
        oauthSettings:
            loginHint: string
            programmaticClients:
                - string
        reauthSettings:
            maxAge: string
            method: string
            policyType: string
        workforceIdentitySettings:
            oauth2:
                clientId: string
                clientSecret: string
                clientSecretSha256: string
            workforcePools: string
    applicationSettings:
        accessDeniedPageSettings:
            accessDeniedPageUri: string
            generateTroubleshootingUri: false
            remediationTokenGenerationEnabled: false
        attributePropagationSettings:
            enable: false
            expression: string
            outputCredentials:
                - string
        cookieDomain: string
        csmSettings:
            rctokenAud: string
    name: string

Settings Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Settings resource accepts the following input properties:

AccessSettings SettingsAccessSettings

Top level wrapper for all access related setting in IAP. Structure is documented below.

ApplicationSettings SettingsApplicationSettings

Top level wrapper for all application related settings in IAP. Structure is documented below.

Name string

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

AccessSettings SettingsAccessSettingsArgs

Top level wrapper for all access related setting in IAP. Structure is documented below.

ApplicationSettings SettingsApplicationSettingsArgs

Top level wrapper for all application related settings in IAP. Structure is documented below.

Name string

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

accessSettings SettingsAccessSettings

Top level wrapper for all access related setting in IAP. Structure is documented below.

applicationSettings SettingsApplicationSettings

Top level wrapper for all application related settings in IAP. Structure is documented below.

name String

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

accessSettings SettingsAccessSettings

Top level wrapper for all access related setting in IAP. Structure is documented below.

applicationSettings SettingsApplicationSettings

Top level wrapper for all application related settings in IAP. Structure is documented below.

name string

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

access_settings SettingsAccessSettingsArgs

Top level wrapper for all access related setting in IAP. Structure is documented below.

application_settings SettingsApplicationSettingsArgs

Top level wrapper for all application related settings in IAP. Structure is documented below.

name str

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

accessSettings Property Map

Top level wrapper for all access related setting in IAP. Structure is documented below.

applicationSettings Property Map

Top level wrapper for all application related settings in IAP. Structure is documented below.

name String

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

Outputs

All input properties are implicitly available as output properties. Additionally, the Settings resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Settings Resource

Get an existing Settings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SettingsState, opts?: CustomResourceOptions): Settings

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_settings: Optional[SettingsAccessSettingsArgs] = None,
        application_settings: Optional[SettingsApplicationSettingsArgs] = None,
        name: Optional[str] = None) -> Settings

func GetSettings(ctx *Context, name string, id IDInput, state *SettingsState, opts ...ResourceOption) (*Settings, error)

public static Settings Get(string name, Input<string> id, SettingsState? state, CustomResourceOptions? opts = null)

public static Settings get(String name, Output<String> id, SettingsState state, CustomResourceOptions options)

resources:  _:    type: gcp:iap:Settings    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessSettings SettingsAccessSettings

Top level wrapper for all access related setting in IAP. Structure is documented below.

ApplicationSettings SettingsApplicationSettings

Top level wrapper for all application related settings in IAP. Structure is documented below.

Name string

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

AccessSettings SettingsAccessSettingsArgs

Top level wrapper for all access related setting in IAP. Structure is documented below.

ApplicationSettings SettingsApplicationSettingsArgs

Top level wrapper for all application related settings in IAP. Structure is documented below.

Name string

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

accessSettings SettingsAccessSettings

Top level wrapper for all access related setting in IAP. Structure is documented below.

applicationSettings SettingsApplicationSettings

Top level wrapper for all application related settings in IAP. Structure is documented below.

name String

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

accessSettings SettingsAccessSettings

Top level wrapper for all access related setting in IAP. Structure is documented below.

applicationSettings SettingsApplicationSettings

Top level wrapper for all application related settings in IAP. Structure is documented below.

name string

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

access_settings SettingsAccessSettingsArgs

Top level wrapper for all access related setting in IAP. Structure is documented below.

application_settings SettingsApplicationSettingsArgs

Top level wrapper for all application related settings in IAP. Structure is documented below.

name str

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

accessSettings Property Map

Top level wrapper for all access related setting in IAP. Structure is documented below.

applicationSettings Property Map

Top level wrapper for all application related settings in IAP. Structure is documented below.

name String

The resource name of the IAP protected resource. Name can have below resources:

organizations/{organization_id}
folders/{folder_id}
projects/{project_id}
projects/{project_id}/iap_web
projects/{project_id}/iap_web/compute
projects/{project_id}/iap_web/compute-{region}
projects/{project_id}/iap_web/compute/services/{service_id}
projects/{project_id}/iap_web/compute-{region}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}
projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id}

Supporting Types

SettingsAccessSettings, SettingsAccessSettingsArgs

AllowedDomainsSettings SettingsAccessSettingsAllowedDomainsSettings

Settings to configure and enable allowed domains. Structure is documented below.

CorsSettings SettingsAccessSettingsCorsSettings

Configuration to allow cross-origin requests via IAP. Structure is documented below.

GcipSettings SettingsAccessSettingsGcipSettings

GCIP claims and endpoint configurations for 3p identity providers.

Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is documented below.

IdentitySources List<string>

Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are:

WORKFORCE_IDENTITY_FEDERATION: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: WORKFORCE_IDENTITY_FEDERATION.

OauthSettings SettingsAccessSettingsOauthSettings

Settings to configure IAP's OAuth behavior. Structure is documented below.

ReauthSettings SettingsAccessSettingsReauthSettings

Settings to configure reauthentication policies in IAP. Structure is documented below.

WorkforceIdentitySettings SettingsAccessSettingsWorkforceIdentitySettings

Settings to configure the workforce identity federation, including workforce pools and OAuth 2.0 settings. Structure is documented below.

AllowedDomainsSettings SettingsAccessSettingsAllowedDomainsSettings

Settings to configure and enable allowed domains. Structure is documented below.

CorsSettings SettingsAccessSettingsCorsSettings

Configuration to allow cross-origin requests via IAP. Structure is documented below.

GcipSettings SettingsAccessSettingsGcipSettings

GCIP claims and endpoint configurations for 3p identity providers.

Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is documented below.

IdentitySources []string

Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are:

WORKFORCE_IDENTITY_FEDERATION: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: WORKFORCE_IDENTITY_FEDERATION.

OauthSettings SettingsAccessSettingsOauthSettings

Settings to configure IAP's OAuth behavior. Structure is documented below.

ReauthSettings SettingsAccessSettingsReauthSettings

Settings to configure reauthentication policies in IAP. Structure is documented below.

WorkforceIdentitySettings SettingsAccessSettingsWorkforceIdentitySettings

Settings to configure the workforce identity federation, including workforce pools and OAuth 2.0 settings. Structure is documented below.

allowedDomainsSettings SettingsAccessSettingsAllowedDomainsSettings

Settings to configure and enable allowed domains. Structure is documented below.

corsSettings SettingsAccessSettingsCorsSettings

Configuration to allow cross-origin requests via IAP. Structure is documented below.

gcipSettings SettingsAccessSettingsGcipSettings

GCIP claims and endpoint configurations for 3p identity providers.

Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is documented below.

identitySources List<String>

Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are:

WORKFORCE_IDENTITY_FEDERATION: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: WORKFORCE_IDENTITY_FEDERATION.

oauthSettings SettingsAccessSettingsOauthSettings

Settings to configure IAP's OAuth behavior. Structure is documented below.

reauthSettings SettingsAccessSettingsReauthSettings

Settings to configure reauthentication policies in IAP. Structure is documented below.

workforceIdentitySettings SettingsAccessSettingsWorkforceIdentitySettings

Settings to configure the workforce identity federation, including workforce pools and OAuth 2.0 settings. Structure is documented below.

allowedDomainsSettings SettingsAccessSettingsAllowedDomainsSettings

Settings to configure and enable allowed domains. Structure is documented below.

corsSettings SettingsAccessSettingsCorsSettings

Configuration to allow cross-origin requests via IAP. Structure is documented below.

gcipSettings SettingsAccessSettingsGcipSettings

GCIP claims and endpoint configurations for 3p identity providers.

Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is documented below.

identitySources string[]

Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are:

WORKFORCE_IDENTITY_FEDERATION: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: WORKFORCE_IDENTITY_FEDERATION.

oauthSettings SettingsAccessSettingsOauthSettings

Settings to configure IAP's OAuth behavior. Structure is documented below.

reauthSettings SettingsAccessSettingsReauthSettings

Settings to configure reauthentication policies in IAP. Structure is documented below.

workforceIdentitySettings SettingsAccessSettingsWorkforceIdentitySettings

Settings to configure the workforce identity federation, including workforce pools and OAuth 2.0 settings. Structure is documented below.

allowed_domains_settings SettingsAccessSettingsAllowedDomainsSettings

Settings to configure and enable allowed domains. Structure is documented below.

cors_settings SettingsAccessSettingsCorsSettings

Configuration to allow cross-origin requests via IAP. Structure is documented below.

gcip_settings SettingsAccessSettingsGcipSettings

GCIP claims and endpoint configurations for 3p identity providers.

Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is documented below.

identity_sources Sequence[str]

Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are:

WORKFORCE_IDENTITY_FEDERATION: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: WORKFORCE_IDENTITY_FEDERATION.

oauth_settings SettingsAccessSettingsOauthSettings

Settings to configure IAP's OAuth behavior. Structure is documented below.

reauth_settings SettingsAccessSettingsReauthSettings

Settings to configure reauthentication policies in IAP. Structure is documented below.

workforce_identity_settings SettingsAccessSettingsWorkforceIdentitySettings

Settings to configure the workforce identity federation, including workforce pools and OAuth 2.0 settings. Structure is documented below.

allowedDomainsSettings Property Map

Settings to configure and enable allowed domains. Structure is documented below.

corsSettings Property Map

Configuration to allow cross-origin requests via IAP. Structure is documented below.

gcipSettings Property Map

GCIP claims and endpoint configurations for 3p identity providers.

Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is documented below.

identitySources List<String>

Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are:

WORKFORCE_IDENTITY_FEDERATION: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: WORKFORCE_IDENTITY_FEDERATION.

oauthSettings Property Map

Settings to configure IAP's OAuth behavior. Structure is documented below.

reauthSettings Property Map

Settings to configure reauthentication policies in IAP. Structure is documented below.

workforceIdentitySettings Property Map

Settings to configure the workforce identity federation, including workforce pools and OAuth 2.0 settings. Structure is documented below.

SettingsAccessSettingsAllowedDomainsSettings, SettingsAccessSettingsAllowedDomainsSettingsArgs

Domains List<string>: List of trusted domains.
Enable bool: Configuration for customers to opt in for the feature.

Domains []string: List of trusted domains.
Enable bool: Configuration for customers to opt in for the feature.

domains List<String>: List of trusted domains.
enable Boolean: Configuration for customers to opt in for the feature.

domains string[]: List of trusted domains.
enable boolean: Configuration for customers to opt in for the feature.

domains Sequence[str]: List of trusted domains.
enable bool: Configuration for customers to opt in for the feature.

domains List<String>: List of trusted domains.
enable Boolean: Configuration for customers to opt in for the feature.

SettingsAccessSettingsCorsSettings, SettingsAccessSettingsCorsSettingsArgs

AllowHttpOptions bool: Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

AllowHttpOptions bool: Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

allowHttpOptions Boolean: Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

allowHttpOptions boolean: Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

allow_http_options bool: Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

allowHttpOptions Boolean: Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

SettingsAccessSettingsGcipSettings, SettingsAccessSettingsGcipSettingsArgs

LoginPageUri string: Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.
TenantIds List<string>: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.

LoginPageUri string: Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.
TenantIds []string: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.

loginPageUri String: Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.
tenantIds List<String>: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.

loginPageUri string: Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.
tenantIds string[]: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.

login_page_uri str: Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.
tenant_ids Sequence[str]: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.

loginPageUri String: Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.
tenantIds List<String>: GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.

SettingsAccessSettingsOauthSettings, SettingsAccessSettingsOauthSettingsArgs

LoginHint string

Domain hint to send as hd=? parameter in OAuth request flow. Enables redirect to primary IDP by skipping Google's login screen. (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param) Note: IAP does not verify that the id token's hd claim matches this value since access behavior is managed by IAM policies.

loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.

ProgrammaticClients List<string>

List of client ids allowed to use IAP programmatically.

LoginHint string

loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.

ProgrammaticClients []string

List of client ids allowed to use IAP programmatically.

loginHint String

loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.

programmaticClients List<String>

List of client ids allowed to use IAP programmatically.

loginHint string

loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.

programmaticClients string[]

List of client ids allowed to use IAP programmatically.

login_hint str

loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.

programmatic_clients Sequence[str]

List of client ids allowed to use IAP programmatically.

loginHint String

loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.

programmaticClients List<String>

List of client ids allowed to use IAP programmatically.

SettingsAccessSettingsReauthSettings, SettingsAccessSettingsReauthSettingsArgs

MaxAge string

Reauth session lifetime, how long before a user has to reauthenticate again. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Method string

Reauth method requested. The possible values are:

LOGIN: Prompts the user to log in again.
SECURE_KEY: User must use their secure key 2nd factor device.
ENROLLED_SECOND_FACTORS: User can use any enabled 2nd factor. Possible values are: LOGIN, SECURE_KEY, ENROLLED_SECOND_FACTORS.

PolicyType string

How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are:

MINIMUM: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT: This policy acts as a default if no other reauth policy is set. Possible values are: MINIMUM, DEFAULT.

MaxAge string

Reauth session lifetime, how long before a user has to reauthenticate again. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Method string

Reauth method requested. The possible values are:

LOGIN: Prompts the user to log in again.
SECURE_KEY: User must use their secure key 2nd factor device.
ENROLLED_SECOND_FACTORS: User can use any enabled 2nd factor. Possible values are: LOGIN, SECURE_KEY, ENROLLED_SECOND_FACTORS.

PolicyType string

How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are:

MINIMUM: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT: This policy acts as a default if no other reauth policy is set. Possible values are: MINIMUM, DEFAULT.

maxAge String

Reauth session lifetime, how long before a user has to reauthenticate again. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

method String

Reauth method requested. The possible values are:

LOGIN: Prompts the user to log in again.
SECURE_KEY: User must use their secure key 2nd factor device.
ENROLLED_SECOND_FACTORS: User can use any enabled 2nd factor. Possible values are: LOGIN, SECURE_KEY, ENROLLED_SECOND_FACTORS.

policyType String

How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are:

MINIMUM: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT: This policy acts as a default if no other reauth policy is set. Possible values are: MINIMUM, DEFAULT.

maxAge string

Reauth session lifetime, how long before a user has to reauthenticate again. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

method string

Reauth method requested. The possible values are:

LOGIN: Prompts the user to log in again.
SECURE_KEY: User must use their secure key 2nd factor device.
ENROLLED_SECOND_FACTORS: User can use any enabled 2nd factor. Possible values are: LOGIN, SECURE_KEY, ENROLLED_SECOND_FACTORS.

policyType string

How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are:

MINIMUM: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT: This policy acts as a default if no other reauth policy is set. Possible values are: MINIMUM, DEFAULT.

max_age str

Reauth session lifetime, how long before a user has to reauthenticate again. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

method str

Reauth method requested. The possible values are:

LOGIN: Prompts the user to log in again.
SECURE_KEY: User must use their secure key 2nd factor device.
ENROLLED_SECOND_FACTORS: User can use any enabled 2nd factor. Possible values are: LOGIN, SECURE_KEY, ENROLLED_SECOND_FACTORS.

policy_type str

How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are:

MINIMUM: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT: This policy acts as a default if no other reauth policy is set. Possible values are: MINIMUM, DEFAULT.

maxAge String

Reauth session lifetime, how long before a user has to reauthenticate again. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

method String

Reauth method requested. The possible values are:

LOGIN: Prompts the user to log in again.
SECURE_KEY: User must use their secure key 2nd factor device.
ENROLLED_SECOND_FACTORS: User can use any enabled 2nd factor. Possible values are: LOGIN, SECURE_KEY, ENROLLED_SECOND_FACTORS.

policyType String

How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are:

MINIMUM: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT: This policy acts as a default if no other reauth policy is set. Possible values are: MINIMUM, DEFAULT.

SettingsAccessSettingsWorkforceIdentitySettings, SettingsAccessSettingsWorkforceIdentitySettingsArgs

Oauth2 SettingsAccessSettingsWorkforceIdentitySettingsOauth2

OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is documented below.

The oauth2 block supports:

WorkforcePools string

The workforce pool resources. Only one workforce pool is accepted.

Oauth2 SettingsAccessSettingsWorkforceIdentitySettingsOauth2

OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is documented below.

The oauth2 block supports:

WorkforcePools string

The workforce pool resources. Only one workforce pool is accepted.

oauth2 SettingsAccessSettingsWorkforceIdentitySettingsOauth2

OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is documented below.

The oauth2 block supports:

workforcePools String

The workforce pool resources. Only one workforce pool is accepted.

oauth2 SettingsAccessSettingsWorkforceIdentitySettingsOauth2

OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is documented below.

The oauth2 block supports:

workforcePools string

The workforce pool resources. Only one workforce pool is accepted.

oauth2 SettingsAccessSettingsWorkforceIdentitySettingsOauth2

OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is documented below.

The oauth2 block supports:

workforce_pools str

The workforce pool resources. Only one workforce pool is accepted.

oauth2 Property Map

OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is documented below.

The oauth2 block supports:

workforcePools String

The workforce pool resources. Only one workforce pool is accepted.

SettingsAccessSettingsWorkforceIdentitySettingsOauth2, SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args

ClientId string: The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server.
ClientSecret string: Input only. The OAuth 2.0 client secret created while registering the client ID.
ClientSecretSha256 string: Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved.

ClientId string: The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server.
ClientSecret string: Input only. The OAuth 2.0 client secret created while registering the client ID.
ClientSecretSha256 string: Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved.

clientId String: The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server.
clientSecret String: Input only. The OAuth 2.0 client secret created while registering the client ID.
clientSecretSha256 String: Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved.

clientId string: The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server.
clientSecret string: Input only. The OAuth 2.0 client secret created while registering the client ID.
clientSecretSha256 string: Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved.

client_id str: The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server.
client_secret str: Input only. The OAuth 2.0 client secret created while registering the client ID.
client_secret_sha256 str: Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved.

clientId String: The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server.
clientSecret String: Input only. The OAuth 2.0 client secret created while registering the client ID.
clientSecretSha256 String: Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved.

SettingsApplicationSettings, SettingsApplicationSettingsArgs

AccessDeniedPageSettings SettingsApplicationSettingsAccessDeniedPageSettings: Customization for Access Denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead. Structure is documented below.
AttributePropagationSettings SettingsApplicationSettingsAttributePropagationSettings: Settings to configure attribute propagation. Structure is documented below.
CookieDomain string: The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
CsmSettings SettingsApplicationSettingsCsmSettings: Settings to configure IAP's behavior for a service mesh. Structure is documented below.

AccessDeniedPageSettings SettingsApplicationSettingsAccessDeniedPageSettings: Customization for Access Denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead. Structure is documented below.
AttributePropagationSettings SettingsApplicationSettingsAttributePropagationSettings: Settings to configure attribute propagation. Structure is documented below.
CookieDomain string: The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
CsmSettings SettingsApplicationSettingsCsmSettings: Settings to configure IAP's behavior for a service mesh. Structure is documented below.

accessDeniedPageSettings SettingsApplicationSettingsAccessDeniedPageSettings: Customization for Access Denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead. Structure is documented below.
attributePropagationSettings SettingsApplicationSettingsAttributePropagationSettings: Settings to configure attribute propagation. Structure is documented below.
cookieDomain String: The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
csmSettings SettingsApplicationSettingsCsmSettings: Settings to configure IAP's behavior for a service mesh. Structure is documented below.

accessDeniedPageSettings SettingsApplicationSettingsAccessDeniedPageSettings: Customization for Access Denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead. Structure is documented below.
attributePropagationSettings SettingsApplicationSettingsAttributePropagationSettings: Settings to configure attribute propagation. Structure is documented below.
cookieDomain string: The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
csmSettings SettingsApplicationSettingsCsmSettings: Settings to configure IAP's behavior for a service mesh. Structure is documented below.

access_denied_page_settings SettingsApplicationSettingsAccessDeniedPageSettings: Customization for Access Denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead. Structure is documented below.
attribute_propagation_settings SettingsApplicationSettingsAttributePropagationSettings: Settings to configure attribute propagation. Structure is documented below.
cookie_domain str: The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
csm_settings SettingsApplicationSettingsCsmSettings: Settings to configure IAP's behavior for a service mesh. Structure is documented below.

accessDeniedPageSettings Property Map: Customization for Access Denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead. Structure is documented below.
attributePropagationSettings Property Map: Settings to configure attribute propagation. Structure is documented below.
cookieDomain String: The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
csmSettings Property Map: Settings to configure IAP's behavior for a service mesh. Structure is documented below.

SettingsApplicationSettingsAccessDeniedPageSettings, SettingsApplicationSettingsAccessDeniedPageSettingsArgs

AccessDeniedPageUri string: The URI to be redirected to when access is denied.
GenerateTroubleshootingUri bool: Whether to generate a troubleshooting URL on access denied events to this application.
RemediationTokenGenerationEnabled bool: Whether to generate remediation token on access denied events to this application.

AccessDeniedPageUri string: The URI to be redirected to when access is denied.
GenerateTroubleshootingUri bool: Whether to generate a troubleshooting URL on access denied events to this application.
RemediationTokenGenerationEnabled bool: Whether to generate remediation token on access denied events to this application.

accessDeniedPageUri String: The URI to be redirected to when access is denied.
generateTroubleshootingUri Boolean: Whether to generate a troubleshooting URL on access denied events to this application.
remediationTokenGenerationEnabled Boolean: Whether to generate remediation token on access denied events to this application.

accessDeniedPageUri string: The URI to be redirected to when access is denied.
generateTroubleshootingUri boolean: Whether to generate a troubleshooting URL on access denied events to this application.
remediationTokenGenerationEnabled boolean: Whether to generate remediation token on access denied events to this application.

access_denied_page_uri str: The URI to be redirected to when access is denied.
generate_troubleshooting_uri bool: Whether to generate a troubleshooting URL on access denied events to this application.
remediation_token_generation_enabled bool: Whether to generate remediation token on access denied events to this application.

accessDeniedPageUri String: The URI to be redirected to when access is denied.
generateTroubleshootingUri Boolean: Whether to generate a troubleshooting URL on access denied events to this application.
remediationTokenGenerationEnabled Boolean: Whether to generate remediation token on access denied events to this application.

SettingsApplicationSettingsAttributePropagationSettings, SettingsApplicationSettingsAttributePropagationSettingsArgs

Enable bool

Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.

Expression string

Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can be selected. Expressions can select different attribute types from attributes: attributes.saml_attributes, attributes.iap_attributes.

OutputCredentials List<string>

Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are:

HEADER: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
JWT: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }
RCTOKEN: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: HEADER, JWT, RCTOKEN.

Enable bool

Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.

Expression string

OutputCredentials []string

Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are:

HEADER: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
JWT: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }
RCTOKEN: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: HEADER, JWT, RCTOKEN.

enable Boolean

Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.

expression String

outputCredentials List<String>

Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are:

HEADER: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
JWT: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }
RCTOKEN: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: HEADER, JWT, RCTOKEN.

enable boolean

Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.

expression string

outputCredentials string[]

Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are:

HEADER: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
JWT: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }
RCTOKEN: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: HEADER, JWT, RCTOKEN.

enable bool

Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.

expression str

output_credentials Sequence[str]

Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are:

HEADER: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
JWT: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }
RCTOKEN: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: HEADER, JWT, RCTOKEN.

enable Boolean

Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.

expression String

outputCredentials List<String>

Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are:

HEADER: Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
JWT: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] }
RCTOKEN: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: HEADER, JWT, RCTOKEN.

SettingsApplicationSettingsCsmSettings, SettingsApplicationSettingsCsmSettingsArgs

RctokenAud string: Audience claim set in the generated RCToken. This value is not validated by IAP.

RctokenAud string: Audience claim set in the generated RCToken. This value is not validated by IAP.

rctokenAud String: Audience claim set in the generated RCToken. This value is not validated by IAP.

rctokenAud string: Audience claim set in the generated RCToken. This value is not validated by IAP.

rctoken_aud str: Audience claim set in the generated RCToken. This value is not validated by IAP.

rctokenAud String: Audience claim set in the generated RCToken. This value is not validated by IAP.

Import

Settings can be imported using any of these accepted formats:

{{name}}/iapSettings
{{name}}

When using the pulumi import command, Settings can be imported using one of the formats above. For example:

$ pulumi import gcp:iap/settings:Settings default {{name}}/iapSettings

$ pulumi import gcp:iap/settings:Settings default {{name}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi

pulumi/pulumi-gcp

gcp.iap.Settings

On this page

On this page

Example Usage

Iap Settings Basic

Create Settings Resource

Constructor syntax

Parameters

Constructor example

Settings Resource Properties

Inputs

Outputs

Look up Existing Settings Resource

Supporting Types

SettingsAccessSettings, SettingsAccessSettingsArgs

SettingsAccessSettingsAllowedDomainsSettings, SettingsAccessSettingsAllowedDomainsSettingsArgs

SettingsAccessSettingsCorsSettings, SettingsAccessSettingsCorsSettingsArgs

SettingsAccessSettingsGcipSettings, SettingsAccessSettingsGcipSettingsArgs

SettingsAccessSettingsOauthSettings, SettingsAccessSettingsOauthSettingsArgs

SettingsAccessSettingsReauthSettings, SettingsAccessSettingsReauthSettingsArgs

SettingsAccessSettingsWorkforceIdentitySettings, SettingsAccessSettingsWorkforceIdentitySettingsArgs

SettingsAccessSettingsWorkforceIdentitySettingsOauth2, SettingsAccessSettingsWorkforceIdentitySettingsOauth2Args

SettingsApplicationSettings, SettingsApplicationSettingsArgs

SettingsApplicationSettingsAccessDeniedPageSettings, SettingsApplicationSettingsAccessDeniedPageSettingsArgs

SettingsApplicationSettingsAttributePropagationSettings, SettingsApplicationSettingsAttributePropagationSettingsArgs

SettingsApplicationSettingsCsmSettings, SettingsApplicationSettingsCsmSettingsArgs

Import

Package Details

On this page

On this page