release_tracks: [ALPHA, BETA, GA]
help_text:
  brief: Add IAM policy binding for an organization
  description: |
    Adds a policy binding to the IAM policy of an organization, given an organization ID and the
    binding. One binding consists of a member, a role, and an optional condition.

  examples: |
    To add an IAM policy binding with the role of 'roles/editor' for the user 'test-user@example.com'
    on an organization with identifier 'example-organization-id-1', run:

        $ {command} example-organization-id-1 --member='user:test-user@example.com' --role='roles/editor'

    To add an IAM policy binding with the role of 'roles/editor' for the service account
    'my-iam-account@my-project.iam.gserviceaccount.com' on an organization with identifier
    'example-organization-id-1', run:

        $ {command} example-organization-id-1 --member='serviceAccount:my-iam-account@my-project.iam.gserviceaccount.com' --role='roles/editor'

    To add an IAM policy binding which expires at the end of the year 2018 for the role of
    'roles/browser' and the user 'test-user@example.com' on an organization with identifier
    'example-organization-id-1', run:

        $ {command} example-organization-id-1 --member='user:test-user@example.com' --role='roles/browser' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,description=Expires at midnight on 2018-12-31'

    See https://cloud.google.com/iam/docs/managing-policies for details of
    policy role and member types.

request:
  collection: cloudresourcemanager.organizations

arguments:
  resource:
    help_text: The organization to add the IAM policy binding.
    spec: !REF googlecloudsdk.command_lib.organizations.resources:organization

iam:
  enable_condition: true
  policy_version: 3
  get_iam_policy_version_path: getIamPolicyRequest.options.requestedPolicyVersion