Access configuration defaults to using the separate `google_bigquery_dataset_access` resource, so as to leave the default dataset access rules untouched.
You can choose to manage the `google_bigquery_dataset` access rules instead via the `dataset_access` variable, but be sure to always have at least one `OWNER` access and to avoid duplicating accesses, or `terraform apply` will fail.
The access variables are split into `access` and `access_identities` variables, so that dynamic values can be passed in for identities (e.g. a service account email generated by a different module or resource).
Access configuration can also be specified via IAM instead of basic roles via the `iam` variable. When using IAM, basic roles cannot be used via the `access` family variables.
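
A pre-apply check for the constraints described above (matching keys in `access` and `access_identities`, no duplicate accesses, at least one `OWNER` when `dataset_access` is set, `iam` exclusive with the basic-role variables), plus the `project_id|dataset_id|table_id` view identity format the module documents for `access_identities`. This is an added example, not part of the module: `lint_access`, the sample identities, and passing the module inputs as a Python dict are assumptions.

```python
import re

# Identity types the page lists for the `access` variable.
ACCESS_TYPES = {"domain", "group", "special_group", "user", "view"}
# View identities are documented as 'project_id|dataset_id|table_id'.
VIEW_IDENTITY = re.compile(r"^[^|\s]+\|[^|\s]+\|[^|\s]+$")

def lint_access(inputs):
    """Return findings for the module's access inputs (empty list = clean)."""
    access = inputs.get("access", {})
    identities = inputs.get("access_identities", {})
    findings, seen = [], {}
    # `iam` is mutually exclusive with the basic-role variables.
    if inputs.get("iam") and (access or identities):
        findings.append("iam set together with access/access_identities")
    # Keys are arbitrary but must match between the two maps.
    for key in sorted(set(access) ^ set(identities)):
        findings.append(f"{key}: missing from access or access_identities")
    for key in sorted(set(access) & set(identities)):
        rule, identity = access[key], identities[key]
        if rule["type"] not in ACCESS_TYPES:
            findings.append(f"{key}: unsupported type {rule['type']!r}")
        elif rule["type"] == "view" and not VIEW_IDENTITY.match(identity):
            findings.append(f"{key}: view identity is not project|dataset|table")
        # The same role/type/identity under two keys is a duplicate access.
        grant = (rule["role"], rule["type"], identity)
        if grant in seen:
            findings.append(f"{key}: duplicates {seen[grant]}")
        seen.setdefault(grant, key)
    # Managing access inside the dataset resource needs an OWNER entry.
    if inputs.get("dataset_access") and not any(g[0] == "OWNER" for g in seen):
        findings.append("dataset_access is true but no OWNER access is defined")
    return findings

# Constructed sample inputs (hypothetical identities and view name).
SAMPLE = {
    "dataset_access": True,
    "access": {
        "readers": {"role": "READER", "type": "group"},
        "readers_again": {"role": "READER", "type": "group"},
        "view_1": {"role": "READER", "type": "view"},
        "orphan": {"role": "WRITER", "type": "user"},
    },
    "access_identities": {
        "readers": "analysts@example.com",
        "readers_again": "analysts@example.com",
        "view_1": "my-project.my_dataset.view_id_1",  # wrong separator
    },
}
```

Calling `lint_access(SAMPLE)` reports the unmatched key, the duplicate grant, the malformed view identity and the missing `OWNER`, each of which would otherwise surface only when `terraform apply` fails.
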
You can specify authorized [views](https://cloud.google.com/bigquery/docs/authorized-views), [datasets](https://cloud.google.com/bigquery/docs/authorized-datasets?hl=en), and [routines](https://cloud.google.com/bigquery/docs/authorized-routines) via the `authorized_views`, `authorized_datasets` and `authorized_routines` variables, respectively.
```hcl
// Create private BigQuery dataset that will not be publicly accessible, except via the authorized BigQuery resources
```
Authorized views can be specified using both the standard `access` options and the `authorized_views` blocks. The example configuration below uses both blocks, and will create a dataset with three authorized views: `view_id_1`, `view_id_2`, and `view_id_3`.

To create views, use the `view` variable. If you're querying a table created by the same module, `terraform apply` will initially fail and eventually succeed once the underlying table has been created. You can probably also use the module's output in the view's query to create a dependency on the table.

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [access](variables.tf#L17) | Map of access rules with role and identity type. Keys are arbitrary and must match those in the `access_identities` variable, types are `domain`, `group`, `special_group`, `user`, `view`. | <code title="map(object({ role = string type = string }))">map(object({…}))</code> | | <code>{}</code> |
| [access_identities](variables.tf#L33) | Map of access identities used for basic access roles. View identities have the format 'project_id\|dataset_id\|table_id'. | <code>map(string)</code> | | <code>{}</code> |
| [authorized_datasets](variables.tf#L39) | An array of datasets to be authorized on the dataset. | <code title="list(object({ dataset_id = string, project_id = string, }))">list(object({…}))</code> | | <code>[]</code> |
| [authorized_routines](variables.tf#L48) | An array of routines to be authorized on the dataset. | <code title="list(object({ project_id = string, dataset_id = string, routine_id = string }))">list(object({…}))</code> | | <code>[]</code> |
| [authorized_views](variables.tf#L58) | An array of views to be authorized on the dataset. | <code title="list(object({ dataset_id = string, project_id = string, table_id = string # this is the view id, but we keep table_id to stay consistent as the resource }))">list(object({…}))</code> | | <code>[]</code> |
| [dataset_access](variables.tf#L68) | Set access in the dataset resource instead of using separate resources. | <code>bool</code> | | <code>false</code> |
| [encryption_key](variables.tf#L80) | Self link of the KMS key that will be used to protect destination table. | <code>string</code> | | <code>null</code> |
| [iam](variables.tf#L92) | IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles. | <code>map(list(string))</code> | | <code>{}</code> |
| [tables](variables.tf#L167) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | <code title="map(object({ deletion_protection=optional(bool) description=optional(string,&quot;Terraform managed.&quot;) friendly_name=optional(string) labels=optional(map(string),{}) require_partition_filter=optional(bool) schema=optional(string) external_data_configuration=optional(object({ autodetect=bool source_uris=list(string) avro_logical_types=optional(bool) compression=optional(string) connection_id=optional(string) file_set_spec_type=optional(string) ignore_unknown_values=optional(bool) metadata_cache_mode=optional(string) object_metadata=optional(string) json_options_encoding=optional(string) reference_file_schema_uri=optional(string) schema=optional(string) source_format=optional(string) max_bad_records=optional(number) csv_options=optional(object({ quote=string allow_jagged_rows=optional(bool) allow_quoted_newlines=optional(bool) encoding=optional(string) field_delimiter=optional(string) skip_leading_rows=optional(number) })) google_sheets_options=optional(object({ range=optional(string) skip_leading_rows=optional(number) })) hive_partitioning_options=optional(object({ mode=optional(string) require_partition_filter=optional(bool) source_uri_prefix=optional(string) })) parquet_options=optional(object({ enum_as_string=optional(bool) enable_list_inference=optional(bool) })) })) options=optional(object({ clustering=optional(list(string)) encryption_key=optional(string) expiration_time=optional(number) max_staleness=optional(string) }),{}) partitioning=optional(object({ field=optional(string) range=optional(object({ end=number interval=number start=number })) time=optional(object({ type=string expiration_ms=optional(number) field=optional(string) })) })) table_constraints=optional(object({ primary_key_columns=optional(list(string)) foreign_keys=optional(object({ referenced_table=object({ project_id=string dataset_id=string table_id=string }) column_references=object({ referencing_column=string referenc