Access configuration defaults to using the separate `google_bigquery_dataset_access` resource, so as to leave the default dataset access rules untouched.
You can choose to manage the `google_bigquery_dataset` access rules instead via the `dataset_access` variable, but be sure to always have at least one `OWNER` access and to avoid duplicating accesses, or `terraform apply` will fail.
The access variables are split into `access_roles` and `access_identities` variables, so that dynamic values can be passed in for identities (e.g. a service account email generated by a different module or resource). The `access_views` variable is separate, so as to allow proper type constraints.
Access can also be configured through IAM bindings instead of basic roles, using the `iam` variable. When using IAM, basic roles cannot be used via the `access` family variables.
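
The two access styles described above, as an added example that is not taken from the module's own documentation. The module source path, the `project_id` and `id` arguments, and every project, dataset and identity value are assumptions or placeholders; the `access`, `access_identities`, `dataset_access` and `iam` variables are the ones listed in the table below.

```hcl
# Added example. Assumed: module source path, project_id/id argument names,
# and all project, dataset and identity values (placeholders).

resource "google_service_account" "loader" {
  project    = "my-project"
  account_id = "bq-loader"
}

module "dataset_basic_roles" {
  source     = "./modules/bigquery-dataset" # assumed path
  project_id = "my-project"                 # assumed argument name
  id         = "my_dataset"                 # assumed argument name

  # Manage access on the dataset resource itself. An OWNER entry must be
  # present and no rule may be duplicated, or terraform apply fails.
  dataset_access = true

  # Static part: role and identity type, keyed by an arbitrary name.
  access = {
    owners  = { role = "OWNER", type = "group" }
    loader  = { role = "WRITER", type = "user" }
    readers = { role = "READER", type = "domain" }
    report  = { role = "READER", type = "view" }
  }

  # Dynamic part: same keys as above, values may be computed at apply time.
  access_identities = {
    owners  = "data-owners@example.com"
    loader  = google_service_account.loader.email
    readers = "example.com"
    report  = "my-project|reporting|daily_summary" # project_id|dataset_id|table_id
  }
}

module "dataset_iam" {
  source     = "./modules/bigquery-dataset" # assumed path
  project_id = "my-project"
  id         = "my_iam_dataset"

  # IAM bindings replace basic roles: leave the access_* variables unset.
  iam = {
    "roles/bigquery.dataOwner"  = ["group:data-owners@example.com"]
    "roles/bigquery.dataViewer" = ["serviceAccount:${google_service_account.loader.email}"]
  }
}
```
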
To create views, use the `view` variable. If you're querying a table created by the same module, `terraform apply` will initially fail and eventually succeed once the underlying table has been created. You can probably also use the module's output in the view's query to create a dependency on the table.
| *access* | Map of access rules with role and identity type. Keys are arbitrary and must match those in the `access_identities` variable, types are `domain`, `group`, `special_group`, `user`, `view`. | <code title="map(object({ role = string type = string }))">map(object({...}))</code> | | <code title="{} validation { condition = can([ for k, v in var.access : index([&quot;domain&quot;, &quot;group&quot;, &quot;special_group&quot;, &quot;user&quot;, &quot;view&quot;], v.type) ]) error_message = &quot;Access type must be one of 'domain', 'group', 'special_group', 'user', 'view'.&quot; }">...</code> |
| *access_identities* | Map of access identities used for basic access roles. View identities have the format 'project_id\|dataset_id\|table_id'. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
| *dataset_access* | Set access in the dataset resource instead of using separate resources. | <code title="">bool</code> | | <code title="">false</code> |
| *encryption_key* | Self link of the KMS key that will be used to protect the destination table. | <code title="">string</code> | | <code title="">null</code> |
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |