cloud-foundation-fabric/modules/iam-service-account
Ludovico Magnocavallo 6941313c7d
Factories refactor (#1843)
* factories refactor doc

* Adds file schema and filesystem organization

* Update 20231106-factories.md

* move factories out of blueprints and create new factories  README

* align factory in billing-account module

* align factory in dataplex-datascan module

* align factory in billing-account module

* align factory in net-firewall-policy module

* align factory in dns-response-policy module

* align factory in net-vpc-firewall module

* align factory in net-vpc module

* align factory variable names in FAST

* remove decentralized firewall blueprint

* bump terraform version

* bump module versions

* update top-level READMEs

* move project factory to modules

* fix variable names and tests

* tfdoc

* remove changelog link

* add project factory to top-level README

* fix cludrun eventarc diff

* fix README

* fix cludrun eventarc diff

---------

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-02-26 10:16:52 +00:00

README.md

Google Service Account Module

This module allows simplified creation and management of a service account and its IAM bindings: roles granted to other identities on the service account itself, and roles granted to the service account on other resources (projects, folders, organizations, billing accounts, buckets and other service accounts).

A key can optionally be generated (`generate_key = true`); the private key is then stored in Terraform state, so the state backend must be access-controlled and encrypted before you enable this. To use the key, create a sensitive output in your root module referencing the module's `key` output, then extract the private key from the JSON-formatted outputs.

Alternatively, generate the key pair outside Terraform with openssl and upload only the public part to the service account via `public_keys_directory`, so the private key never enters state; for more, refer to the Onprem SA Key Management example.

Note that outputs have no dependencies on IAM bindings to prevent resource cycles.

Example

```hcl
module "myproject-default-service-accounts" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "vm-default"
  # authoritative roles granted *on* the service account to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["group:${var.group_email}"]
  }
  # non-authoritative roles granted *to* the service account on other resources
  iam_project_roles = {
    "${var.project_id}" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest modules=1 resources=4 inventory=basic.yaml e2e
```
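The two key-handling options described above, written out as root-module code. This is an added example, not part of the module README or the fabric test suite. It assumes that the module's `key` output wraps the `google_service_account_key` resource (so its `private_key` attribute is the base64-encoded JSON key file), that `./keys` holds one or more `.pem` public keys generated outside Terraform, and that the `service_account_credentials` output is worth treating as sensitive even though it contains no private material; check `outputs.tf` before relying on the field names.

```hcl
# Added example (not the module's own code). Root-module usage of the two
# key options offered by the iam-service-account module.
#
# Assumptions: the `key` output wraps the google_service_account_key
# resource (so `.private_key` holds the base64-encoded JSON key file), and
# ./keys contains public keys in .pem format created with openssl outside
# Terraform. Verify both against outputs.tf and main.tf.

# Option 1: Terraform generates the key. The private key is written to
# state, so the state backend must be locked down and encrypted first.
module "sa-with-generated-key" {
  source       = "./fabric/modules/iam-service-account"
  project_id   = var.project_id
  name         = "batch-runner"
  generate_key = true
}

# Marking the root output sensitive keeps the key out of plan/apply logs;
# it does not remove it from state.
output "batch_runner_key" {
  description = "Generated key for the batch-runner service account."
  sensitive   = true
  value       = module.sa-with-generated-key.key
}

# Option 2: the key pair is generated on-prem and only the public half is
# uploaded, so Terraform state never sees the private key.
module "sa-with-uploaded-key" {
  source                = "./fabric/modules/iam-service-account"
  project_id            = var.project_id
  name                  = "onprem-uploader"
  public_keys_directory = "./keys" # assumed path, e.g. ./keys/uploader.pem
}

# Credential file templates for the uploaded keys; the private_key field is
# left for the holder of the on-prem private key to fill in.
output "onprem_uploader_credentials" {
  description = "Credential templates for the uploaded public keys."
  sensitive   = true
  value       = module.sa-with-uploaded-key.service_account_credentials
}
```

For option 1, extract the key file with `terraform output -json batch_runner_key | jq -r .private_key | base64 -d > batch-runner.json` and treat the resulting file as a long-lived credential. For option 2, a self-signed pair suitable for upload can be produced with `openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout uploader-private.pem -out keys/uploader.pem -subj "/CN=onprem-uploader"`; only the `keys/` directory is read by the module, and the private half should never be committed alongside the configuration.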

Files

| name | description | resources |
|---|---|---|
| iam.tf | IAM bindings. | google_billing_account_iam_member · google_folder_iam_member · google_organization_iam_member · google_project_iam_member · google_service_account_iam_binding · google_service_account_iam_member · google_storage_bucket_iam_member |
| main.tf | Module-level locals and resources. | google_service_account · google_service_account_key |
| outputs.tf | Module outputs. | |
| variables.tf | Module variables. | |
| versions.tf | Version pins. | |

Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | Name of the service account to create. | string | ✓ | |
| project_id | Project id where the service account will be created. | string | ✓ | |
| description | Optional description. | string | | null |
| display_name | Display name of the service account to create. | string | | "Terraform-managed." |
| generate_key | Generate a key for the service account. The private key is stored in state. | bool | | false |
| iam | Authoritative IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_billing_roles | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) | | {} |
| iam_bindings | Authoritative IAM bindings on the service account in {KEY => {role = ROLE, members = [], condition = {}}} format. Keys are arbitrary. | map(object({…})) | | {} |
| iam_bindings_additive | Individual additive IAM bindings on the service account. Keys are arbitrary. | map(object({…})) | | {} |
| iam_folder_roles | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) | | {} |
| iam_organization_roles | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) | | {} |
| iam_project_roles | Project roles granted to this service account, by project id. Non-authoritative. | map(list(string)) | | {} |
| iam_sa_roles | Service account roles granted to this service account, by service account name. Non-authoritative. | map(list(string)) | | {} |
| iam_storage_roles | Storage roles granted to this service account, by bucket name. Non-authoritative. | map(list(string)) | | {} |
| prefix | Prefix applied to service account names. | string | | null |
| public_keys_directory | Path to public key data files to upload to the service account (files must have a .pem extension). | string | | "" |
| service_account_create | Create the service account. When set to false, a data source is used to reference an existing service account. | bool | | true |
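The distinction the table draws between authoritative bindings (`iam`, `iam_bindings`), additive bindings (`iam_bindings_additive`) and the non-authoritative role grants to the service account on other resources is easiest to see in one module call. This is an added example, not code from the module README. It assumes the `condition` object uses the provider's `title` and `expression` fields, that `iam_bindings_additive` entries take a single `member`, and that `var.ci_group_email`, `var.breakglass_email` and `var.artifacts_bucket` are defined in the root module; the type of the two `object({…})` variables is elided on this page, so verify the field names against `variables.tf`.

```hcl
# Added example (not the module's own code). Shows the three kinds of IAM
# input side by side: authoritative conditional bindings, an additive
# binding, and non-authoritative grants on other resources.
#
# Assumptions: `condition` takes the provider's `title`/`expression`
# fields, `iam_bindings_additive` entries carry a single `member`, and the
# referenced root-module variables exist. Check variables.tf.
module "ci-deployer" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "ci-deployer"

  # Authoritative: the member list for this role (under this condition) is
  # exactly what is declared here; anything added out of band is removed.
  # The condition restricts token minting to working hours.
  iam_bindings = {
    "ci-token-creator" = {
      role    = "roles/iam.serviceAccountTokenCreator"
      members = ["group:${var.ci_group_email}"]
      condition = {
        title      = "business-hours-only"
        expression = "request.time.getHours('Europe/Rome') >= 8 && request.time.getHours('Europe/Rome') < 18"
      }
    }
  }

  # Additive: coexists with bindings for the same role managed elsewhere,
  # so a break-glass principal can be granted without taking ownership of
  # the whole role binding.
  iam_bindings_additive = {
    "break-glass-user" = {
      role   = "roles/iam.serviceAccountUser"
      member = "user:${var.breakglass_email}"
    }
  }

  # Roles this service account holds on other resources. These are
  # *_iam_member grants (non-authoritative), so they never clobber bindings
  # on the target project or bucket.
  iam_project_roles = {
    (var.project_id) = ["roles/run.developer"]
  }
  iam_storage_roles = {
    (var.artifacts_bucket) = ["roles/storage.objectViewer"]
  }
}
```

Keep conditional and unconditional bindings for the same role under distinct keys: on the API side a binding is identified by role plus condition, so a second `iam_bindings` entry for `roles/iam.serviceAccountTokenCreator` without a condition is a separate authoritative binding, not a merge into the first.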

Outputs

| name | description | sensitive |
|---|---|:---:|
| email | Service account email. | |
| iam_email | IAM-format service account email. | |
| id | Fully qualified service account id. | |
| key | Service account key. | ✓ |
| name | Service account name. | |
| service_account | Service account resource. | |
| service_account_credentials | Service account JSON credential templates for uploaded public key data. | |