cloud-foundation-fabric/modules/iam-service-account
Ludovico Magnocavallo 725f7effce
Initial MVP for CI/CD (#608)
* preliminary support for wif in stage 0

* IAM wif role

* IAM wif role TODO

* add support for external SA IAM to SA module

* add name output to SA module

* separate cicd SA

* tfdoc

* GITLAB principal (untested)

* make GCS name output static

* outputs bucket

* fix stage 1 test

* tweak outputs

* tfdoc

* move wif_pool to automation variable

* add support for top-level and repository providers

* add missing boilerplate

* fix branchless principal

* initial workflow

* symlink provider template in stages

* remove service accounts from stage 0 cicd tfvars

* add cicd interface variable to resman stage

* fix cicd variable in resman stage

* better condition on outputs_location

* fix last change

* change outputs_location type

* revert outputs_location change

* split outputs in stage 0

* update ci/cd temporary notes

* rename additive IAM resource in SA module

* split outputs in stage 1

* remove unused locals

* fix stage 1 tests

* tfdoc

* Upload action files to outputs_bucket

* Fix tests and README

* rename template, streamline outputs

* local templates and gcs output for all stage 2

* add workflows to local output files

* Use lowercase WIF providers everywhere

* Bring back suffix for workflow files

* Remove unused files

* Update READMEs

* preliminary CI/CD implementation for stage 1

* fix stage 1

* stage 1 cicd

* tfdoc

* fix tests

* readme and links for cicd and wif

* refactor wif providers

* refactor cicd for stage 1

* fix stage 1

* wif org policies

* split identity provider configuration from cicd

* add type attribute to cicd repositories

* valid cicd repositories have a workflow template

* refactor stage 01

* fix stage 01 tests

* minimal CI/CD documentation

* better check_links error reporting

* fix links

* Added Gitlab specific configurations

Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration.

* Fixed TF formatting in identity providers.

* Changing identity provider audience to null

Changing identity provider audience to default to null.

* add instructions for renaming workflows

* address Julio's comments

Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: alexmeissner <alexmeissner@google.com>
2022-04-12 08:17:27 +02:00
README.md Initial MVP for CI/CD (#608) 2022-04-12 08:17:27 +02:00
iam.tf Initial MVP for CI/CD (#608) 2022-04-12 08:17:27 +02:00
main.tf Initial MVP for CI/CD (#608) 2022-04-12 08:17:27 +02:00
outputs.tf Initial MVP for CI/CD (#608) 2022-04-12 08:17:27 +02:00
variables.tf Initial MVP for CI/CD (#608) 2022-04-12 08:17:27 +02:00
versions.tf Split SA module in multiple files 2022-01-29 09:51:02 +01:00

README.md

# Google Service Account Module

This module allows simplified creation and management of one service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it, create a sensitive output in your root module referencing the key output, then extract the private key from the JSON-formatted outputs. Alternatively, the key pair can be generated with the openssl library and only the public part uploaded to the service account, so the private key never enters Terraform state; for more details refer to the Onprem SA Key Management example.

## Example

```hcl
module "myproject-default-service-accounts" {
  source       = "./modules/iam-service-account"
  project_id   = "myproject"
  name         = "vm-default"
  generate_key = true
  # authoritative roles granted *on* the service accounts to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["user:foo@example.com"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "myproject" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest modules=1 resources=5
```
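The description above says to expose the generated key through a sensitive root-module output and then extract the private key from the JSON-formatted outputs. The script below is an added example, not code from the cloud-foundation-fabric module: it assumes a root module that declares `output "sa_key" { sensitive = true; value = module.myproject-default-service-accounts.key }` (the output name `sa_key` is an assumption), so that `terraform output -json` carries the `google_service_account_key` resource, whose real `private_key` attribute holds the base64-encoded credentials file. The `terraform output -json` document embedded here is constructed with placeholder values; the script refuses to handle an output that is not marked sensitive, writes the decoded credentials with owner-only permissions, and produces a redacted copy safe for logs.

```python
"""Extract a service-account key from a sensitive `terraform output -json` output.

Added example, not part of the cloud-foundation-fabric module. Assumes the root
module declared a sensitive output named "sa_key" whose value is the module's
`key` output (a google_service_account_key resource).
"""
import base64
import json
import os
import stat
import tempfile

OUTPUT_NAME = "sa_key"  # assumed name of the sensitive root-module output

# Constructed stand-in for the credentials JSON Google returns; every value is a placeholder.
_CREDENTIALS = {
    "type": "service_account",
    "project_id": "myproject",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vm-default@myproject.iam.gserviceaccount.com",
}

# Constructed stand-in for what `terraform output -json` prints for that root module.
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    OUTPUT_NAME: {
        "sensitive": True,
        "type": ["object", {"name": "string", "private_key": "string"}],
        "value": {
            "name": "projects/myproject/serviceAccounts/vm-default@myproject.iam.gserviceaccount.com/keys/PLACEHOLDER_KEY_ID",
            # google_service_account_key.private_key is the base64-encoded credentials file
            "private_key": base64.b64encode(json.dumps(_CREDENTIALS).encode()).decode(),
        },
    }
})


def extract_credentials(terraform_output_json: str, output_name: str = OUTPUT_NAME) -> dict:
    """Return the decoded credentials dict carried by the named Terraform output."""
    outputs = json.loads(terraform_output_json)
    if output_name not in outputs:
        raise KeyError(f"output {output_name!r} not present; declare it in the root module")
    entry = outputs[output_name]
    if not entry.get("sensitive"):
        # A non-sensitive output is echoed in plain text by `terraform apply`; refuse it.
        raise ValueError(f"output {output_name!r} is not marked sensitive")
    encoded = entry["value"]["private_key"]
    credentials = json.loads(base64.b64decode(encoded))
    if credentials.get("type") != "service_account":
        raise ValueError("decoded payload is not a service account credentials file")
    return credentials


def write_credentials(credentials: dict, path: str) -> int:
    """Write the credentials file readable by the owner only; return its mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(credentials, fh)
    os.chmod(path, 0o600)  # a pre-existing file keeps its old mode unless we reset it
    return stat.S_IMODE(os.stat(path).st_mode)


def redact(credentials: dict) -> dict:
    """Copy that is safe to log: identity fields kept, private key material dropped."""
    return {k: v for k, v in credentials.items() if k != "private_key"}


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_TERRAFORM_OUTPUT)
    target = os.path.join(tempfile.mkdtemp(), "sa-key.json")
    print(oct(write_credentials(creds, target)), redact(creds))
```

In a real pipeline the document passed to `extract_credentials` comes from `terraform output -json` run in the root module; the decoded file is what `GOOGLE_APPLICATION_CREDENTIALS` expects, and it remains in Terraform state regardless of how it is extracted, so the state backend itself must be access-controlled.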

## Files

| name | description | resources |
|---|---|---|
| iam.tf | IAM bindings. | google_billing_account_iam_member · google_folder_iam_member · google_organization_iam_member · google_project_iam_member · google_service_account_iam_binding · google_service_account_iam_member · google_storage_bucket_iam_member |
| main.tf | Module-level locals and resources. | google_service_account · google_service_account_key |
| outputs.tf | Module outputs. |  |
| variables.tf | Module variables. |  |
| versions.tf | Version pins. |  |

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | Name of the service account to create. | string | ✓ |  |
| project_id | Project id where service account will be created. | string | ✓ |  |
| description | Optional description. | string |  | null |
| display_name | Display name of the service account to create. | string |  | "Terraform-managed." |
| generate_key | Generate a key for service account. | bool |  | false |
| iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) |  | {} |
| iam_billing_roles | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) |  | {} |
| iam_folder_roles | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) |  | {} |
| iam_organization_roles | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) |  | {} |
| iam_project_roles | Project roles granted to this service account, by project id. | map(list(string)) |  | {} |
| iam_sa_roles | Service account roles granted to this service account, by service account name. | map(list(string)) |  | {} |
| iam_storage_roles | Storage roles granted to this service account, by bucket name. | map(list(string)) |  | {} |
| prefix | Prefix applied to service account names. | string |  | null |
| public_keys_directory | Path to public keys data files to upload to the service account (should have .pem extension). | string |  | "" |
| service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool |  | true |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| email | Service account email. |  |
| iam_email | IAM-format service account email. |  |
| key | Service account key. | ✓ |
| name | Service account id. |  |
| service_account | Service account resource. |  |
| service_account_credentials | Service account json credential templates for uploaded public keys data. |  |