75418bbbd0
Generate the service account output statically based on the service account name and parent project. This allows, among other things, using service accounts as map keys (e.g. to be used in the `iam` argument in other modules).

Module directory:
README.md
main.tf
outputs.tf
variables.tf
versions.tf
README.md
Google Service Account Module
This module allows simplified creation and management of a service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it, create a sensitive output in your root module referencing the key output, then extract the private key from the JSON-formatted outputs.
Example
module "myproject-default-service-accounts" {
  source       = "./modules/iam-service-account"
  project_id   = "myproject"
  name         = "vm-default"
  generate_key = true
  # authoritative roles granted *on* the service accounts to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["user:foo@example.com"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "myproject" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest:modules=1:resources=5
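The following root-module configuration is an added example, not code from the module or its repository. It shows the two things the text above describes: exposing the generated key through a sensitive root-module output, and the use case named in the commit message, where the statically computed email of one service account is used as a map key in a `for_each` map (keys must be known at plan time, which is exactly what computing the outputs from name and project guarantees). It assumes the module path from the README, that the `key` output is a `google_service_account_key` resource whose `private_key` attribute holds the base64-encoded JSON key, and constructed names (`ci-runner`, `deployer`, `myproject`).

```hcl
# Root module (added example). Module path as in the README above.
module "ci-runner" {
  source       = "./modules/iam-service-account"
  project_id   = "myproject"
  name         = "ci-runner"
  generate_key = true
  iam_project_roles = {
    "myproject" = ["roles/logging.logWriter"]
  }
}

# A second service account that lets the first one mint tokens for it.
# Because module outputs are derived from name and project, the email is
# known at plan time and can be referenced before the account exists.
module "deployer" {
  source     = "./modules/iam-service-account"
  project_id = "myproject"
  name       = "deployer"
  iam = {
    "roles/iam.serviceAccountTokenCreator" = [module.ci-runner.iam_email]
  }
}

# Map keyed by service account IAM email (the commit message's use case).
# Parenthesised keys are evaluated expressions; they must be known at plan
# time when the map feeds for_each, otherwise plan fails.
locals {
  sa_project_roles = {
    (module.ci-runner.iam_email) = ["roles/viewer"]
    (module.deployer.iam_email)  = ["roles/viewer"]
  }
}

# One non-authoritative binding per (service account, role) pair.
resource "google_project_iam_member" "sa_roles" {
  for_each = {
    for pair in flatten([
      for email, roles in local.sa_project_roles : [
        for role in roles : { email = email, role = role }
      ]
    ]) : "${pair.email}-${pair.role}" => pair
  }
  project = "myproject"
  role    = each.value.role
  member  = each.value.email
}

# Sensitive root-module output referencing the generated key, as the README
# instructs. Assumption: `key` is the google_service_account_key resource,
# so `private_key` is the base64-encoded JSON key file.
output "ci_runner_key" {
  description = "Generated key for the ci-runner service account."
  sensitive   = true
  value       = module.ci-runner.key
}

# After apply, extract the key file (assumes jq and base64 are installed):
#   terraform output -json ci_runner_key | jq -r .private_key | base64 -d > ci-runner.json
```

Note that the private key exists in the Terraform state as well as in any file you decode it into, so the state backend needs the same access controls and audit logging you would give the key file itself, and the key should be rotated or deleted (which removes it from state on the next apply) when no longer needed.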
Variables
name | description | type | required | default
---|---|---|---|---
name | Name of the service account to create. | string | ✓ |
project_id | Project id where the service account will be created. | string | ✓ |
display_name | Display name of the service account to create. | string | | Terraform-managed.
generate_key | Generate a key for the service account. | bool | | false
iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | {}
iam_billing_roles | Project roles granted to the service account, by billing account id. | map(list(string)) | | {}
iam_folder_roles | Project roles granted to the service account, by folder id. | map(list(string)) | | {}
iam_organization_roles | Project roles granted to the service account, by organization id. | map(list(string)) | | {}
iam_project_roles | Project roles granted to the service account, by project id. | map(list(string)) | | {}
iam_storage_roles | Storage roles granted to the service account, by bucket name. | map(list(string)) | | {}
prefix | Prefix applied to service account names. | string | | null
service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | true
Outputs
name | description | sensitive
---|---|---
 | Service account email. |
iam_email | IAM-format service account email. |
key | Service account key. | ✓
service_account | Service account resource. |