Google Service Account Module
This module allows simplified creation and management of a service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it, create a sensitive output in your root module referencing the key output, then extract the private key from the JSON formatted outputs. Alternatively, the key pair can be generated locally with openssl and only the public part uploaded to the service account; for more details refer to the Onprem SA Key Management example.
Example
```hcl
module "myproject-default-service-accounts" {
  source       = "./modules/iam-service-account"
  project_id   = "myproject"
  name         = "vm-default"
  generate_key = true
  # authoritative roles granted *on* the service accounts to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["user:foo@example.com"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "myproject" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest:modules=1:resources=5
```
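When `generate_key = true` is used, the private key ends up in Terraform state and is read back through a sensitive root-module output. The following Python script is an added example, not part of this module or its examples, showing how that extraction step can be done safely: it parses `terraform output -json` text, base64-decodes the key material, checks that the result is really a service account key file, and writes it with owner-only permissions. It assumes the root module exposes the module's key output under the name `key` and that the value carries a base64-encoded `private_key` attribute; both the output name and the embedded sample output are constructed for this example.

```python
import base64
import json
import os
import stat
from typing import Any

# Constructed sample of what `terraform output -json` could print for a root
# module that exposes the module's `key` output as a sensitive output. The
# shape of the value (a base64-encoded JSON key file under `private_key`) is
# an assumption for this example, as are all identifiers below.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "project_id": "myproject",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vm-default@myproject.iam.gserviceaccount.com",
    "client_id": "PLACEHOLDER_CLIENT_ID",
}
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    "key": {
        "sensitive": True,
        "type": ["object", {"private_key": "string", "public_key": "string"}],
        "value": {
            "private_key": base64.b64encode(json.dumps(SAMPLE_KEY_FILE).encode()).decode(),
            "public_key": "PLACEHOLDER_PUBLIC_KEY",
        },
    }
})

# Fields every Google service account key file is expected to carry.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def extract_key_file(tf_output_json: str, output_name: str = "key") -> dict[str, Any]:
    """Return the decoded JSON key file found in `terraform output -json` text.

    Raises ValueError when the output is missing, is not marked sensitive (so it
    would be echoed in plain text by `terraform apply`), or does not decode to
    something that looks like a service account key file.
    """
    outputs = json.loads(tf_output_json)
    if output_name not in outputs:
        raise ValueError(f"no output named {output_name!r}; add a sensitive output in the root module")
    entry = outputs[output_name]
    if not entry.get("sensitive", False):
        raise ValueError(f"output {output_name!r} is not marked sensitive; fix the root module")
    encoded = entry["value"]["private_key"]
    key_file = json.loads(base64.b64decode(encoded))
    missing = [f for f in REQUIRED_FIELDS if f not in key_file]
    if missing or key_file.get("type") != "service_account":
        raise ValueError(f"decoded document is not a service account key file (missing {missing})")
    if not key_file["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    return key_file


def write_key_file(key_file: dict[str, Any], path: str) -> int:
    """Write the key file readable only by its owner and return the mode bits."""
    # Open with an explicit 0600 mode instead of relying on the default umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(key_file, fh)
    os.chmod(path, 0o600)  # O_CREAT mode is still masked by umask; enforce it
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    key = extract_key_file(SAMPLE_TERRAFORM_OUTPUT)
    print(f"extracted key for {key['client_email']}")
```

In practice the input would be piped in from `terraform output -json`; the script deliberately refuses an output that is not flagged `sensitive`, since a non-sensitive output prints the key material to the terminal and CI logs on every apply.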
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | Name of the service account to create. | string | ✓ | |
| project_id | Project id where service account will be created. | string | ✓ | |
| description | Optional description. | string | | null |
| display_name | Display name of the service account to create. | string | | "Terraform-managed." |
| generate_key | Generate a key for service account. | bool | | false |
| iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_billing_roles | Billing account roles granted to the service account, by billing account id. Non-authoritative. | map(list(string)) | | {} |
| iam_folder_roles | Folder roles granted to the service account, by folder id. Non-authoritative. | map(list(string)) | | {} |
| iam_organization_roles | Organization roles granted to the service account, by organization id. Non-authoritative. | map(list(string)) | | {} |
| iam_project_roles | Project roles granted to the service account, by project id. | map(list(string)) | | {} |
| iam_storage_roles | Storage roles granted to the service account, by bucket name. | map(list(string)) | | {} |
| prefix | Prefix applied to service account names. | string | | null |
| public_keys_directory | Path to public keys data files to upload to the service account (should have .pem extension). | string | | "" |
| service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | true |
Outputs