cloud-foundation-fabric/modules/iam-service-accounts
Ludovico Magnocavallo aaa80bb49b refactor service account module outputs 2020-05-31 09:39:03 +02:00
README.md Merge development branch (#44) 2020-04-03 14:06:48 +02:00
main.tf refactor service account module outputs 2020-05-31 09:39:03 +02:00
outputs.tf refactor service account module outputs 2020-05-31 09:39:03 +02:00
variables.tf refactor service account module outputs 2020-05-31 09:39:03 +02:00
versions.tf Merge development branch (#44) 2020-04-03 14:06:48 +02:00

README.md

Google Service Accounts Module

This module allows simplified creation and management of one or more service accounts and their IAM bindings. Keys can optionally be generated; the generated private keys are stored in Terraform state, so the state backend must be encrypted and access-restricted accordingly. To use them, create a sensitive output in your root module referencing the `keys` or `key` outputs, then extract the private key from the JSON-formatted outputs.

Example

```hcl
module "myproject-default-service-accounts" {
  source            = "./modules/iam-service-accounts"
  project_id        = "myproject"
  names             = ["vm-default", "gke-node-default"]
  generate_keys     = true
  # authoritative roles granted *on* the service accounts to other identities
  iam_roles         = ["roles/iam.serviceAccountUser"]
  iam_members       = {
    "roles/iam.serviceAccountUser" = ["user:foo@example.com"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "myproject" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
```
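Two points the example above leaves implicit: how a root module consumes the generated key without echoing it in plan output, and that every `iam_*_roles` input grants the listed roles to *all* service accounts created by that module call, so accounts with different privilege needs belong in separate module calls. The following is an added example, not code from the module's README; it assumes the `myproject-default-service-accounts` instance from the example above, that the `keys` output is keyed by the entries of `names`, and a hypothetical bucket name `my-backup-bucket`.

```hcl
# Root module: expose one generated key as a sensitive output.
# Added example (not from the module README). Assumes the module instance
# "myproject-default-service-accounts" from the README example and that the
# "keys" output is a map keyed by the service account name.
output "vm_default_key" {
  description = "Base64-encoded JSON key file for the vm-default service account."
  sensitive   = true
  value       = module.myproject-default-service-accounts.keys["vm-default"].private_key
}

# A second, separate module call for an account with a narrower grant: only
# object creation on one bucket (hypothetical name), and no key at all, since
# the workload can use the attached service account identity instead.
module "backup-writer" {
  source        = "./modules/iam-service-accounts"
  project_id    = "myproject"
  names         = ["backup-writer"]
  generate_keys = false
  iam_storage_roles = {
    "my-backup-bucket" = ["roles/storage.objectCreator"]
  }
}
```

After `terraform apply`, the key file can be recovered with `terraform output -json vm_default_key | jq -r . | base64 -d > vm-default-key.json`: `terraform output -json` prints the value as a JSON string, hence the `jq -r .` before decoding, and the `private_key` attribute of a `google_service_account_key` is the base64-encoded JSON key file. Treat the resulting file, and the state file that also contains it, as a credential.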

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| project_id | Project id where service account will be created. | string | ✓ | |
| generate_keys | Generate keys for service accounts. | bool | | false |
| iam_billing_roles | Billing account roles granted to all service accounts, by billing account id. | map(list(string)) | | {} |
| iam_folder_roles | Folder roles granted to all service accounts, by folder id. | map(list(string)) | | {} |
| iam_members | Map of member lists which are granted authoritative roles on the service accounts, keyed by role. | map(list(string)) | | {} |
| iam_organization_roles | Organization roles granted to all service accounts, by organization id. | map(list(string)) | | {} |
| iam_project_roles | Project roles granted to all service accounts, by project id. | map(list(string)) | | {} |
| iam_roles | List of authoritative roles granted on the service accounts. | list(string) | | [] |
| iam_storage_roles | Storage roles granted to all service accounts, by bucket name. | map(list(string)) | | {} |
| names | Names of the service accounts to create. | list(string) | | [] |
| prefix | Prefix applied to service account names. | string | | |

Outputs

| name | description | sensitive |
|---|---|---|
| email | Service account email (when a single service account is created). | |
| emails | Service account emails, as a map keyed by name. | |
| emails_list | Service account emails, as a list. | |
| iam_email | IAM-format (`serviceAccount:` prefixed) service account email (when a single service account is created). | |
| iam_emails | IAM-format service account emails, as a map keyed by name. | |
| iam_emails_list | IAM-format service account emails, as a list. | |
| key | Service account key (when a single service account is created). | ✓ |
| keys | Map of service account keys, keyed by name. | ✓ |
| service_account | Service account resource (when a single service account is created). | |
| service_accounts | Service account resources. | |