819894d2ba
* IAM modules refactor proposal * policy * subheading * Update 20230816-iam-refactor.md * log Julio's +1 * data-catalog-policy-tag * dataproc * dataproc * folder * folder * folder * folder * project * better filtering in test examples * project * folder * folder * organization * fix variable descriptions * kms * net-vpc * dataplex-datascan * modules/iam-service-account * modules/source-repository/ * blueprints/cloud-operations/vm-migration/ * blueprints/third-party-solutions/wordpress * dataplex-datascan * blueprints/cloud-operations/workload-identity-federation * blueprints/data-solutions/cloudsql-multiregion/ * blueprints/data-solutions/composer-2 * Update 20230816-iam-refactor.md * Update 20230816-iam-refactor.md * capture discussion in architectural doc * update variable names and refactor proposal * project * blueprints first round * folder * organization * data-catalog-policy-tag * re-enable folder inventory * project module style fix * dataproc * source-repository * source-repository tests * dataplex-datascan * dataplex-datascan tests * net-vpc * net-vpc test examples * iam-service-account * iam-service-account test examples * kms * boilerplate * tfdoc * fix module tests * more blueprint fixes * fix typo in data blueprints * incomplete refactor of data platform foundations * tfdoc * data platform foundation * refactor data platform foundation iam locals * remove redundant example test * shielded folder fix * fix typo * project factory * project factory outputs * tfdoc * test workflow: less verbose tests, fix tf version * re-enable -vv, shorter traceback, fix action version * ignore github extension warning, re-enable action version * fast bootstrap IAM, untested * bootstrap stage IAM fixes * stage 0 tests * fast stage 1 * tenant stage 1 * minor changes to fast stage 0 and 1 * fast security stage * fast mt stage 0 * fast mt stage 0 * fast pf |
||
|---|---|---|
| .. | ||
| README.md | ||
| iam.tf | ||
| main.tf | ||
| outputs.tf | ||
| variables.tf | ||
| versions.tf | ||
README.md
Google Service Account Module
This module allows simplified creation and management of one a service account and its IAM bindings.
A key can optionally be generated and will be stored in Terraform state. To use it create a sensitive output in your root modules referencing the key output, then extract the private key from the JSON formatted outputs.
Alternatively, the key can be generated with openssl library and only the public part uploaded to the Service Account, for more refer to the Onprem SA Key Management example.
Note that outputs have no dependencies on IAM bindings to prevent resource cycles.
Example
module "myproject-default-service-accounts" {
source = "./fabric/modules/iam-service-account"
project_id = "myproject"
name = "vm-default"
# authoritative roles granted *on* the service accounts to other identities
iam = {
"roles/iam.serviceAccountUser" = ["user:foo@example.com"]
}
# non-authoritative roles granted *to* the service accounts on other resources
iam_project_roles = {
"myproject" = [
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
]
}
}
# tftest modules=1 resources=4 inventory=basic.yaml
Files
| name | description | resources |
|---|---|---|
| iam.tf | IAM bindings. | google_billing_account_iam_member · google_folder_iam_member · google_organization_iam_member · google_project_iam_member · google_service_account_iam_binding · google_service_account_iam_member · google_storage_bucket_iam_member |
| main.tf | Module-level locals and resources. | google_service_account · google_service_account_key |
| outputs.tf | Module outputs. | |
| variables.tf | Module variables. | |
| versions.tf | Version pins. |
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | Name of the service account to create. | string |
✓ | |
| project_id | Project id where service account will be created. | string |
✓ | |
| description | Optional description. | string |
null |
|
| display_name | Display name of the service account to create. | string |
"Terraform-managed." |
|
| generate_key | Generate a key for service account. | bool |
false |
|
| iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_billing_roles | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) |
{} |
|
| iam_bindings | Authoritative IAM bindings on the service account in {ROLE => {members = [], condition = {}}}. | map(object({…})) |
{} |
|
| iam_bindings_additive | Individual additive IAM bindings on the service account. Keys are arbitrary. | map(object({…})) |
{} |
|
| iam_folder_roles | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) |
{} |
|
| iam_organization_roles | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) |
{} |
|
| iam_project_roles | Project roles granted to this service account, by project id. | map(list(string)) |
{} |
|
| iam_sa_roles | Service account roles granted to this service account, by service account name. | map(list(string)) |
{} |
|
| iam_storage_roles | Storage roles granted to this service account, by bucket name. | map(list(string)) |
{} |
|
| prefix | Prefix applied to service account names. | string |
null |
|
| public_keys_directory | Path to public keys data files to upload to the service account (should have .pem extension). |
string |
"" |
|
| service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool |
true |
Outputs
| name | description | sensitive |
|---|---|---|
| Service account email. | ||
| iam_email | IAM-format service account email. | |
| id | Fully qualified service account id. | |
| key | Service account key. | ✓ |
| name | Service account name. | |
| service_account | Service account resource. | |
| service_account_credentials | Service account json credential templates for uploaded public keys data. |