Skip to content

Latest commit

 

History

History

iam-service-account

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 

Google Service Account Module

This module allows simplified creation and management of one a service account and its IAM bindings.

A key can optionally be generated and will be stored in Terraform state. To use it create a sensitive output in your root modules referencing the key output, then extract the private key from the JSON formatted outputs.

Alternatively, the key can be generated with openssl library and only the public part uploaded to the Service Account, for more refer to the Onprem SA Key Management example.

Note that outputs have no dependencies on IAM bindings to prevent resource cycles.

Example

module "myproject-default-service-accounts" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "vm-default"
  # authoritative roles granted *on* the service accounts to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["group:${var.group_email}"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "${var.project_id}" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest modules=1 resources=4 inventory=basic.yaml e2e

Files

name description resources
iam.tf IAM bindings. google_billing_account_iam_member · google_folder_iam_member · google_organization_iam_member · google_project_iam_member · google_service_account_iam_binding · google_service_account_iam_member · google_storage_bucket_iam_member
main.tf Module-level locals and resources. google_service_account · google_service_account_key
outputs.tf Module outputs.
variables.tf Module variables.
versions.tf Version pins.

Variables

name description type required default
name Name of the service account to create. string
project_id Project id where service account will be created. string
description Optional description. string null
display_name Display name of the service account to create. string "Terraform-managed."
generate_key Generate a key for service account. bool false
iam IAM bindings on the service account in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_billing_roles Billing account roles granted to this service account, by billing account id. Non-authoritative. map(list(string)) {}
iam_bindings Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. map(object({…})) {}
iam_bindings_additive Individual additive IAM bindings on the service account. Keys are arbitrary. map(object({…})) {}
iam_folder_roles Folder roles granted to this service account, by folder id. Non-authoritative. map(list(string)) {}
iam_organization_roles Organization roles granted to this service account, by organization id. Non-authoritative. map(list(string)) {}
iam_project_roles Project roles granted to this service account, by project id. map(list(string)) {}
iam_sa_roles Service account roles granted to this service account, by service account name. map(list(string)) {}
iam_storage_roles Storage roles granted to this service account, by bucket name. map(list(string)) {}
prefix Prefix applied to service account names. string null
public_keys_directory Path to public keys data files to upload to the service account (should have .pem extension). string ""
service_account_create Create service account. When set to false, uses a data source to reference an existing service account. bool true

Outputs

name description sensitive
email Service account email.
iam_email IAM-format service account email.
id Fully qualified service account id.
key Service account key.
name Service account name.
service_account Service account resource.
service_account_credentials Service account json credential templates for uploaded public keys data.