This Terraform module is a helper to create a custom IAM role that has the permissions required for F5 Distributed Cloud to manage a Google Cloud environment. The role will be created in the specified project by default, but can be created as an Organization role if preferred, for reuse across projects.
Unless a specific identifier is provided in the id variable, a semi-random identifier of the form f5_xc_xxxx is generated. This avoids identifier collisions during the window after a custom role is deleted but before it is purged from the project or organization, when the old identifier is still reserved and cannot be reused.
F5 has similar community supported modules available for AWS and Azure.
NOTE: This module is unsupported and not an official F5 product. If you require assistance please join our Slack GCP channel and ask!
F5 publishes a YAML declaration that encapsulates the F5 recommended permissions in a fixed role; this Terraform module adds the following permissions, which appear to be required in practice but are missing from that declaration:

- compute.addresses.createInternal
- compute.addresses.deleteInternal
- compute.addresses.list
- compute.addresses.useInternal
- resourcemanager.projects.list
See the Simple project role example for more details.

```hcl
module "role" {
  source    = "memes/f5-distributed-cloud-role/google"
  version   = "1.0.9"
  target_id = "my-project-id"
  members   = ["serviceAccount:f5-xc@my-project-id.iam.gserviceaccount.com"]
}
```
See the Simple org role example for more details.

```hcl
module "org_role" {
  source      = "memes/f5-distributed-cloud-role/google"
  version     = "1.0.9"
  target_type = "org"
  target_id   = "my-org-id"
}
```
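An organization-level role exists once but can be granted in any project under the organization, which is the reuse case the introduction describes. The following is an added example, not code from the module or from the F5 examples: it creates the org role and then binds it, per project, to a dedicated service account using the module's qualified_role_id output. The organization id, project ids and service account e-mail addresses are assumptions.

```hcl
# Added example (not part of the module). Create the role once at the
# organization, then grant it to one service account per managed project.
module "org_role" {
  source      = "memes/f5-distributed-cloud-role/google"
  version     = "1.0.9"
  target_type = "org"
  target_id   = "my-org-id" # assumed organization id
}

# Assumed: each project F5 XC will manage has its own service account, so a
# compromised key in one project grants nothing in another.
variable "xc_service_accounts" {
  description = "Map of project id to the F5 XC service account e-mail in that project."
  type        = map(string)
  default = {
    "project-a" = "f5-xc@project-a.iam.gserviceaccount.com"
    "project-b" = "f5-xc@project-b.iam.gserviceaccount.com"
  }
}

# qualified_role_id has the form organizations/<org-id>/roles/<role-id>, which
# google_project_iam_member accepts directly as the role. This resource is
# non-authoritative: it adds exactly this binding and leaves the rest of the
# project's IAM policy untouched.
resource "google_project_iam_member" "xc" {
  for_each = var.xc_service_accounts
  project  = each.key
  role     = module.org_role.qualified_role_id
  member   = "serviceAccount:${each.value}"
}
```

Deleting the org role later will leave dangling bindings in each project until the bindings are destroyed as well, so keep both in the same Terraform state or destroy the bindings first.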
See the Fixed id example for more details.

```hcl
module "role" {
  source    = "memes/f5-distributed-cloud-role/google"
  version   = "1.0.9"
  id        = "my_custom_role"
  target_id = "my-project-id"
  title     = "An example F5 Distributed Cloud custom role"
  members   = ["serviceAccount:f5-xc@my-project-id.iam.gserviceaccount.com"]
}
```
The Blindfold Cloud Credential and Plaintext Cloud Credential examples go further: they create a service account, grant it the custom role, and create a Cloud Credential that can be used for GCP VPC Sites in XC. See those examples for full details.
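The steps those examples cover, as an added example that is not the module's or F5's own code: a dedicated service account, the custom role bound to it through the module, and a user-managed key whose JSON is what F5 Distributed Cloud consumes as a GCP Cloud Credential. The project id and service account name are assumptions, and the variable and output names are illustrative.

```hcl
# Added example (not part of the module or the F5 examples).
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.38, < 7.0"
    }
  }
}

variable "project_id" {
  description = "Project that F5 XC will manage (assumed)."
  type        = string
}

# Dedicated identity: nothing else should share this account or its key.
resource "google_service_account" "f5_xc" {
  project      = var.project_id
  account_id   = "f5-xc"
  display_name = "F5 Distributed Cloud"
}

# Grant only the custom role; no primitive roles such as roles/editor.
module "role" {
  source    = "memes/f5-distributed-cloud-role/google"
  version   = "1.0.9"
  target_id = var.project_id
  members   = ["serviceAccount:${google_service_account.f5_xc.email}"]
}

# A user-managed key is a long-lived bearer credential. It lands in Terraform
# state, so the state backend must be encrypted and access-controlled, and the
# Blindfold variant (encrypting the key before it reaches XC) is preferable to
# passing this plaintext JSON into a Cloud Credential.
resource "google_service_account_key" "f5_xc" {
  service_account_id = google_service_account.f5_xc.name
  depends_on         = [module.role]
}

# Decoded key file in the format expected by a GCP Cloud Credential.
output "cloud_credential_json" {
  value     = base64decode(google_service_account_key.f5_xc.private_key)
  sensitive = true
}

output "role_id" {
  value = module.role.qualified_role_id
}
```

After apply, `terraform output -raw cloud_credential_json` yields the key file; rotate it by tainting or replacing the google_service_account_key resource and updating the Cloud Credential in XC.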
Requirements:

Name | Version |
---|---|
terraform | >= 1.3 |
google | >= 4.38, < 7.0 |
random | >= 3.4 |
Modules:

Name | Source | Version |
---|---|---|
role | terraform-google-modules/iam/google//modules/custom_role_iam | 8.0.0 |
Resources:

Name | Type |
---|---|
random_id.role_id | resource |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
target_id | Sets the target for role creation; must be either an organization ID (target_type = 'org') or a project ID (target_type = 'project'). | string | n/a | yes |
description | The optional description to assign to the custom IAM role. If left blank (default), a suitable description will be created. | string | null | no |
id | An identifier to use for the new role; if left empty (default), a unique identifier will be generated. If a value is provided, it must be unique at the organization or project level, depending on the value of target_type. E.g. multiple projects can each have an 'f5_xc' role defined, but an organization-level role must be uniquely named within the organization. | string | null | no |
members | An optional list of accounts that will be assigned the custom role. Default is an empty list. | list(string) | [] | no |
random_id_prefix | The prefix to use when generating a random role identifier for the new role if the id field is blank. The default is 'f5_xc', which will generate a unique role identifier of the form 'f5_xc_XXXX', where XXXX is a random hex string. | string | "f5_xc" | no |
target_type | Determines if the F5 Distributed Cloud role is to be created for the whole organization ('org') or at a 'project' level. Default is 'project'. | string | "project" | no |
title | The human-readable title to assign to the custom IAM role. If left blank (default), a suitable title will be created. | string | null | no |
Outputs:

Name | Description |
---|---|
qualified_role_id | The qualified role id for the custom F5 Distributed Cloud role, in the form projects/PROJECT/roles/ROLE_ID or organizations/ORG_ID/roles/ROLE_ID depending on target_type. |