This module allows simplified creation and management of a service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it, create a sensitive output in your root module referencing the key output, then extract the private key from the JSON-formatted outputs. Alternatively, the key can be generated with the openssl library and only the public part uploaded to the service account; for more details refer to the Onprem SA Key Management example.

Note that this module does not fully comply with our design principles, as outputs have no dependencies on IAM bindings, in order to prevent resource cycles.
Original Module from Cloud-Foundation-Fabric
This example creates a service account in the specified Google project:

```hcl
variable "project_id" {
  description = "project_id to create the service account in"
  type        = string
}

provider "google" {
}

resource "random_id" "service_account_name" {
  byte_length = 8
}

module "google_service_account" {
  source     = "../../"
  project_id = var.project_id
  name       = "sa-test-${random_id.service_account_name.hex}"
}
```
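Extending the minimal example above, the following root-module snippet (added here, not part of the original module README) shows the key-handling workflow the introduction describes: scoped IAM bindings in the {ROLE => [MEMBERS]} format, a generated key, and a sensitive output to retrieve it. The project id, group address and role choices are placeholders, and the extraction command assumes the key output exposes the google_service_account_key resource, whose private_key attribute holds the base64-encoded JSON credentials.

```hcl
# Added example: not the module's own code. "my-project", the group
# address and the roles below are placeholder values.
module "app_deployer_sa" {
  source     = "../../"
  project_id = "my-project"   # placeholder project id
  name       = "sa-app-deployer"
  prefix     = "prod"         # prefix applied to the service account name

  # Bindings on the service account itself, {ROLE => [MEMBERS]}.
  # Only the CI operators group may mint tokens for (impersonate) it.
  iam = {
    "roles/iam.serviceAccountTokenCreator" = [
      "group:ci-operators@example.com", # placeholder member
    ]
  }

  # Roles granted to the service account on a project, keyed by project id.
  # Prefer a narrow predefined role over broad roles such as roles/editor.
  iam_project_roles = {
    "my-project" = ["roles/run.developer"] # placeholder role choice
  }

  # Generate a key and keep it in Terraform state. The alternative is
  # generate_key = false plus .pem public keys in public_keys_directory,
  # so the private key never enters state.
  generate_key = true
}

# Marking the output sensitive redacts it from plan/apply output; it is
# only retrievable through an explicit `terraform output` call.
output "app_deployer_sa_key" {
  description = "Generated key for the app deployer service account."
  value       = module.app_deployer_sa.key
  sensitive   = true
}

# Extract the JSON credentials file from the sensitive output (shell),
# assuming the key output is the google_service_account_key resource:
#   terraform output -json app_deployer_sa_key \
#     | jq -r .private_key | base64 -d > sa-key.json
```

Because the key lives in state, treat the state backend with the same access controls as the credentials file itself.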
Name | Version |
---|---|
terraform | >= 1.3.1 |
google | >= 4.40.0 |
google-beta | >= 4.40.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | Name of the service account to create. | string | n/a | yes |
project_id | Project id where service account will be created. | string | n/a | yes |
description | Optional description. | string | null | no |
display_name | Display name of the service account to create. | string | "Terraform-managed." | no |
generate_key | Generate a key for service account. | bool | false | no |
group_memberships | Group IDs this service account should be a member of. | list(string) | [] | no |
iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | {} | no |
iam_additive | IAM additive bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | {} | no |
iam_billing_roles | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) | {} | no |
iam_folder_roles | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) | {} | no |
iam_organization_roles | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) | {} | no |
iam_project_roles | Project roles granted to this service account, by project id. | map(list(string)) | {} | no |
iam_sa_roles | Service account roles granted to this service account, by service account name. | map(list(string)) | {} | no |
iam_storage_roles | Storage roles granted to this service account, by bucket name. | map(list(string)) | {} | no |
prefix | Prefix applied to service account names. | string | null | no |
public_keys_directory | Path to public keys data files to upload to the service account (should have .pem extension). | string | "" | no |
service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool | true | no |
Name | Description |
---|---|
email | Service account email. |
iam_email | IAM-format service account email. |
id | Service account id. |
key | Service account key. |
name | Service account name. |
service_account | Service account resource. |
service_account_credentials | Service account JSON credential templates for uploaded public keys data. |
Resources used: only resource blocks are included; for_each and count meta arguments, as well as resource blocks of modules, are not considered.

No modules.
Name | Type |
---|---|
google_billing_account_iam_member.billing-roles | resource |
google_cloud_identity_group_membership.group-memberships | resource |
google_folder_iam_member.folder-roles | resource |
google_organization_iam_member.organization-roles | resource |
google_project_iam_member.project-roles | resource |
google_service_account_iam_binding.roles | resource |
google_service_account_iam_member.additive | resource |
google_service_account_iam_member.roles | resource |
google_storage_bucket_iam_member.bucket-roles | resource |
Name | Type |
---|---|
google_service_account.service_account | resource |
google_service_account_key.key | resource |
google_service_account_key.upload_key | resource |
google_service_account.service_account | data source |
This module is derived from the Google Cloud Foundation Fabric module iam-service-accounts v19. It is designed to be able to integrate new changes from the base repository. Refer to the guide in the terraform-google-landing-zone repository for information on integrating changes.