terraform-google-project-iam

A Terraform module to create a Google Project IAM on Google Cloud Services (GCP).

This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4. and 5._**

This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.

• Module Features
• Getting Started
• Module Argument Reference
  • Top-level Arguments
    • Main Resource Configuration
    • Module Configuration
• Module Outputs
• External Documentation
  • Google Documentation:
  • Terraform Google Provider Documentation:
• Module Versioning
  • Backwards compatibility in 0.0.z and 0.y.z version
• About Mineiros
• Reporting Issues
• Contributing
• Makefile Targets
• License

Module Features

A Terraform base module for creating a google_project_iam_* resources.

It allows authoritative bindings (exclusive setting members), non-authoritative (adding additional members), or policy based IAM management of resource level access.

Default GCP service accounts are added to specific roles.

Getting Started

Most basic usage just setting required arguments:

module "iam" {
  source = "github.com/mineiros-io/terraform-google-project-iam.git?ref=v0.3.0"

  project = "your-project-id"

  role    = "roles/editor"
  members = ["user:admin@example.com"]
}

module "audit" {
  source = "github.com/mineiros-io/terraform-google-project-iam.git?ref=v0.3.0"

  project = "your-project-id"

  audit_configs = [
    {
      service = "allServices"
      audit_log_configs = [
        {
          log_type = "DATA_WRITE"
        },
        {
          log_type = "DATA_READ"
        }
      ]
    }
  ]
}

Module Argument Reference

See variables.tf and examples/ for details and use-cases.

Top-level Arguments

Main Resource Configuration

• project: (Required string)

  The project id of the target project. This is not inferred from the provider.

• role: (Optional string)

  The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• members: (Optional set(string))

  Identities that will be granted the privilege in role. Each entry can have one of the following values:

  • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
  • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • computed:{identifier}: An existing key from var.computed_members_map.

  Default is [].

• computed_members_map: (Optional map(string))

  A map of identifiers to identities to be replaced in 'var.members' or in members of policy_bindings to handle terraform computed values. The format of each value must satisfy the format as described in var.members.

  Default is {}.

• authoritative: (Optional bool)

  Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.

  Default is false.

• condition: (Optional object(condition))

  An IAM Condition for the target project IAM binding.

  Example:

  role          = "roles/storage.admin"
  authoritative = true
  condition = {
    title = "no_terraform_state_access"
    expression = <<EOT
      resource.type ==  "storage.googleapis.com/Bucket" &&
      resource.name != "terraform-state"
    EOT
  }

  The condition object accepts the following attributes:

  • expression: (Required string)

    Textual representation of an expression in Common Expression Language syntax.

  • title: (Required string)

    A title for the expression, i.e., a short string describing its purpose.

  • description: (Optional string)

    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• policy_bindings: (Optional list(policy_binding))

  A list of IAM policy bindings.

  You can accidentally lock yourself out of your project using this resource. Deleting a google_project_iam_policy removes access from anyone without organization-level access to the project. Proceed with caution. It's not recommended to use google_project_iam_policy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by Terraform. If you do use this resource, it's recommended to import the policy before applying the change.

  Example:

  policy_bindings = [{
    role    = "roles/viewer"
    members = ["user:member@example.com"]
  }]

  Each policy_binding object in the list accepts the following attributes:

  • role: (Required string)

    The role that should be applied.

  • members: (Optional set(string))

    Identities that will be granted the privilege in role.

    Default is var.members.

  • condition: (Optional object(condition))

    An IAM Condition for a given binding.

    Example:

    condition = {
      expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")"
      title      = "expires_after_2021_12_31"
    }

    The condition object accepts the following attributes:

    • expression: (Required string)

      Textual representation of an expression in Common Expression Language syntax.

    • title: (Required string)

      A title for the expression, i.e. a short string describing its purpose.

    • description: (Optional string)

      An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• audit_configs: (Optional object(audit_log))

  List of audit logs settings to be enabled.

  Example:

  audit_configs = [
    {
      service = "allServices"
      audit_log_configs = [
        {
          log_type         = "DATA_WRITE"
          exempted_members = ["user:example@example.com"]
        }
      ]
    }
  ]

  The audit_log object accepts the following attributes:

  • service: (Required string)

    Service which will be enabled for audit logging.

    The special value allServices covers all services.

    Note that if there are google_project_iam_audit_config resources covering both allServices and a specific service then the union of the two AuditConfigs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

  • audit_log_configs: (Required list(audit_log_config))

    A list of logging configurations for each type of permission.

    Each audit_log_config object in the list accepts the following attributes:

    • log_type: (Required string)

      Permission type for which logging is to be configured.

      Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

    • exempted_members: (Optional set(string))

      Identities that do not cause logging for this type of permission.

      The format is the same as that for var.members.

Module Configuration

• module_enabled: (Optional bool)

  Specifies whether resources in the module will be created.

  Default is true.

• module_depends_on: (Optional list(dependency))

  A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.

  Example:

  module_depends_on = [
    google_network.network
  ]

Module Outputs

The following attributes are exported in the outputs of the module:

• iam: (object(iam))

  All attributes of the created iam_binding or iam_member or iam_policy resource according to the mode.

External Documentation

Google Documentation:

• Project Access Control: https://cloud.google.com/resource-manager/docs/access-control-proj
• Default service accounts: https://cloud.google.com/iam/docs/service-accounts#default
• Google managed service accounts https://cloud.google.com/iam/docs/service-accounts#google-managed

Terraform Google Provider Documentation:

• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

Module Versioning

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

1. MAJOR version when we make incompatible changes,
2. MINOR version when we add functionality in a backwards compatible manner, and
3. PATCH version when we make backwards compatible bug fixes.

Backwards compatibility in 0.0.z and 0.y.z version

• Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
• Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

About Mineiros

Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.

Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.

We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Contributing

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

Makefile Targets

This repository comes with a handy Makefile. Run make help to see details on each available target.

License

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2020-2022 Mineiros GmbH