This module allows simplified creation and management of a service account and its IAM bindings.
A key can optionally be generated and will be stored in Terraform state. To use it, create a sensitive output in your root module referencing the `key` output, then extract the private key from the JSON-formatted outputs. Because the private key then lives in state, anyone who can read the state backend can use the key, so the backend needs the same protection as the key itself.
Alternatively, the key can be generated with the openssl library and only the public part uploaded to the service account; for details refer to the Onprem SA Key Management example.
Note that outputs have no dependencies on IAM bindings to prevent resource cycles.
```hcl
module "myproject-default-service-accounts" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "vm-default"
  # authoritative roles granted *on* the service accounts to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["group:${var.group_email}"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "${var.project_id}" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest modules=1 resources=4 inventory=basic.yaml e2e
```
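Extracting the generated key from the root module's sensitive output, as an added example that is not part of this module: it assumes a hypothetical root output named `sa_key` wrapping the module's `key` output, that `private_key` on that resource carries the base64-encoded JSON credential file (the `google_service_account_key` behaviour), and feeds a constructed `terraform output -json` document with a placeholder key body.

```python
import base64
import json
import os

# Constructed stand-in for `terraform output -json`; the key body is a placeholder.
_CREDENTIAL = {
    "type": "service_account",
    "project_id": "my-project",
    "client_email": "vm-default@my-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}
TF_OUTPUT_JSON = json.dumps({
    "sa_key": {  # hypothetical root-module output referencing module.<name>.key
        "sensitive": True,
        "type": ["object", {"private_key": "string"}],
        "value": {"private_key": base64.b64encode(json.dumps(_CREDENTIAL).encode()).decode()},
    }
})


def extract_credential(tf_output_json: str, output_name: str = "sa_key") -> dict:
    """Decode the base64 JSON credential held in a sensitive Terraform output.

    Refuses outputs not marked sensitive: those are printed by a plain
    `terraform output` and end up in CI logs.
    """
    entry = json.loads(tf_output_json)[output_name]
    if not entry.get("sensitive"):
        raise ValueError(f"output {output_name!r} is not marked sensitive")
    cred = json.loads(base64.b64decode(entry["value"]["private_key"]))
    if cred.get("type") != "service_account" or "private_key" not in cred:
        raise ValueError("decoded value is not a service account credential file")
    return cred


def write_credential(cred: dict, path: str) -> int:
    """Write the credential file owner-readable only (mode 0600); returns the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cred, f)
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    cred = extract_credential(TF_OUTPUT_JSON)
    mode = write_credential(cred, "sa-key.json")
    print(f"wrote credential for {cred['client_email']} with mode {mode:o}")
```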
name | description | resources |
---|---|---|
iam.tf | IAM bindings. | google_billing_account_iam_member · google_folder_iam_member · google_organization_iam_member · google_project_iam_member · google_service_account_iam_binding · google_service_account_iam_member · google_storage_bucket_iam_member |
main.tf | Module-level locals and resources. | google_service_account · google_service_account_key |
outputs.tf | Module outputs. | |
variables.tf | Module variables. | |
versions.tf | Version pins. | |
name | description | type | required | default |
---|---|---|---|---|
name | Name of the service account to create. | string | ✓ | |
project_id | Project id where the service account will be created. | string | ✓ | |
description | Optional description. | string | | null |
display_name | Display name of the service account to create. | string | | "Terraform-managed." |
generate_key | Generate a key for the service account. | bool | | false |
iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
iam_billing_roles | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) | | {} |
iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
iam_bindings_additive | Individual additive IAM bindings on the service account. Keys are arbitrary. | map(object({…})) | | {} |
iam_folder_roles | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) | | {} |
iam_organization_roles | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) | | {} |
iam_project_roles | Project roles granted to this service account, by project id. | map(list(string)) | | {} |
iam_sa_roles | Service account roles granted to this service account, by service account name. | map(list(string)) | | {} |
iam_storage_roles | Storage roles granted to this service account, by bucket name. | map(list(string)) | | {} |
prefix | Prefix applied to service account names. | string | | null |
public_keys_directory | Path to public keys data files to upload to the service account (should have .pem extension). | string | | "" |
service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | true |
name | description | sensitive |
---|---|---|
email | Service account email. | |
iam_email | IAM-format service account email. | |
id | Fully qualified service account id. | |
key | Service account key. | ✓ |
name | Service account name. | |
service_account | Service account resource. | |
service_account_credentials | Service account JSON credential templates for uploaded public keys data. | |