  • Stars: 189
  • Rank: 204,649 (Top 5 %)
  • Language: HCL
  • License: Apache License 2.0
  • Created over 6 years ago
  • Updated 2 months ago


Repository Details

Manages multiple IAM roles for resources on Google Cloud

Google IAM Terraform Module

This is a collection of submodules, one per resource type (see IAM Bindings below), that make it easier to non-destructively manage multiple IAM roles for resources on Google Cloud Platform.

Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v6.4.1.

Upgrading

The following guides are available to assist with upgrades:

Usage

Full examples are in the examples folder, but basic usage is as follows for managing roles on two projects:

module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 7.6"

  projects = ["project-123456", "project-9876543"]

  bindings = {
    "roles/storage.admin" = [
      "group:storage-admins@example.com",
      "user:someone@example.com",
    ]

    "roles/compute.networkAdmin" = [
      "group:network-admins@example.com",
      "user:someone@example.com",
    ]

    "roles/compute.imageUser" = [
      "user:someone@example.com",
    ]
  }
}

The module also offers an authoritative mode, in which each listed role is set to exactly the listed members: any member of that role that was granted outside Terraform is removed on the next apply, while roles not listed in the module are left alone. This is an example of using the authoritative mode to manage access to a storage bucket:

module "storage_buckets_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
  version = "~> 8.0"

  storage_buckets = ["my-storage-bucket"]

  mode = "authoritative"

  bindings = {
    "roles/storage.legacyBucketReader" = [
      "user:someone@example.com",
      "group:bucket-readers@example.com",
    ]

    "roles/storage.legacyBucketWriter" = [
      "user:someone@example.com",
      "group:bucket-writers@example.com",
    ]
  }
}

Additive and Authoritative Modes

The mode variable controls a submodule's behavior. By default it is set to "additive"; the possible options are:

  • additive: add the listed members to each listed role; members already on the role are left in place.
  • authoritative: set each listed role's members exactly (removing any member not listed); roles not listed are not affected.

In authoritative mode, a submodule takes full control over the IAM bindings listed in the module. This means that any members added to roles outside the module will be removed the next time Terraform runs. However, roles not listed in the module will be unaffected.

In additive mode, a submodule leaves existing bindings unaffected. Instead, any members listed in the module will be added to the existing set of IAM bindings. However, members listed in the module are fully controlled by the module. This means that if you add a binding via the module and later remove it, the module will correctly handle removing the role binding.
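To see what each mode would do to an existing policy before running terraform apply, here is an added example (not code from the terraform-google-iam module) that models both modes over a project IAM policy document. The policy, the principals, the PREVIOUSLY_MANAGED map (standing in for what Terraform state says the module granted last time) and the function names are constructed for illustration; in practice you would feed it the output of gcloud projects get-iam-policy PROJECT --format=json and the bindings map from your module call.

```python
"""Dry-run model of the projects_iam submodule's `additive` and
`authoritative` modes, so the effect of a mode switch or a config change can
be reviewed before `terraform apply`.

Added example, not the module's own code. Everything below is constructed:
the policy mirrors the shape of `gcloud projects get-iam-policy --format=json`,
the principals are placeholders, and PREVIOUSLY_MANAGED is an assumption about
what Terraform state recorded on the previous apply.
"""

# Constructed sample: the project's policy before Terraform runs.
CURRENT_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.admin",
            "members": [
                "group:devs@example.com",
                "user:alice@example.com",
                "user:bob@example.com",
                "user:contractor@example.org",  # granted by hand, outside Terraform
            ],
        },
        # Not listed in the module call; must survive in both modes.
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
    ],
}

# The `bindings` map passed to the module (same shape as the Usage example).
DESIRED_BINDINGS = {
    "roles/storage.admin": ["group:devs@example.com", "user:alice@example.com"],
    "roles/compute.imageUser": ["user:alice@example.com"],
}

# Assumed: members this module call granted on the last apply (from state).
# In additive mode only these, never hand-added members, are removed when
# they disappear from the config.
PREVIOUSLY_MANAGED = {
    "roles/storage.admin": [
        "group:devs@example.com",
        "user:alice@example.com",
        "user:bob@example.com",  # was in the config last time, now dropped
    ],
}


def policy_to_map(policy):
    """{role: set(members)} view of a GCP IAM policy document."""
    return {b["role"]: set(b["members"]) for b in policy.get("bindings", [])}


def map_to_policy(role_map):
    """Back to the gcloud document shape, sorted so diffs are stable."""
    return {"bindings": [{"role": r, "members": sorted(role_map[r])}
                         for r in sorted(role_map)]}


def apply_mode(policy, bindings, mode, previously_managed=None):
    """Return (resulting {role: set(members)}, {role: set(removed members)}).

    authoritative: each listed role ends up with exactly the listed members.
    additive:      listed members are added; members this call managed before
                   but no longer lists are removed; anything else stays.
    Roles absent from `bindings` are untouched in both modes (roles dropped
    from the config entirely are outside this model).
    """
    if mode not in ("additive", "authoritative"):
        raise ValueError(f"unknown mode {mode!r}")
    previously_managed = previously_managed or {}
    current = policy_to_map(policy)
    result = {role: set(members) for role, members in current.items()}
    removed = {}
    for role, members in bindings.items():
        wanted = set(members)
        have = current.get(role, set())
        if mode == "authoritative":
            dropped = have - wanted
            result[role] = set(wanted)
        else:
            stale = set(previously_managed.get(role, ())) - wanted
            dropped = have & stale
            result[role] = (have - stale) | wanted
        if dropped:
            removed[role] = dropped
    return result, removed


def members_at_risk(policy, bindings):
    """Pre-switch check: (role, member) pairs an authoritative apply would
    strip from the listed roles. Review this list before changing mode."""
    _, removed = apply_mode(policy, bindings, "authoritative")
    return sorted((role, m) for role, ms in removed.items() for m in ms)


if __name__ == "__main__":
    for mode in ("additive", "authoritative"):
        result, removed = apply_mode(
            CURRENT_POLICY, DESIRED_BINDINGS, mode, PREVIOUSLY_MANAGED)
        print(f"--- mode = {mode}")
        for b in map_to_policy(result)["bindings"]:
            print(f"{b['role']}: {b['members']}")
        print("removed:", {r: sorted(m) for r, m in removed.items()})
    print("at risk if switched to authoritative:",
          members_at_risk(CURRENT_POLICY, DESIRED_BINDINGS))
```

Run it against a real policy export before flipping a submodule from additive to authoritative: every pair printed by members_at_risk is access that the next apply silently revokes, which is exactly the break-glass or hand-granted access that tends to be missing from code.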

Caveats

Referencing values/attributes from other resources

Each submodule performs operations over some variables before making any changes to the IAM bindings in GCP. Because of the limitations of for_each (its keys must be known at plan time), which is widely used in the submodules, there are certain limitations to what kind of dynamic values you can provide to a submodule:

  1. Dynamic entity names (for example a project ID computed by another resource) are only allowed when a single entity is passed.
  2. If you pass 2 or more entities (for example projects), the list MUST be static, meaning it can't use any other resource's attributes to derive an entity name (this includes suffixes generated by the random_id resource).
  3. The role names themselves can never be dynamic.
  4. Members may only be dynamic in authoritative mode.

IAM Bindings

You can choose the following resource types to apply the IAM bindings:

  • Projects (projects variable)
  • Organizations (organizations variable)
  • Folders (folders variable)
  • Service Accounts (service_accounts variable)
  • Subnetworks (subnets variable)
  • Storage buckets (storage_buckets variable)
  • Pub/Sub topics (pubsub_topics variable)
  • Pub/Sub subscriptions (pubsub_subscriptions variable)
  • KMS Key Rings (kms_key_rings variable)
  • KMS Crypto Keys (kms_crypto_keys variable)
  • Secret Manager Secrets (secrets variable)
  • DNS Zones (managed_zones variable)

Set the corresponding variable on the module call to choose the resources to affect. Remember to set the mode variable, and make sure the principal running Terraform has enough permissions to manage the selected resource (see Permissions below). Note that the bindings variable accepts an empty map {} when there are no IAM bindings to apply.

Requirements

Terraform plugins

Permissions

In order to run a submodule, the principal Terraform authenticates as (typically a Service Account) needs a role that can read and write the IAM policy of the targeted resource. The appropriate role differs depending on which resource you are targeting, as follows:

  • Organization:
    • Organization Administrator: Access to administer all resources belonging to the organization and does not include privileges for billing or organization role administration.
    • Custom: Add resourcemanager.organizations.getIamPolicy and resourcemanager.organizations.setIamPolicy permissions.
  • Project:
    • Owner: Full access and all permissions for all resources of the project.
    • Projects IAM Admin: allows users to administer IAM policies on projects.
    • Custom: Add resourcemanager.projects.getIamPolicy and resourcemanager.projects.setIamPolicy permissions.
  • Folder:
    • Folder Admin: All available folder permissions.
    • Folder IAM Admin: Allows users to administer IAM policies on folders.
    • Custom: Add resourcemanager.folders.getIamPolicy and resourcemanager.folders.setIamPolicy permissions (must be added in the organization).
  • Service Account:
    • Service Account Admin: Create and manage service accounts.
    • Custom: Add iam.serviceAccounts.getIamPolicy and iam.serviceAccounts.setIamPolicy permissions.
  • Subnetwork:
    • Project compute admin: Full control of Compute Engine resources.
    • Project compute network admin: Full control of Compute Engine networking resources.
    • Project custom: Add compute.subnetworks.getIamPolicy and compute.subnetworks.setIamPolicy permissions.
  • Storage bucket:
    • Storage Admin: Full control of GCS resources.
    • Storage Legacy Bucket Owner: Read and write access to existing buckets with object listing/creation/deletion.
    • Custom: Add storage.buckets.getIamPolicy and storage.buckets.setIamPolicy permissions.
  • Pub/Sub topic:
    • Pub/Sub Admin: Full access to topics and subscriptions.
    • Custom: Add pubsub.topics.getIamPolicy and pubsub.topics.setIamPolicy permissions.
  • Pub/Sub subscription:
    • Pub/Sub Admin: Full access to topics and subscriptions.
    • Custom: Add pubsub.subscriptions.getIamPolicy and pubsub.subscriptions.setIamPolicy permissions.
  • Kms Key Ring:
    • Owner: Full access to all resources.
    • Cloud KMS Admin: Enables management of crypto resources.
    • Custom: Add cloudkms.keyRings.getIamPolicy and cloudkms.keyRings.setIamPolicy permissions.
  • Kms Crypto Key:
    • Owner: Full access to all resources.
    • Cloud KMS Admin: Enables management of crypto resources.
    • Custom: Add cloudkms.cryptoKeys.getIamPolicy and cloudkms.cryptoKeys.setIamPolicy permissions.
  • Secret Manager:
    • Secret Manager Admin: Full access to administer Secret Manager.
    • Custom: Add secretmanager.secrets.getIamPolicy and secretmanager.secrets.setIamPolicy permissions.
  • DNS Zone:
    • DNS Administrator: Full access to administer DNS Zones.
    • Custom: Add dns.managedZones.setIamPolicy, dns.managedZones.list and dns.managedZones.getIamPolicy permissions.

Install

Terraform

Be sure you have a Terraform version this module supports (0.13 or later; see Compatibility above). You can choose the binary here:

Terraform plugins

Be sure you have the compiled plugins on $HOME/.terraform.d/plugins/

See each plugin page for more information about how to compile and use them.

Fast install (optional)

For a fast install, please configure the variables on init_centos.sh or init_debian.sh script and then launch it.

The script will do the following (note that the Terraform 0.10.x and Go 1.9.0 versions it installs predate the Terraform 0.13+ requirement stated under Compatibility, so check and adjust the versions before relying on it):

  • Environment variables setting
  • Installation of base packages like wget, curl, unzip, gcloud, etc.
  • Installation of go 1.9.0
  • Installation of Terraform 0.10.x
  • Download the terraform-provider-google plugin
  • Compile the terraform-provider-google plugin
  • Move the terraform-provider-google to the right location
