This module allows simplified creation and management of a service account and its IAM bindings.
Note that outputs have no dependencies on IAM bindings, to prevent resource cycles.

```hcl
module "myproject-default-service-accounts" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "vm-default"
  # authoritative roles granted *on* the service accounts to other identities
  iam = {
    "roles/iam.serviceAccountUser" = ["group:${var.group_email}"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "${var.project_id}" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest modules=1 resources=4 inventory=basic.yaml e2e
```

Use the tag_bindings variable to attach tags to the service account. Provide project_number to prevent potential permadiffs with the tag binding resource.

```hcl
module "service-account-with-tags" {
  source         = "./fabric/modules/iam-service-account"
  project_id     = var.project_id
  name           = "test-service-account"
  project_number = var.project_number
  tag_bindings = {
    foo = "tagValues/123456789"
  }
}
# tftest modules=1 resources=2 inventory=tags.yaml
```

| name | description | resources |
|---|---|---|
| iam.tf | IAM bindings. | google_billing_account_iam_member · google_folder_iam_member · google_organization_iam_member · google_project_iam_member · google_service_account_iam_binding · google_service_account_iam_member · google_storage_bucket_iam_member |
| main.tf | Module-level locals and resources. | google_service_account · google_tags_tag_binding |
| outputs.tf | Module outputs. | |
| variables.tf | Module variables. | |
| versions.tf | Version pins. | |


| name | description | type | required | default |
|---|---|---|---|---|
| name | Name of the service account to create. | string | ✓ | |
| project_id | Project id where service account will be created. | string | ✓ | |
| create_ignore_already_exists | If set to true, skip service account creation if a service account with the same email already exists. | bool | | `null` |
| description | Optional description. | string | | `null` |
| display_name | Display name of the service account to create. | string | | `"Terraform-managed."` |
| iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | `{}` |
| iam_billing_roles | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) | | `{}` |
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | `{}` |
| iam_bindings_additive | Individual additive IAM bindings on the service account. Keys are arbitrary. | map(object({…})) | | `{}` |
| iam_folder_roles | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) | | `{}` |
| iam_organization_roles | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) | | `{}` |
| iam_project_roles | Project roles granted to this service account, by project id. | map(list(string)) | | `{}` |
| iam_sa_roles | Service account roles granted to this service account, by service account name. | map(list(string)) | | `{}` |
| iam_storage_roles | Storage roles granted to this service account, by bucket name. | map(list(string)) | | `{}` |
| prefix | Prefix applied to service account names. | string | | `null` |
| project_number | Project number of var.project_id. Set this to avoid permadiffs when creating tag bindings. | string | | `null` |
| service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | `true` |
| tag_bindings | Tag bindings for this service account, in key => tag value id format. | map(string) | | `{}` |

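
The variables above combine into a least-privilege pattern that the two examples earlier on the page do not show: referencing an existing service account instead of creating one, granting impersonation rights on it additively and under a condition, and giving it narrow read-only roles on a bucket and on another service account. The following is an added example, not part of the module's own documentation; the attribute names inside `iam_bindings_additive` (`member`, `role`, `condition` with `title` and `expression`) and the variables `var.ci_group_email`, `var.artifacts_bucket` and `var.runtime_sa_name` are assumptions, since the table only shows the type as `map(object({…}))`.

```hcl
# Added example (not the module's own documentation): reuse an existing
# service account and grant it narrowly scoped, additive permissions.
# The object shape of iam_bindings_additive (member, role, condition) and the
# var.* inputs are assumptions; the README only shows map(object({…})).
module "ci-deployer-sa" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "ci-deployer"
  # false: look up the existing account via a data source instead of creating it
  service_account_create = false

  # Additive bindings *on* this service account: who may mint tokens for it.
  # Keys are arbitrary; the condition limits the grant in time so a forgotten
  # binding expires instead of persisting.
  iam_bindings_additive = {
    ci_impersonation = {
      member = "group:${var.ci_group_email}"
      role   = "roles/iam.serviceAccountTokenCreator"
      condition = {
        title      = "expires-end-of-year"
        expression = "request.time < timestamp(\"2025-12-31T00:00:00Z\")"
      }
    }
  }

  # Non-authoritative roles granted *to* this service account on other
  # resources: read-only on one bucket, and the ability to act as one
  # specific runtime service account rather than any account in the project.
  iam_storage_roles = {
    (var.artifacts_bucket) = ["roles/storage.objectViewer"]
  }
  iam_sa_roles = {
    (var.runtime_sa_name) = ["roles/iam.serviceAccountUser"]
  }
}

# Outputs carry no dependency on the IAM bindings, so other resources can
# consume them without creating a resource cycle.
output "ci_deployer_iam_email" {
  value = module.ci-deployer-sa.iam_email
}
```

Because `iam_bindings_additive` and the `iam_*_roles` variables are non-authoritative, applying this configuration adds to whatever bindings already exist on the account, the bucket and the runtime service account; only the `iam` and `iam_bindings` variables replace the existing policy for a role on the service account itself.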

| name | description | sensitive |
|---|---|---|
| email | Service account email. | |
| iam_email | IAM-format service account email. | |
| id | Fully qualified service account id. | |
| name | Service account name. | |
| service_account | Service account resource. | |