Skip to content

Latest commit

 

History

History
 
 

iam-service-account

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

Google Service Account Module

This module allows simplified creation and management of one a service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it create a sensitive output in your root modules referencing the key output, then extract the private key from the JSON formatted outputs.

Example

module "myproject-default-service-accounts" {
  source            = "./modules/iam-service-account"
  project_id        = "myproject"
  name              = "vm-default"
  generate_key      = true
  # authoritative roles granted *on* the service accounts to other identities
  iam       = {
    "roles/iam.serviceAccountUser" = ["user:[email protected]"]
  }
  # non-authoritative roles granted *to* the service accounts on other resources
  iam_project_roles = {
    "myproject" = [
      "roles/logging.logWriter",
      "roles/monitoring.metricWriter",
    ]
  }
}
# tftest:modules=1:resources=5

Variables

name description type required default
name Name of the service account to create. string
project_id Project id where service account will be created. string
display_name Display name of the service account to create. string Terraform-managed.
generate_key Generate a key for service account. bool false
iam IAM bindings on the service account in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_billing_roles Project roles granted to the service account, by billing account id. map(list(string)) {}
iam_folder_roles Project roles granted to the service account, by folder id. map(list(string)) {}
iam_organization_roles Project roles granted to the service account, by organization id. map(list(string)) {}
iam_project_roles Project roles granted to the service account, by project id. map(list(string)) {}
iam_storage_roles Storage roles granted to the service account, by bucket name. map(list(string)) {}
prefix Prefix applied to service account names. string null
service_account_create Create service account. When set to false, uses a data source to reference an existing service account. bool true

Outputs

name description sensitive
email Service account email.
iam_email IAM-format service account email.
key Service account key.
service_account Service account resource.