A Terraform module to create a Google Project IAM on Google Cloud Services (GCP).

This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 3.

This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.

• Module Features
• Getting Started
• Module Argument Reference
  • Top-level Arguments
    • Module Configuration
    • Main Resource Configuration
    • Extended Resource Configuration
• Module Attributes Reference
• External Documentation
• Module Versioning
  • Backwards compatibility in 0.0.z and 0.y.z version
• About Mineiros
• Reporting Issues
• Contributing
• Makefile Targets
• License

A Terraform base module for creating a google_project_iam_* resources.

It allows authoritative bindings (exclusive setting members), non-authoritative (adding additional members), or policy based IAM management of resource level access.

Most basic usage just setting required arguments:

module "terraform-google-project-iam" {
  source = "github.com/mineiros-io/terraform-google-project-iam.git?ref=v0.1.0"

  project = "your-project-id"
  role    = "roles/editor"
  members = ["user:admin@example.com"]
}

See variables.tf and examples/ for details and use-cases.

• module_enabled: (Optional bool)

  Specifies whether resources in the module will be created. Default is true.

• module_depends_on: (Optional list(dependencies))

  A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.

  Example:

  module_depends_on = [
    google_network.network
  ]

• project: (Required string)

  The project id of the target project. This is not inferred from the provider.

• role: (Optional string)

  The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• members: (Optional set(string))

  Identities that will be granted the privilege in role. Each entry can have one of the following values:

  • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
  • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

  Default is [].

• authoritative: (Optional bool)

  Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.

  Default is false.

• condition: (Optional object(condition))

  An IAM Condition for the target project IAM binding.

  Example

  role          = "roles/storage.admin"
  authoritative = true
  condition = {
    title = "no_terraform_state_access"
    expression = <<EOT
      resource.type ==  "storage.googleapis.com/Bucket" &&
      resource.name != "terraform-state"
    EOT
  }

  A condition object accepts the following fields:

  • expression: (Required string)

    Textual representation of an expression in Common Expression Language syntax.

  • title: (Required string)

    A title for the expression, i.e., a short string describing its purpose.

  • description: (Optional string)

    An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

• policy_bindings: (Optional list(policy_bindings))

  A list of IAM policy bindings.

  You can accidentally lock yourself out of your project using this resource. Deleting a google_project_iam_policy removes access from anyone without organization-level access to the project. Proceed with caution. It's not recommended to use google_project_iam_policy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by Terraform. If you do use this resource, it's recommended to import the policy before applying the change.

  Example

  policy_bindings = [{
    role    = "roles/viewer"
    members = ["user:member@example.com"]
  }]

  Each policy_bindings object accepts the following fields:

  • role: (Required string)

    The role that should be applied.

  • members: (Optional set(string))

    Identities that will be granted the privilege in role.

    Default is var.members.

  • condition: (Optional object(condition))

    An IAM Condition for a given binding.

    Example

    condition = {
      expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")"
      title      = "expires_after_2021_12_31"
    }

    A condition object accepts the following fields:

    • expression: (Required string)

      Textual representation of an expression in Common Expression Language syntax.

    • title: (Required string)

      A title for the expression, i.e. a short string describing its purpose.

    • description: (Optional string)

      An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

The following attributes are exported in the outputs of the module:

• module_enabled

  Whether this module is enabled.

• iam

  All attributes of the created 'iam_binding' or 'iam_member' or 'iam_policy' resource according to the mode.

• Project Access Control: https://cloud.google.com/resource-manager/docs/access-control-proj

• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

1. MAJOR version when we make incompatible changes,
2. MINOR version when we add functionality in a backwards compatible manner, and
3. PATCH version when we make backwards compatible bug fixes.

• Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
• Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.

Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.

We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.

We use GitHub Issues to track community reported issues and missing features.

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

This repository comes with a handy Makefile. Run make help to see details on each available target.

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2020-2021 Mineiros GmbH