Skip to content
/ terraform-google-folder-iam Public

A Terraform module to manage Identity and Access Management (IAM) for folders in Google Cloud https://cloud.google.com/functions

License

Apache-2.0 license
2 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mineiros-io/terraform-google-folder-iam

BranchesTags

Repository files navigation

Build Status GitHub tag (latest SemVer) Terraform Version Google Provider Version Join Slack

terraform-google-folder-iam

A Terraform module to create a Google Folder IAM on Google Cloud Services (GCP).

This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4. and 5._**

This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.

Module Features

This module implements the following terraform resources:

  • google_folder_iam_binding
  • google_folder_iam_member
  • google_folder_iam_policy

Getting Started

Most basic usage just setting required arguments:

module "terraform-google-folder-iam" {
  source = "github.com/mineiros-io/terraform-google-folder-iam.git?ref=v0.2.0"

  folder  = "folders/1234567"
  role    = "roles/editor"
  members = ["user:admin@example.com"]
}

Module Argument Reference

See variables.tf and examples/ for details and use-cases.

Top-level Arguments

Module Configuration

  • module_enabled: (Optional bool)

    Specifies whether resources in the module will be created.

    Default is true.

  • module_depends_on: (Optional list(dependency))

    A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.

    Example:

    module_depends_on = [
  google_network.network
]

Main Resource Configuration

  • folder: (Required string)

    The resource name of the folder the policy is attached to. Its format is folders/{folder_id}.

  • role: (Optional string)

    The role that should be applied. Only one google_folder_iam_binding can be used per role. Note that custom roles must be of the format organizations/{{org_id}}/roles/{{role_id}}.

  • members: (Optional set(string))

    Identities that will be granted the privilege in role. Each entry can have one of the following values:

    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    • computed:{identifier}: An existing key from var.computed_members_map.

    Default is [].

  • computed_members_map: (Optional map(string))

    A map of members to replace in var.members or in members of var.policy_bindings to handle terraform computed values.

    Default is {}.

    Example:

    computed_members_map = {
  myserviceaccount = "serviceAccount:example@mail.com"
}

  • authoritative: (Optional bool)

    Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.

    Default is true.

  • condition: (Optional object(condition))

    An IAM Condition for a given binding.

    The condition object accepts the following attributes:

    • expression: (Required string)

      Textual representation of an expression in Common Expression Language syntax.

    • title: (Required string)

      A title for the expression, i.e. a short string describing its purpose.

    • description: (Optional string)

      An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • policy_bindings: (Optional list(policy_binding))

    A list of IAM policy bindings.

    Example:

    policy_bindings = [{
  role    = "roles/viewer"
  members = ["user:member@example.com"]
}]

    Each policy_binding object in the list accepts the following attributes:

    • role: (Required string)

      The role that should be applied.

    • members: (Optional set(string))

      Identities that will be granted the privilege in role.

      Default is var.members.

    • condition: (Optional object(condition))

      An IAM Condition for a given binding.

      Example:

      condition = {
  expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")"
  title      = "expires_after_2021_12_31"
}

      The condition object accepts the following attributes:

      • expression: (Required string)

        Textual representation of an expression in Common Expression Language syntax.

      • title: (Required string)

        A title for the expression, i.e. a short string describing its purpose.

      • description: (Optional string)

        An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • audit_configs: (Optional object(audit_config))

    List of audit logs settings to be enabled.

    Example:

    # Enable full audit log coverage for all services
audit_configs = [
    {
        service = "allServices"
        configs = [
            {
                log_type = "DATA_READ"
            },
            {
                log_type = "DATA_WRITE"
            },
            {
                log_type = "ADMIN_READ"
            },
        ]
    }
]

    The audit_config object accepts the following attributes:

    • service: (Required string)

      Service which will be enabled for audit logging.

      The special value allServices covers all services. Note that if there are audit_configs covering both allServices and a specific service then the union of the two audit_configs is used for that service: the log_types specified in each audit_log_config are enabled, and the exempted_members in each audit_log_config are exempted.

    • audit_log_configs: (Required list(audit_log_config))

      A list of logging configurations for each type of permission.

      Example:

      audit_log_configs = [{
  log_type = "ADMIN_READ"
  exempted_members = [
    "user:example@example.com"
  ]
},
{
  log_type = "DATA_WRITE"
}]

      Each audit_log_config object in the list accepts the following attributes:

      • log_type: (Required string)

        Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ.

      • exempted_members: (Optional set(string))

        Identities that do not cause logging for this type of permission. The format is the same as that for var.members.

Module Outputs

The following attributes are exported in the outputs of the module:

  • module_enabled: (bool)

    Whether this module is enabled.

  • iam: (object(iam))

    All attributes of the created iam_binding or iam_member or iam_policy resource according to the mode.

External Documentation

Google Documentation:

Terraform Google Provider Documentation:

Module Versioning

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

  1. MAJOR version when we make incompatible changes,
  2. MINOR version when we add functionality in a backwards compatible manner, and
  3. PATCH version when we make backwards compatible bug fixes.

Backwards compatibility in 0.0.z and 0.y.z version

  • Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
  • Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

About Mineiros

Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.

Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.

We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Contributing

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

Makefile Targets

This repository comes with a handy Makefile. Run make help to see details on each available target.

License

license

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2020-2022 Mineiros GmbH

About

A Terraform module to manage Identity and Access Management (IAM) for folders in Google Cloud https://cloud.google.com/functions

Topics

terraform iac terraform-modules mineiros

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

2 stars

Watchers

8 watching

Forks

4 forks
Report repository

Releases 7

v0.3.0 Latest
Feb 19, 2024
+ 6 releases

Packages

No packages published

Contributors 9

Languages