
GCP: Remove IAM policy from Service Account using Terraform

I'm creating an App Engine app using the following module: google_app_engine_flexible_app_version.

By default, Google creates a Default App Engine Service Account with roles/editor permissions.

I want to reduce the permissions of my App Engine app. Therefore, I want to remove the roles/editor permission and add my custom role to it.

In order to remove it I know I can use the gcloud projects remove-iam-policy-binding CLI. But I want it to be part of my terraform plan.

If you are using https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_flexible_app_version to create your infrastructure then you must have seen the following line in it.

  role    = "roles/compute.networkUser"

This role is used when setting up your infra and you can tinker with it after referring to https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_deny_policy

Note: When setting up the role, please ensure valid permissions are in place for your App Engine app to work properly.

I. Using the Provided Terraform Code as a Template & Tinkering with It

One simple hack I would suggest is to (1) first set up your infrastructure with the basic terraform code you have, then (2) update/tinker your infra as per your expectations, and (3) run terraform refresh and terraform plan to find the differences required to update your code.

Below is not related, but serves only as an example.

resource "google_dns_record_set" "default" {
  name         = google_dns_managed_zone.default.dns_name
  managed_zone = google_dns_managed_zone.default.name
  type         = "A"
  ttl          = 300
  rrdatas = [
    google_compute_instance.default.network_interface.0.access_config.0.nat_ip
  ]
}

Above is the code for creating a DNS record using Terraform. After steps 1, 2 & 3 mentioned above, I get the following differences to update my code:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_dns_record_set.default will be updated in-place
  ~ resource "google_dns_record_set" "default" {
        id           = "projects/mmterraform03/managedZones/example-zone-googlecloudexample/rrsets/googlecloudexample.com./A"
        name         = "googlecloudexample.com."
      ~ ttl          = 360 -> 300
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

II. Using Terraform Import

Google Cloud Platform tools - gcloud, terraform and several other open source platforms are available today that can read your existing infrastructure and write Terraform code for you.

So you can check terraform import or Google's docs - https://cloud.google.com/docs/terraform/resource-management/import#:~:text=Terraform%20can%20import%20existing%20infrastructure,manage%20your%20deployment%20in%20Terraform.

But to use this method, you have to set up your infrastructure first. You either do it completely manually from the Google Console UI or use terraform first and then update it.

As a third (III) option, you can reach out to/hire a Terraform expert to do this task for you, but options I and II work best for many cases.

On a different note, please see https://stackoverflow.com/help/how-to-ask and https://stackoverflow.com/help/minimal-reproducible-example. Opinion-based and how/what-to-do questions are usually discouraged on Stack Overflow.

This is one situation where you might consider using google_project_iam_policy.

That could be used to knock out the Editor role, but it will knock out everything else you don't explicitly list in the policy!

Beware - There is a risk of locking yourself out of your project if you are not sure what you are doing.

Another option would be to use a custom service account. Use terraform to create the account and apply the desired roles. Use gcloud app deploy --service-account={custom-sa} to deploy a service to app engine that uses the custom account.

But you may still wish to remove the Editor role from the default service account. Given that you already have the gcloud command to do it (gcloud projects remove-iam-policy-binding), you could use the terraform-google-gcloud resource to execute the command from Terraform.

See also this feature request.
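The custom-service-account route from the answer above, as an added example that is not part of either answer: Terraform (hashicorp/google provider) creates a dedicated runtime account, a custom role holding only the permissions the app needs, and an additive binding, so the default App Engine account's roles/editor grant is never relied on. The account id, role id, permission list and the project_id variable are assumptions; the App Engine service is then deployed with gcloud app deploy --service-account as the answer describes.

```hcl
# Added example, not from the original answers. All names are assumptions;
# project_id is a placeholder supplied by the caller.
variable "project_id" {
  type = string
}

# Dedicated runtime identity for the App Engine service, used instead of the
# default <project>@appspot.gserviceaccount.com account that carries roles/editor.
resource "google_service_account" "appengine_runtime" {
  account_id   = "appengine-runtime"
  display_name = "App Engine runtime (least privilege)"
  project      = var.project_id
}

# Custom role listing only what the app actually calls (assumed set; adjust to
# your service). This is what replaces the broad roles/editor grant.
resource "google_project_iam_custom_role" "appengine_runtime" {
  role_id = "appEngineRuntime"
  title   = "App Engine runtime"
  project = var.project_id
  permissions = [
    "logging.logEntries.create",
    "monitoring.timeSeries.create",
    "storage.objects.get",
  ]
}

# Non-authoritative (additive) binding: it grants this one member this one role
# and leaves every other binding in the project policy untouched, unlike an
# authoritative google_project_iam_policy, which replaces the whole policy.
resource "google_project_iam_member" "appengine_runtime" {
  project = var.project_id
  role    = google_project_iam_custom_role.appengine_runtime.id
  member  = "serviceAccount:${google_service_account.appengine_runtime.email}"
}

# Command to deploy the service so it runs as the custom account.
output "deploy_command" {
  value = "gcloud app deploy --service-account=${google_service_account.appengine_runtime.email}"
}
```

Run terraform plan before apply and confirm it only adds these three resources; a plan that proposes removing bindings you did not write is the lockout scenario the answer warns about.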
