stackoom
  简体   繁体   中英

How to assign multiple roles to multiple service accounts in GCP using Terraform?

 原文  2022-09-27 15:24:08       google-cloud-platform/ terraform/ infrastructure

Question

I have a list of Service Accounts that will be created, and to assign roles to them I'm using a module that Google provides , and my code is as follows:

module "service-accounts" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "4.1.1"

  project_id = var.project
  names = var.sa_list
  project_roles = [
    "${var.project}=>roles/appengine.appAdmin",
    "${var.project}=>roles/artifactregistry.reader",
    "${var.project}=>roles/cloudbuild.builds.builder",
    "${var.project}=>roles/cloudsql.client",
    "${var.project}=>roles/cloudsql.instanceUser"
  ]

  display_name = "Google App Engine SA - Managed by Terraform"
}

This works just fine. But I don't want to make the roles in project_roles explicit, so I've tried to use the for_each meta-argument"

variables.tf :

variable "rolesList" {
  type =list(string)
  default = ["roles/appengine.appAdmin","roles/artifactregistry.reader", "roles/cloudbuild.builds.builder", "roles/cloudsql.client", "roles/cloudsql.instanceUser"]
}

main.tf :

module "service-accounts" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "4.1.1"

  project_id = var.project
  names = var.sa_list

  for_each = (toset[var.rolesList])
  project_roles = ["${var.project}=>${each.key}"]

  display_name = "Google App Engine SA - Managed by Terraform"
}

This way won't work because Terraform will create multiple accounts with the same id. How can I remove the hard code from project_roles ? Is there a way to store the roles elsewhere and then call them? Or I'll need to assign roles individually?

2 answers

solution1
 1  2022-09-28 17:50:21

So, I managed to fix the issued by changing

variable "rolesList" {
  type =list(string)
  default = ["roles/appengine.appAdmin","roles/artifactregistry.reader", 
             "roles/cloudbuild.builds.builder", "roles/cloudsql.client", 
             "roles/cloudsql.instanceUser"]
     }

to

 variable "rolesList" {
      type =setstring)
      default = ["roles/appengine.appAdmin","roles/artifactregistry.reader", 
                 "roles/cloudbuild.builds.builder", "roles/cloudsql.client", 
                 "roles/cloudsql.instanceUser"]
         }

and removing the for_each in favour of

module "service-accounts" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "4.1.1"

  project_id = var.project
  names = var.sa_list
  project_roles = [ for role in var.rolesList : "${var.project}=>${role}" ]

  display_name = "Google App Engine SA - Managed by Terraform"
}

solution2
 0  2022-09-27 21:39:26

If you want to give many roles to many services accounts, you can try by using the resources from official Google provider:

First, put the service accounts you want to create in a config file like a JSON file, ot allows to be more flexible in case of modification. You will change the config file, not the Terraform code:

{
  "servicesAccount": {
    "first-service-account": {
      "account_id": "first-service-account",
      "display_name": "First SA managed by Terraform",
  "roles": [
        "roles/appengine.appAdmin",
        "roles/artifactregistry.reader",
        "roles/cloudbuild.builds.builder",
        "roles/cloudsql.client",
        "roles/cloudsql.instanceUser"
      ]
    },
    "second-service-account": {
      "account_id": "second-service-account",
      "display_name": "Second SA managed by Terraform",
  "roles": [
        "roles/appengine.appAdmin",
        "roles/artifactregistry.reader",
        "roles/cloudbuild.builds.builder",
        "roles/cloudsql.client",
        "roles/cloudsql.instanceUser"
      ]
    }
  }
}

Then you can parse this JSON file and putting in a local variable:

locals {
  services_account = jsondecode(file("${path.module}/path/to/your/file.json"))["servicesAccount"]
  sa_flattened = flatten([
    for sa in local.services_account : [
      for role in sa["roles"] : {
        account_id   = sa["account_id"]
        display_name = sa["display_name"]
        role         = role
      }
    ]
  ])
}

Finally you can create the SA and then give them the associated roles:

resource "google_service_account" "sa_names" {
  project      = var.project
  for_each     = local.services_account
  account_id   = each.value["account_id"]
  display_name = each.value["display_name"]
}

resource "google_project_iam_member" "sa_roles" {
  depends_on = [google_service_account.sa_names]
  for_each   = {for idx, sa in local.sa_flattened: "${sa["account_id"]}_${sa["role"]}" => sa}
  project    = var.project
  role       = each.value["role"]
  member     = "serviceAccount:${each.value["account_id"]}@${var.project}.iam.gserviceaccount.com"
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Getting error while allowing accounts and roles in Terraform for GCP GCP terraform service accounts keys export create service account and assign permissions/roles at the organization level in GCP Terraform - Deploying GCP Bucket With Multiple Storage Classes? GCP: Remove IAM policy from Service Account using Terraform GCP Log-export pub/sub with multiple sink filters with Terraform How to add an ssh key to an GCP instance using terraform? Use Multiple google bigquery service accounts in Power BI (Service & Desktop) How to deploy AWS CDK stacks to multiple accounts? How should I create service accounts for accessing secrets between GCP projects with Google KMS?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM