DEV Community: Takahiro Sakai The latest articles on DEV Community by Takahiro Sakai (@ttsakai). https://dev.to/ttsakai https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F147023%2Fd09bf00e-beb8-4d37-89cc-7c4058e44a31.jpg DEV Community: Takahiro Sakai https://dev.to/ttsakai en terraform tips: gcp project IAM Takahiro Sakai Mon, 26 Jun 2023 11:12:40 +0000 https://dev.to/ttsakai/terraform-tips-gcp-project-iam-32i9 https://dev.to/ttsakai/terraform-tips-gcp-project-iam-32i9 <h2> Introduction </h2> <p>In this post, we'll go over some tips for managing GCP Project IAM resources using Terraform. These tips are drawn from my experience working with 10 GCP projects and approximately 500 IAM resources. I hope that regardless of whether you're a beginner or a seasoned Terraform user, you might find something of interest or value in this post.</p> <h2> For groups, users </h2> <h3> for_each with map objects for arguments </h3> <p>In the following code, we utilize for_each with map objects for arguments. This approach significantly reduces resource declaration and we can focus on "for whom" and "to what".<br> This helped me when I collaborated with an engineer who is not familiar with terraform.</p> <h4> google_project_iam_member </h4> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">group_list</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">group</span><span class="err">:</span> <span class="s2">"developer@example.com"</span><span class="p">,</span> <span class="nx">role</span><span class="err">:</span> <span class="s2">"roles/viewer"</span><span class="p">,</span> <span class="nx">project</span><span class="err">:</span> <span class="s2">"your-project-id"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">group</span><span class="err">:</span> <span class="s2">"admin@example.com"</span><span class="p">,</span> <span class="nx">role</span><span class="err">:</span> <span class="s2">"roles/owner"</span><span class="p">,</span> <span class="nx">project</span><span class="err">:</span> <span class="s2">"your-project-id"</span> <span class="p">},</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="c1"># By making inex like that, state is uniqu</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">i</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">group_list</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">group</span><span class="k">}</span><span class="s2">_</span><span class="k">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">role</span><span class="k">}</span><span class="s2">_</span><span class="k">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">i</span> <span class="p">}</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">role</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"group:</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">group</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <ul> <li>pros: it is very simple. this tip can be applyed to other iam_mambers resourses not only google_project_iam_member.</li> <li>cons: it tends to increase map object size because iam member resoueces do not allaw multiple members.</li> </ul> <h4> google_project_iam_bindings </h4> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">group_list</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># projects can be parameterize if there are a lot.</span> <span class="p">{</span> <span class="nx">role</span> <span class="err">:</span> <span class="s2">"roles/viewer"</span><span class="p">,</span> <span class="nx">projects</span> <span class="err">:</span> <span class="p">[</span><span class="s2">"your-project-id-1"</span><span class="p">,</span><span class="s2">"your-project-id-2"</span><span class="p">],</span> <span class="nx">members</span> <span class="err">:</span> <span class="p">[</span> <span class="s2">"group:admin@example.com"</span><span class="p">,</span> <span class="s2">"group:developer@example.com"</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">role</span> <span class="err">:</span> <span class="s2">"roles/owner"</span><span class="p">,</span> <span class="nx">projects</span> <span class="err">:</span> <span class="p">[</span><span class="s2">"your-project-id-1"</span><span class="p">,</span><span class="s2">"your-project-id-2"</span><span class="p">],</span> <span class="nx">members</span> <span class="err">:</span> <span class="p">[</span> <span class="s2">"group:admin@example.com"</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">]</span> <span class="c1"># need some tricks for nested map object</span> <span class="nx">group_list_flattened</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">i</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">group_list</span> <span class="err">:</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">project</span> <span class="nx">in</span> <span class="nx">i</span><span class="p">.</span><span class="nx">projects</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">i</span><span class="p">.</span><span class="nx">role</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">project</span> <span class="nx">members</span> <span class="p">=</span> <span class="nx">i</span><span class="p">.</span><span class="nx">members</span> <span class="p">}</span> <span class="p">]</span> <span class="p">])</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_binding"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">i</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">group_list_flattened</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">role</span><span class="k">}</span><span class="s2">_</span><span class="k">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">i</span> <span class="p">}</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">role</span> <span class="nx">members</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">members</span> <span class="p">}</span> </code></pre> </div> <ul> <li>pros: reduce more code compared with google_project_iam_member if you need to create common iam for a lot of projects.</li> <li>cons: the nature of iam_binding, there is a risk to override iam settings outside of this resource.</li> </ul> <h2> For service accounts </h2> <h3> Types of service accounts </h3> <p>there are generally two types of service accounts.</p> <ul> <li>service accounts for tools(cicd pipeline,ETL pipeline, monitoring tool, something like that).</li> <li>service accounts for application code.</li> </ul> <h3> Service accounts for tools </h3> <p>For this type of service accounts, calling resources directly or using a simple custom module is good because these service accounts need limited permission to one project. Sometimes we need to add an extra role for a specific purpose like accessing a BigQuery dataset that is located in other GCP projects (e.g. data analysts need specific logs for the application or something similar). In those cases, using a single IAM member/IAM binding resource is sufficient because it emphasizes that those roles are exceptional.<br> Here's an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">projects</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"your-projec-id-1"</span><span class="p">,</span> <span class="s2">"your-projec-id-2"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"service_account"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-google-modules/service-accounts/google"</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="s2">"service-account-project-id"</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">names</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"service-account-name"</span><span class="p">]</span> <span class="nx">project_roles</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span> <span class="c1"># for custom role</span> <span class="nx">formatlist</span><span class="p">(</span><span class="s2">"%s=&gt;projects/%s/roles/custom_role_name"</span><span class="p">,</span> <span class="kd">local</span><span class="p">.</span><span class="nx">projects</span><span class="p">,</span> <span class="kd">local</span><span class="p">.</span><span class="nx">projects</span><span class="p">),</span> <span class="c1"># for default role</span> <span class="nx">formatlist</span><span class="p">(</span><span class="s2">"%s=&gt;roles/viewer"</span><span class="p">,</span> <span class="kd">local</span><span class="p">.</span><span class="nx">projects</span><span class="p">),</span> <span class="p">}</span> </code></pre> </div> <h3> Service accounts for application code </h3> <ul> <li>For this type of service accounts, calling resources directly or using a simple custom module is good because this service accounts need limited permission to one projects. sometimes we need to add an extra role for a specific purpose like accessing bigquery dataset that is located to other gcp projects.(data analysts need specific log for application or something like that). In those cases, using single iam member/iam binding resource is sufficient because that emphasize those roles are unusual. </li> </ul> <p>Here's an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># module definition. </span> <span class="k">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">name</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"time_sleep"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="c1"># add some deletion because google_project_iam_member sometimes fail if immediately add iam after service account creation.</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">this</span> <span class="p">]</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="nx">create_duration</span> <span class="p">=</span> <span class="s2">"10s"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">time_sleep</span><span class="p">.</span><span class="nx">this</span><span class="p">]</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">roles</span><span class="p">)</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"roles"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="c1"># call module</span> <span class="k">module</span> <span class="s2">"serviceaccount"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"your-module-path"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"service-account-name"</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"your-project-id"</span> <span class="nx">roles</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"roles/viewer"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Wrapping Up </h2> <p>We've walked through a few different ways to juggle Project IAM resources in GCP using Terraform, This is just a small tip But Hopefully, you've found a trick or two you can use in your own Terraform codes.<br> Actually, this is my first tech post, so I welcome your feedback. <br> Thank you for reading!</p> terraform