# Terraform module for Google IAM memberships
Role parameters:
- Google predefined roles
- Project custom roles
- Organization custom roles
- IAM Conditions

Resource bindings to:
- Organization
- Project
- Billing account
- Storage buckets
- BigQuery datasets
- BigQuery tables
- Cloud Run jobs
- Secret Manager secrets
- Service accounts
- Artifact Registry repositories
Each role string taken as input embeds several identifiers: where the IAM binding is made, which role is bound, and on which resource. Custom project/org-level roles additionally require a prefix on the role ID.

The general format is:

```
<resource type>:[<org|project>-]<role name>:<resource type parameters: ...>
```

1. `<resource type>`: a prefix/alias that selects the type of resource the binding is made on. It may be omitted, in which case the binding is made on the configured project or organization.
2. `<role name>`: the ID of the role to bind. For predefined Google roles, omit the `roles/` prefix (e.g. `viewer`, not `roles/viewer`). For custom roles, the prefix depends on where the role is defined: `project-` for a custom role defined in the project, `org-` for a custom role defined in the organization.
3. `<resource type parameters>`: the identifier of the resource the binding is made to. Usually a single name or ID, sometimes several colon-separated values; this depends on the resource type, see the table below.
| Resource | `<resource type>` prefix | `<resource type parameters>` |
|---|---|---|
| project/org | (none) | (none) |
| storage bucket | storage | bucket name |
| BigQuery dataset | bigquery-dataset | datasetId |
| BigQuery table | bigquery-table | datasetId:tableId |
| Cloud Run job | cloud-run-job | job name |
| billing account | billing | (none) |
| Secret Manager secret | secret | secret name |
| service account | service-account | service account name |
| Artifact Registry repository | artifact-registry | repository name |
Exactly one of `organization_id` or `project_id` MUST be specified (they are mutually exclusive); prefix-less role strings bind on whichever one is set.
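Role strings are easy to get subtly wrong (a missing `datasetId`, a `roles/` prefix on a predefined role, an `org-` role in a project-scoped module), and a malformed string only surfaces at plan time. The following Python parser is an added example, not code from the module, that implements the documented grammar and prefix table and resolves the short role IDs to the full IAM role names Google uses (`roles/<id>`, `projects/<project>/roles/<id>`, `organizations/<org>/roles/<id>`). Two points are assumptions about module behaviour rather than documented facts: a leading segment is treated as a resource prefix only when it matches the table, and custom roles resolve against whichever of `project_id`/`organization_id` is configured.

```python
"""Validator for the module's role strings (added example; not module code).

Implements the documented format
    <resource type>:[<org|project>-]<role name>:<resource type parameters: ...>
and expands the short role ID to the full IAM role name. Parameter counts
per prefix come from the README table; treating the first segment as a
prefix only when it is in that table is an assumption about the module.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# prefix -> number of colon-separated parameters (README table).
# None is the prefix-less form, bound on the configured project/org.
RESOURCE_TYPES = {
    None: 0,
    "storage": 1,            # bucket name
    "bigquery-dataset": 1,   # datasetId
    "bigquery-table": 2,     # datasetId:tableId
    "cloud-run-job": 1,      # job name
    "billing": 0,
    "secret": 1,             # secret name
    "service-account": 1,    # service account name
    "artifact-registry": 1,  # repository name
}


@dataclass(frozen=True)
class RoleBinding:
    resource_type: Optional[str]   # None = project/org level
    role: str                      # full IAM role name, e.g. roles/viewer
    params: Tuple[str, ...]


def resolve_role(role_id: str, project_id: Optional[str],
                 organization_id: Optional[str]) -> str:
    """Expand the README's role ID conventions to a full GCP role name."""
    if not role_id:
        raise ValueError("empty role ID")
    if role_id.startswith("roles/"):
        raise ValueError("predefined roles are given without the roles/ prefix")
    if role_id.startswith("project-"):
        if not project_id:
            raise ValueError("project- custom role requires project_id")
        return f"projects/{project_id}/roles/{role_id[len('project-'):]}"
    if role_id.startswith("org-"):
        if not organization_id:
            raise ValueError("org- custom role requires organization_id")
        return f"organizations/{organization_id}/roles/{role_id[len('org-'):]}"
    return f"roles/{role_id}"


def parse_role_string(s: str, project_id: Optional[str] = None,
                      organization_id: Optional[str] = None) -> RoleBinding:
    # Same rule as the module: exactly one of project_id / organization_id.
    if bool(project_id) == bool(organization_id):
        raise ValueError("exactly one of project_id or organization_id must be set")
    parts = s.split(":")
    if parts[0] in RESOURCE_TYPES:       # explicit prefix from the table
        resource_type, rest = parts[0], parts[1:]
    else:                                # no prefix: project/org binding
        resource_type, rest = None, parts
    if not rest:
        raise ValueError(f"{s!r}: missing role name")
    role = resolve_role(rest[0], project_id, organization_id)
    params = tuple(rest[1:])
    expected = RESOURCE_TYPES[resource_type]
    if len(params) != expected:
        raise ValueError(f"{s!r}: {resource_type or 'project/org'} takes "
                         f"{expected} parameter(s), got {len(params)}")
    if any(p == "" for p in params):
        raise ValueError(f"{s!r}: empty resource parameter")
    return RoleBinding(resource_type, role, params)


def check_role_string(s: str, **scope) -> Optional[str]:
    """Return None if the string is valid, otherwise the validation error."""
    try:
        parse_role_string(s, **scope)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample inputs; the last one is deliberately malformed.
    for rs in ["viewer", "storage:storage.objectViewer:my-bucket",
               "bigquery-table:bigquery.dataViewer:analytics:events",
               "project-deploy-bot", "storage:storage.objectViewer"]:
        err = check_role_string(rs, project_id="my-project")
        print(rs, "->", err or parse_role_string(rs, project_id="my-project"))
```

Run it over the `members` list before `terraform plan` to reject malformed strings early. Note also that every resource the module creates is a `google_*_iam_member`, which is non-authoritative: each role string adds a binding and never removes existing members from a role, so removing a string from `members` only drops that one binding and nothing granted outside Terraform is reconciled.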
Basic usage of this module is as follows:

```hcl
module "example" {
  source = "notablehealth/<module-name>/google"
  # Recommend pinning every module to a specific version
  # version = "x.x.x"

  # Required variables
  members =
}
```

## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.5.7 |
| google | >= 7.12.0 |

## Providers

| Name | Version |
|---|---|
| google | 7.12.0 |
## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| google_artifact_registry_repository_iam_member.self | resource |
| google_bigquery_dataset_iam_member.self | resource |
| google_bigquery_table_iam_member.self | resource |
| google_billing_account_iam_member.self | resource |
| google_cloud_run_v2_job_iam_member.self | resource |
| google_organization_iam_member.self | resource |
| google_project_iam_member.self | resource |
| google_secret_manager_secret_iam_member.self | resource |
| google_service_account_iam_member.self | resource |
| google_storage_bucket_iam_member.self | resource |
| google_billing_account.self | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| billing_account_name | Billing account name. | `string` | `""` | no |
| default_location | The default location. | `string` | `null` | no |
| members | List of members and roles to add them to. | `list(object({ ... }))` | n/a | yes |
| organization_id | Organization ID. | `string` | `""` | no |
| project_id | Project ID. | `string` | `""` | no |
## Outputs

No outputs.