Creating recommended user settings and access for Terraform in Google Cloud Platform (GCP) with appropriate privileges involves using a dedicated service account and granting it the necessary IAM roles. This approach ensures a secure and auditable way for Terraform to interact with your GCP resources.
Step-by-step guidance:
- Create a dedicated Service Account:
- Navigate to IAM & Admin > Service Accounts in the GCP Console.
- Click CREATE SERVICE ACCOUNT.
- Provide a descriptive Service account name (e.g.,
terraform-sa), a Service account ID, and a Service account description. - Click CREATE AND CONTINUE.
- Grant Necessary IAM Roles to the Service Account:
- In the “Grant this service account access to project” step, you will assign roles. The principle of least privilege should be followed, granting only the permissions required for Terraform to manage your infrastructure.
- Common roles for Terraform:
- Project Editor (or more granular roles): For general resource creation and management. Consider using more specific roles like
Compute Admin,Storage Admin,Cloud SQL Admin, etc., if you know exactly which resources Terraform will manage. - Service Account User: If Terraform will impersonate other service accounts.
- Storage Object Admin: If Terraform needs to manage Cloud Storage buckets for state files.
- Project Editor (or more granular roles): For general resource creation and management. Consider using more specific roles like
- Click DONE.
- Generate a Service Account Key (JSON):
- Go back to the Service Accounts page.
- Click on the newly created service account.
- Navigate to the KEYS tab.
- Click ADD KEY > Create new key.
- Select JSON as the key type and click CREATE.
- The JSON key file will be downloaded to your local machine. Securely store this file, as it grants access to your GCP resources.
{
"type": "service_account",
"project_id": "<PROJECT_ID>",
"private_key_id": "<PIVATE_KEY_ID>",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...37TtWGH\n-----END PRIVATE KEY-----\n",
"client_email": "<SERVICE_ACC_NAME>@<PROJECT_ID>.iam.gserviceaccount.com",
"client_id": "<CLIENT_ID>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/",
"universe_domain": "googleapis.com"
}
- Configure Terraform to Use the Service Account:
- In your Terraform configuration (
.tffiles), configure the Google provider to use the service account key. - Add the following block to your
main.tforprovider.tffile, replacingpath/to/your/service-account-key.jsonwith the actual path to your downloaded JSON key file:
- In your Terraform configuration (
provider "google" {
project = "your-gcp-project-id" # Replace with your GCP project ID
region = "your-gcp-region" # Optional: e.g., "us-central1"
credentials = file("path/to/your/service-account-key.json")
}- Initialize and Apply Terraform:
- Open your terminal in the directory containing your Terraform configuration files.
- Run
terraform initto initialize the working directory and download necessary provider plugins. - Run
terraform planto review the changes Terraform will make. - Run
terraform applyto provision the resources in GCP.
Important Considerations:
- Least Privilege: Always grant the minimum necessary permissions to your service account.
- Key Security: Protect your service account key file. Do not commit it to version control or expose it publicly. Consider using secure methods like environment variables or secret management services for storing credentials in production environments.
- State Management: For collaborative environments, configure Terraform backend to store state files in a shared location like a Cloud Storage bucket, and ensure the service account has the necessary permissions to manage these state files.
Discover more from Altgr Blog
Subscribe to get the latest posts sent to your email.
