Google BigQuery Dataset Access
This page shows how to write Terraform for BigQuery Dataset Access and how to write it securely.
google_bigquery_dataset_access (Terraform)
The Dataset Access in BigQuery can be configured in Terraform with the resource name google_bigquery_dataset_access. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_bigquery_dataset_access" "dataset_table1_rgw" {
  project       = var.project_name
  dataset_id    = google_bigquery_dataset.dataset_table1.dataset_id
  role          = "WRITER"
  user_by_email = "saurabh.thakur@datametica.com"
}
resource "google_bigquery_dataset_access" "domain" {
  for_each   = var.dataset_access ? {} : local.access_domain
  provider   = google-beta
  project    = var.project_id
  dataset_id = google_bigquery_dataset.default.dataset_id
  role       = each.value.role
  # ... the excerpt ends here; the member attribute is not shown
}
Parameters
- api_updated_member (optional computed - bool): If true, indicates that the iam_member in the config was translated to a different member type by the API and is stored in state as that different member type.
- dataset_id (required - string): A unique ID for this dataset, without the project name. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.
- domain (optional - string): A domain to grant access to. Any users signed in with the domain specified will be granted the specified access.
- group_by_email (optional - string): An email address of a Google Group to grant access to.
- iam_member (optional - string): Some other type of member that appears in the IAM Policy but isn't a user, group, domain, or special group. For example: 'allUsers'.
- role: Describes the rights granted to the user specified by the other member of the access object. Basic, predefined, and custom roles are supported. Predefined roles that have equivalent basic roles are swapped by the API to their basic counterparts, and will show a diff post-create. See official docs.
- special_group (optional - string): A special group to grant access to. Possible values include:
  - 'projectOwners': Owners of the enclosing project.
  - 'projectReaders': Readers of the enclosing project.
  - 'projectWriters': Writers of the enclosing project.
  - 'allAuthenticatedUsers': All authenticated BigQuery users.
- user_by_email (optional - string): An email address of a user to grant access to. For example: fred@example.com
- timeouts (single block)
- view (list block)
  - dataset_id (required - string): The ID of the dataset containing this table.
  - project_id (required - string): The ID of the project containing this table.
  - table_id (required - string): The ID of the table. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.
Explanation in Terraform Registry
Gives dataset access for a single entity. This resource is intended to be used in cases where it is not possible to compile a full list of access blocks to include in a google_bigquery_dataset resource, to enable them to be added separately.
Note: If this resource is used alongside a google_bigquery_dataset resource, the dataset resource must either have no defined access blocks or a lifecycle block with ignore_changes = [access] so they don't fight over which accesses should be on the dataset.
To get more information about DatasetAccess, see:
- API documentation
- How-to Guides
- Controlling access to datasets
Warning: You must specify the role field using the legacy format OWNER instead of roles/bigquery.dataOwner. The API does accept both formats but it will always return the legacy format, which results in Terraform showing a permanent diff on each plan and apply operation.
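The Note and Warning above, combined in one configuration. This is an added example, not code from the Terraform Registry or from the GitHub repositories listed on this page; the resource names, dataset ID and group addresses are placeholders, and WRITER and READER are the legacy counterparts of roles/bigquery.dataEditor and roles/bigquery.dataViewer.

```hcl
# Added example: names, dataset ID and group addresses are placeholders.
resource "google_bigquery_dataset" "analytics" {
  dataset_id = "analytics_example"

  # No inline access blocks are defined here. ignore_changes stops this
  # resource from reverting grants that google_bigquery_dataset_access
  # resources add separately, so the two do not fight over the access list.
  lifecycle {
    ignore_changes = [access]
  }
}

locals {
  # Legacy role names, as the warning requires. Writing
  # roles/bigquery.dataOwner instead of OWNER would be accepted by the API
  # but would show up as a diff on every plan.
  group_grants = {
    "data-owners@example.com" = "OWNER"
    "etl-writers@example.com" = "WRITER"
    "analysts@example.com"    = "READER"
  }
}

# One access entry per group, managed independently of the dataset resource.
resource "google_bigquery_dataset_access" "group" {
  for_each       = local.group_grants
  dataset_id     = google_bigquery_dataset.analytics.dataset_id
  role           = each.value
  group_by_email = each.key
}
```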
Tips: Best Practices for The Other Google BigQuery Resources
In addition to google_bigquery_dataset, Google BigQuery has other resources that should be configured with security in mind. Check the examples and precautions for those resources.
google_bigquery_dataset
Ensure your BigQuery dataset blocks unwanted access
It is better to block unwanted access from users outside the organization.
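One way to enforce this at plan time for per-user grants, shown as an added example rather than code from this page or from the provider. The variable names, the example.com domain and the three-role allow-list are assumptions, and endswith needs Terraform 1.3 or later.

```hcl
# Added example: all names and the example.com domain are placeholders.
variable "dataset_id" {
  type = string
}

variable "org_domain" {
  type    = string
  default = "example.com" # placeholder organization domain
}

variable "user_grants" {
  description = "Map of user e-mail address to legacy BigQuery role."
  type        = map(string)

  # Local policy choice: only the legacy basic roles are accepted here.
  validation {
    condition = alltrue([
      for role in values(var.user_grants) :
      contains(["OWNER", "WRITER", "READER"], role)
    ])
    error_message = "Roles must be OWNER, WRITER or READER."
  }
}

# Only user_by_email is exposed by this configuration, so iam_member values
# such as allUsers and special_group values such as allAuthenticatedUsers
# cannot be requested through it.
resource "google_bigquery_dataset_access" "user" {
  for_each      = var.user_grants
  dataset_id    = var.dataset_id
  role          = each.value
  user_by_email = each.key

  lifecycle {
    # Fails the plan when a grantee is outside the organization domain.
    precondition {
      condition     = endswith(lower(each.key), "@${lower(var.org_domain)}")
      error_message = "Grantee ${each.key} is outside ${var.org_domain}."
    }
  }
}
```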
Frequently asked questions
What is Google BigQuery Dataset Access?
Google BigQuery Dataset Access is a resource for BigQuery of Google Cloud Platform. Settings can be written in Terraform.
Where can I find the example code for the Google BigQuery Dataset Access?
For Terraform, the 798shubhamd/terraform, sthamma/cloud-foundations and riccardoferra/gediterraform source code examples are useful. See the Terraform Example section for further details.