Google BigQuery Dataset Access

This page shows how to write Terraform for BigQuery Dataset Access and how to write it securely.

google_bigquery_dataset_access (Terraform)

The Dataset Access in BigQuery can be configured in Terraform with the resource name google_bigquery_dataset_access. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

bigquery_setup.tf#L7
resource "google_bigquery_dataset_access" "dataset_table1_rgw" {
  project       = var.project_name
  dataset_id    = google_bigquery_dataset.dataset_table1.dataset_id
  role          = "WRITER"
  user_by_email = "saurabh.thakur@datametica.com"
}
main.tf#L99
resource "google_bigquery_dataset_access" "domain" {
  for_each   = var.dataset_access ? {} : local.access_domain
  provider   = google-beta
  project    = var.project_id
  dataset_id = google_bigquery_dataset.default.dataset_id
  role       = each.value.role
main.tf#L97
resource "google_bigquery_dataset_access" "domain" {
  for_each   = var.dataset_access ? {} : local.access_domain
  provider   = google-beta
  project    = var.project_id
  dataset_id = google_bigquery_dataset.default.dataset_id
  role       = each.value.role
main.tf#L97
resource "google_bigquery_dataset_access" "domain" {
  for_each   = var.dataset_access ? {} : local.access_domain
  provider   = google-beta
  project    = var.project_id
  dataset_id = google_bigquery_dataset.default.dataset_id
  role       = each.value.role
main.tf#L99
resource "google_bigquery_dataset_access" "domain" {
  for_each   = var.dataset_access ? {} : local.access_domain
  provider   = google-beta
  project    = var.project_id
  dataset_id = google_bigquery_dataset.default.dataset_id
  role       = each.value.role

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • api_updated_member

    If true, represents that the iam_member in the config was translated to a different member type by the API, and is stored in state as a different member type.

  • dataset_id

    A unique ID for this dataset, without the project name. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.

  • domain

    A domain to grant access to. Any users signed in with the domain specified will be granted the specified access.

  • group_by_email

    An email address of a Google Group to grant access to.

  • iam_member

    Some other type of member that appears in the IAM Policy but isn't a user, group, domain, or special group. For example: 'allUsers'

  • id optional computed - string
  • project optional computed - string
  • role optional - string

    Describes the rights granted to the user specified by the other member of the access object. Basic, predefined, and custom roles are supported. Predefined roles that have equivalent basic roles are swapped by the API to their basic counterparts, and will show a diff post-create. See official docs.

  • special_group

    A special group to grant access to. Possible values include: 'projectOwners': Owners of the enclosing project. 'projectReaders': Readers of the enclosing project. 'projectWriters': Writers of the enclosing project. 'allAuthenticatedUsers': All authenticated BigQuery users.

  • user_by_email

    An email address of a user to grant access to. For example: fred@example.com

  • timeouts single block
  • view list block

      • dataset_id

        The ID of the dataset containing this table.

      • project_id

        The ID of the project containing this table.

      • table_id

        The ID of the table. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.

Explanation in Terraform Registry

Gives dataset access for a single entity. This resource is intended to be used in cases where it is not possible to compile a full list of access blocks to include in a google_bigquery_dataset resource, to enable them to be added separately.

Note: If this resource is used alongside a google_bigquery_dataset resource, the dataset resource must either have no defined access blocks or a lifecycle block with ignore_changes = [access] so they don't fight over which accesses should be on the dataset.

To get more information about DatasetAccess, see:

  • API documentation
  • How-to Guides
    • Controlling access to datasets

Warning: You must specify the role field using the legacy format OWNER instead of roles/bigquery.dataOwner. The API does accept both formats but it will always return the legacy format which results in Terraform showing permanent diff on each plan and apply operation.
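The note and the warning above, combined in one configuration. This is an added example, not code from the Terraform Registry or from the repositories listed on this page; the project variable, dataset ID, location and group address are placeholder assumptions.

```hcl
# Added example: all names and values below are placeholders.
variable "project_id" {
  type = string
}

resource "google_bigquery_dataset" "analytics" {
  project    = var.project_id
  dataset_id = "analytics_example"
  location   = "US"

  # No inline access blocks are defined here. Grants are managed by the
  # separate google_bigquery_dataset_access resource below, and
  # ignore_changes stops this resource from reverting them on the next apply.
  lifecycle {
    ignore_changes = [access]
  }
}

resource "google_bigquery_dataset_access" "analysts_read" {
  project    = var.project_id
  dataset_id = google_bigquery_dataset.analytics.dataset_id

  # Legacy role format. The API returns the legacy name even when the
  # predefined role (roles/bigquery.dataViewer) is sent, which would show
  # as a permanent diff on every plan.
  role = "READER"

  # Exactly one member type is set per resource; a group keeps membership
  # changes out of the Terraform configuration.
  group_by_email = "analysts@example.com"
}
```

After the first apply, a second `terraform plan` with no changes reported confirms that the two resources are not fighting over the access list and that the role format is stable.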

Tips: Best Practices for The Other Google BigQuery Resources

In addition to the google_bigquery_dataset, Google BigQuery has other resources that should be configured for security reasons. Please check the examples of those resources and the precautions below.

google_bigquery_dataset

Ensure your BigQuery dataset blocks unwanted access

It is better to block unwanted access from users outside the organization.
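One way to enforce this for grants made through google_bigquery_dataset_access, shown as an added example that is not part of the original page: a weak grant (commented out) next to a variable-driven form that rejects public principals at plan time. The variable names and the shape of dataset_grants are hypothetical.

```hcl
# Weak: every authenticated Google account can read the dataset.
# resource "google_bigquery_dataset_access" "public" {
#   dataset_id    = var.dataset_id
#   role          = "READER"
#   special_group = "allAuthenticatedUsers" # iam_member = "allUsers" is worse
# }

variable "project_id" {
  type = string
}

variable "dataset_id" {
  type = string
}

# Hypothetical input shape: grant name => role, member kind and member.
variable "dataset_grants" {
  type = map(object({
    role   = string # legacy format: OWNER, WRITER or READER
    kind   = string # user, group or domain
    member = string # email address or domain name
  }))

  # special_group and iam_member are not reachable through this variable,
  # so allUsers and allAuthenticatedUsers cannot be granted by accident.
  validation {
    condition = alltrue([
      for g in values(var.dataset_grants) :
      contains(["user", "group", "domain"], g.kind) &&
      contains(["OWNER", "WRITER", "READER"], g.role)
    ])
    error_message = "Grants must use kind user, group or domain and a legacy role of OWNER, WRITER or READER."
  }
}

resource "google_bigquery_dataset_access" "grant" {
  for_each   = var.dataset_grants
  project    = var.project_id
  dataset_id = var.dataset_id
  role       = each.value.role

  # Only the attribute matching the grant's kind is set; the others stay null.
  user_by_email  = each.value.kind == "user" ? each.value.member : null
  group_by_email = each.value.kind == "group" ? each.value.member : null
  domain         = each.value.kind == "domain" ? each.value.member : null
}
```

The validation only covers grants created through this variable; access blocks defined elsewhere, or grants made outside Terraform, still need to be reviewed separately.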

Review your Google BigQuery settings

In addition to the above, there are other security points you should be aware of. You can check that your .tf files follow them in Shisho Cloud.

Frequently asked questions

What is Google BigQuery Dataset Access?

Google BigQuery Dataset Access is a resource for BigQuery of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google BigQuery Dataset Access?

For Terraform, the 798shubhamd/terraform, sthamma/cloud-foundations and riccardoferra/gediterraform source code examples are useful. See the Terraform Example section for further details.

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.