Google Cloud Identity Group

This page shows how to write Terraform for Cloud Identity Group and write them securely.

google_cloud_identity_group (Terraform)

The Group in Cloud Identity can be configured in Terraform with the resource name google_cloud_identity_group. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub
resource "google_cloud_identity_group" "group-example-1" {
  display_name         = "group-example-1"
  initial_group_config = "WITH_INITIAL_OWNER"

  parent = "customers/C043jufqt"
resource "google_cloud_identity_group" "obe-bu2-cigroups-app3" {
  display_name = "obe-bu2-cigroups-app3"
  group_key {
    id = ""
  initial_group_config = "WITH_INITIAL_OWNER"
resource "google_cloud_identity_group" "project_groups" {
  provider = google-beta
  for_each = var.only_add_permissions ? {} : local.groups

  display_name = format("%s: %s (%s)", title(, var.project_id, upper(each.value.environment))
resource "google_cloud_identity_group" "tnt1-bu1-cigroups-app3" {
  display_name = "tnt1-bu1-cigroups-app3"
  group_key {
    id = ""
  initial_group_config = "WITH_INITIAL_OWNER"
resource "google_cloud_identity_group" "identity_groups" {
  for_each             = local.identity_groups_map
  provider             = google-beta
  initial_group_config = each.value["initial_group_config"]
  display_name         = each.value["display_name"]
  parent               = each.value["parent"]

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


The time when the Group was created.

An extended description to help users determine the purpose of a Group. Must not be longer than 4,096 characters.

The display name of the Group.

  • id optional computed - string
  • labels required - map from string to string

The labels that apply to the Group. Must not contain more than one entry. Must contain the entry '': '' if the Group is a Google Group or 'system/groups/external': '' if the Group is an external-identity-mapped group.

  • name optional computed - string

Resource name of the Group in the format: groups/[group_id], where group_id is the unique ID assigned to the Group.

The resource name of the entity under which this Group resides in the Cloud Identity resource hierarchy. Must be of the form identitysources/[identity_source_id] for external-identity-mapped groups or customers/[customer_id] for Google Groups.

The time when the Group was last updated.

  • group_key list block
    • id required - string

    The ID of the entity. For Google-managed entities, the id must be the email address of an existing group or user. For external-identity-mapped entities, the id must be a string conforming to the Identity Source's requirements. Must be unique within a namespace.

    The namespace in which the entity exists. If not specified, the EntityKey represents a Google-managed entity such as a Google user or a Google Group. If specified, the EntityKey represents an external-identity-mapped group. The namespace must correspond to an identity source created in Admin Console and must be in the form of 'identitysources/[identity_source_id]'.

  • timeouts single block

Explanation in Terraform Registry

A Cloud Identity resource representing a Group. To get more information about Group, see:

  • API documentation
  • How-to Guides
    • Official Documentation

      Warning: If you are using User ADCs (Application Default Credentials) with this resource, you must specify a billing_project and set user_project_override to true in the provider configuration. Otherwise the Cloud Identity API will return a 403 error. Your account must have the permission on the billing_project you defined.

Frequently asked questions

What is Google Cloud Identity Group?

Google Cloud Identity Group is a resource for Cloud Identity of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google Cloud Identity Group?

For Terraform, the yesasurya/tf-gcp-iam-group, apsureda/ci-groups and c-zuo/gcp-turbo source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.