Google Cloud Platform Project Service Identity
This page shows how to write Terraform for a Cloud Platform Project Service Identity and how to configure it securely.
google_project_service_identity (Terraform)
The Project Service Identity in Cloud Platform can be configured in Terraform with the resource name google_project_service_identity. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Creates the Google-managed GKE service agent in the service project once the
# container API (google_project_service.gke_svc) has been enabled.
resource "google_project_service_identity" "gke_hostagent_sa" {
  provider   = google-beta
  project    = var.service_project_id
  service    = "container.googleapis.com"
  depends_on = [google_project_service.gke_svc]
}
Parameters
The following arguments are supported:
service - (Required) The service to generate an identity for.
project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
In addition to the arguments listed above, the following computed attributes are exported:
email - The email address of the Google-managed service account.
Explanation in Terraform Registry
Warning: These resources are in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.
Generates a service identity for a service.
Note: Once created, this resource cannot be updated or destroyed. These actions are a no-op.
Note: This resource can be used to retrieve the emails of the Google-managed service accounts of the APIs that Google has configured with a Service Identity. You can run
gcloud beta services identity create --service SERVICE_NAME.googleapis.com
to check whether an API supports this. To get more information about Service Identity, see:
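A complete configuration built around this resource, added here as an example that is not from the page or from the repositories it references: it enables the GKE API, creates the service identity, and grants the returned service agent email exactly one role in a shared VPC host project rather than a broad project-wide role. The variable names host_project_id and service_project_id and the shared-VPC use case are assumptions.

```hcl
terraform {
  required_providers {
    google-beta = {
      source = "hashicorp/google-beta"
    }
  }
}

# Assumed inputs (hypothetical variable names): the shared VPC host project and
# the service project that will run GKE.
variable "host_project_id"    { type = string }
variable "service_project_id" { type = string }

# Enable the GKE API in the service project. The service identity only exists
# once the API is enabled, so the identity resource depends on this.
resource "google_project_service" "gke_svc" {
  project            = var.service_project_id
  service            = "container.googleapis.com"
  disable_on_destroy = false
}

# Ask Google to create the Google-managed GKE service agent and expose its email.
# Requires the google-beta provider; cannot be updated or destroyed afterwards.
resource "google_project_service_identity" "gke_hostagent_sa" {
  provider   = google-beta
  project    = var.service_project_id
  service    = "container.googleapis.com"
  depends_on = [google_project_service.gke_svc]
}

# Least privilege: bind only the role the agent needs in the host project.
# roles/container.hostServiceAgentUser lets GKE in the service project use the
# host project's shared VPC without granting it editor-level access.
resource "google_project_iam_member" "gke_host_agent" {
  project = var.host_project_id
  role    = "roles/container.hostServiceAgentUser"
  member  = "serviceAccount:${google_project_service_identity.gke_hostagent_sa.email}"
}

# Export the agent email so other modules can reference it instead of
# hard-coding the service-<number>@ address.
output "gke_service_agent_email" {
  value = google_project_service_identity.gke_hostagent_sa.email
}
```

Because the identity resource is a no-op on destroy, removing it from state does not delete the service agent; review the IAM binding separately when decommissioning the service project.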
Tips: Best Practices for The Other Google Cloud Platform Resources
In addition to google_project_service_identity, Google Cloud Platform has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
google_project
Ensure project-level default network creation is disabled
Disable the automatic creation of the default network. The default network a GCP project receives is configured coarsely, which leaves a risk of unwanted access to resources in that network.
Frequently asked questions
What is Google Cloud Platform Project Service Identity?
Google Cloud Platform Project Service Identity is a Cloud Platform resource of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Cloud Platform Project Service Identity?
For Terraform, the rjmco/terraform-google-sentinel-double-nested-module, rjmco/terraform-google-sentinel-illegal-nested-module and rjmco/terraform-google-sentinel-illegal-module source code examples are useful. See the Terraform Example section for further details.