Recently Added

Service account roles used by Terraform to manage resources Comparing AWS Aurora and GCP Spanner

Nasser Naini

Unlocking the Data Realm

Service account roles used by Terraform to manage resources

When working with Google Cloud Platform (GCP) resources such as google_compute_network and google_compute_disk in Terraform, you need to assign specific roles to the service account that Terraform uses to ensure it has the necessary permissions. Here are the roles typically required for managing these resources:

For google_compute_network

Managing VPC networks (google_compute_network) generally requires permissions to create, modify, and delete network resources. The following roles are commonly used:

  1. Compute Network Admin (roles/compute.networkAdmin):
    • This role includes permissions to create, modify, and delete networks and subnets.
    • It’s suitable for managing most aspects of networking in GCP, including firewalls, routes, and VPNs.
  2. Project Editor (roles/editor):
    • This broader role includes permissions to modify almost all resources in a project.
    • It’s often used in development environments but might grant more permissions than necessary for production environments.

For google_compute_disk

Managing disks (google_compute_disk) typically requires permissions for disk creation, attachment, detachment, and deletion. The following roles are relevant:

  1. Compute Storage Admin (roles/compute.storageAdmin):
    • This role grants permissions to create, modify, and delete disk resources.
    • It’s suitable for managing persistent disks and snapshots.
  2. Project Editor (roles/editor):
    • Like with network management, this role provides broad access to modify resources within the project, including compute disks.

Best Practices for Role Assignment

  • Principle of Least Privilege: Assign only the roles that provide the minimum necessary permissions to perform the intended tasks. For example, if your Terraform script only needs to manage networks, the Compute Network Admin role would be sufficient.
  • Custom Roles: For more granular control, consider creating custom roles in GCP with precisely the permissions you need. This approach is particularly useful in tightly controlled environments or when adhering to specific compliance requirements.

Using the Roles in Terraform

When configuring your Terraform provider, you don’t specify these roles directly in the Terraform script. Instead, you assign these roles to the service account that Terraform uses, either through the Google Cloud Console or using the gcloud command-line tool.

After the service account is set up with the necessary roles, you use the service account’s credentials in your Terraform provider configuration:

provider "google" {
  credentials = file("<PATH_TO_SERVICE_ACCOUNT_KEY>.json")
  project     = "<YOUR_PROJECT_ID>"
  region      = "<YOUR_REGION>"
  zone        = "<YOUR_ZONE>"
}

Replace <PATH_TO_SERVICE_ACCOUNT_KEY>.json, <YOUR_PROJECT_ID>, <YOUR_REGION>, and <YOUR_ZONE> with your actual file path and project details.

Related

automation

Service account roles used by Terraform to manage resources

cloud

Comparing AWS Aurora and GCP Spanner

Copyright 2023, Nasser Naini, All rights reserved