Using Terraform with Access Approval

This page describes how to use Terraform with Access Approval. The tutorial uses the Google Cloud Terraform Provider.

Overview

Terraform is an open-source infrastructure-as-code tool that lets you manage your Access Approval resources as code. All Access Approval APIs are available as Terraform resources.

Getting started

To use Access Approval and Access Transparency, your organization must meet specific support requirements. For more information, see Requirements for using Access Approval.

Create a Google Cloud project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

  3. Enable the Access Approval API.

Install the Google Cloud SDK

Install and initialize the Cloud SDK.

When prompted, choose the project that you selected or created above.

If you already have the Cloud SDK installed, update it using the following command.

gcloud components update

Create a Terraform configuration file

  1. Open Cloud Shell to launch a stand-alone Cloud Shell session.
  2. Open a workspace.
  3. Create a new folder and add a file named main.tf to it.
  4. Add the following configuration to your main.tf file.

variable "parent_value" {
  # Parent of the new folder, for example "organizations/123456789".
  type = string
}

resource "google_folder" "my_folder" {
  display_name = "my-folder"
  parent       = var.parent_value
  # parent = "organizations/123456789"
}

resource "google_folder_access_approval_settings" "folder_access_approval" {
  folder_id           = google_folder.my_folder.folder_id
  # Addresses that receive Access Approval requests for this folder.
  notification_emails = ["testuser@example.com", "example.user@example.com"]

  # Require approval for every Google Cloud product, not a subset.
  enrolled_services {
    cloud_product = "all"
  }
}

This configuration file performs the following actions:

  • google_folder.my_folder is created with the display name my-folder.
  • google_folder_access_approval_settings.folder_access_approval is created for that folder with the notification emails testuser@example.com and example.user@example.com, and with all cloud products enrolled.

Run the Terraform configuration file

Execute the following commands in Cloud Shell.

  1. Initialize Terraform in the directory.

    terraform init

  2. Execute the created Terraform configuration file.

    terraform apply

  3. When prompted to confirm the execution of the configuration file, enter yes.
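Before answering yes, it is good practice to review what the plan will do to the Access Approval settings. The following Python check is an added example, not part of this page or of the Terraform provider: it reads the JSON that `terraform plan -out=tfplan` followed by `terraform show -json tfplan` produces and flags a plan that deletes the settings, narrows enrolled services below "all", or routes notifications outside your own mail domain (the domain and the embedded sample plan are constructed assumptions).

```python
"""Pre-apply gate: inspect the JSON plan (terraform plan -out=tfplan;
terraform show -json tfplan) before answering yes to terraform apply."""
import json

ALLOWED_EMAIL_DOMAIN = "example.com"  # assumption: your organization's mail domain

# Constructed sample: a trimmed `terraform show -json tfplan` output for the main.tf above.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_folder.my_folder", "type": "google_folder",
     "change": {"actions": ["create"], "after": {"display_name": "my-folder"}}},
    {"address": "google_folder_access_approval_settings.folder_access_approval",
     "type": "google_folder_access_approval_settings",
     "change": {"actions": ["create"], "after": {
         "notification_emails": ["testuser@example.com", "example.user@example.com"],
         "enrolled_services": [{"cloud_product": "all"}]}}},
]})


def check_access_approval_plan(plan_json: str) -> list:
    """Return a list of findings; an empty list means the plan passes the gate."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "google_folder_access_approval_settings":
            continue
        addr, change = rc["address"], rc.get("change", {})
        # Deleting or replacing the settings drops the approval requirement for the folder.
        if "delete" in change.get("actions", []):
            findings.append(f"{addr}: plan deletes or replaces the Access Approval settings")
            continue
        after = change.get("after") or {}
        # Coverage must stay at "all"; a narrower product list silently exempts services.
        products = {s.get("cloud_product") for s in after.get("enrolled_services", [])}
        if "all" not in products:
            findings.append(f"{addr}: enrolled_services does not cover all products {sorted(map(str, products))}")
        # Approval requests must reach your own domain, not an outside mailbox.
        emails = after.get("notification_emails") or []
        if not emails:
            findings.append(f"{addr}: no notification_emails configured")
        for email in emails:
            if not email.lower().endswith("@" + ALLOWED_EMAIL_DOMAIN):
                findings.append(f"{addr}: notification email outside allowed domain: {email}")
    return findings


if __name__ == "__main__":
    findings = check_access_approval_plan(SAMPLE_PLAN)
    print("plan OK" if not findings else "\n".join("FAIL " + f for f in findings))
```

Run it against the real plan with `terraform show -json tfplan | python3 check_plan.py` after replacing SAMPLE_PLAN with `sys.stdin.read()`; a non-empty finding list is the signal to answer no at the prompt.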

For more information on managing Access Approval with Terraform, see the Terraform provider documentation for google_folder_access_approval_settings.

What's next