Integrating with Terraform

If you use Terraform to manage your infrastructure, you can use the beta version of the Google Cloud Provider to define the following resources in your Terraform configuration.

Define your repository and repository-specific permissions in a Terraform module.

  1. Create the main.tf module file with the google provider and the repository resource.

    The following configuration defines the provider and a repository with the Terraform resource name my-repo.

    provider "google" {
      project = "PROJECT-ID"
    }

    # The repository resource below selects the google-beta provider,
    # so that provider needs its own configuration block as well.
    provider "google-beta" {
      project = "PROJECT-ID"
    }

    resource "google_artifact_registry_repository" "my-repo" {
      provider = google-beta

      location      = "LOCATION"
      repository_id = "REPOSITORY"
      description   = "DESCRIPTION"
      format        = "DOCKER"
      kms_key_name  = "KEY"
    }
    

    Where

    • PROJECT-ID is the Google Cloud project ID
    • REPOSITORY is the repository name
    • LOCATION is the repository location
    • DESCRIPTION is the optional description for the repository
    • KEY is the name of the Cloud Key Management Service key, if you are using customer-managed encryption keys (CMEK) for encryption. Omit this argument to use the default setting, Google-managed encryption keys.
  2. To grant repository-specific permissions in your module, add the google_artifact_registry_repository_iam resources. The following example defines a service account with the resource name repo-account and grants it read access to a repository with the resource name my-repo.

    provider "google" {
      project = "PROJECT-ID"
    }

    # The resources below select the google-beta provider,
    # so that provider needs its own configuration block as well.
    provider "google-beta" {
      project = "PROJECT-ID"
    }

    resource "google_artifact_registry_repository" "my-repo" {
      provider = google-beta

      location      = "LOCATION"
      repository_id = "REPOSITORY"
      description   = "DESCRIPTION"
      format        = "DOCKER"
    }

    resource "google_service_account" "repo-account" {
      provider = google-beta

      account_id   = "ACCOUNT-ID"
      display_name = "Repository Service Account"
    }

    # Grants the service account read access on this one repository only,
    # rather than a project-wide Artifact Registry role.
    resource "google_artifact_registry_repository_iam_member" "repo-iam" {
      provider = google-beta

      location   = google_artifact_registry_repository.my-repo.location
      repository = google_artifact_registry_repository.my-repo.name
      role       = "roles/artifactregistry.reader"
      member     = "serviceAccount:${google_service_account.repo-account.email}"
    }
    

    ACCOUNT-ID is the ID of the service account. This is the part of the service account email address before the @ symbol.

    For additional examples, including assigning permissions with an IAM policy, see the google_artifact_registry_repository_iam documentation.

  3. Initialize Terraform:

    terraform init
    
  4. Apply the Terraform configuration:

    terraform apply
    

    Confirm you want to apply the actions by entering yes.
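The following module is an added example, not code from the Artifact Registry documentation. It extends steps 1 and 2 by pinning the google-beta provider, replacing the placeholders with input variables, and giving the CI pipeline and the runtime workload separate identities with only the repository-level role each needs; the variable names, account IDs, and the version constraint are assumptions.

```hcl
terraform {
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 4.0" # assumption: pin a major line so provider upgrades are deliberate
    }
  }
}
provider "google-beta" {
  project = var.project_id
}
variable "project_id" { type = string }
variable "location" { type = string }
variable "kms_key_name" { type = string } # full resource name of the Cloud KMS key used for CMEK

resource "google_artifact_registry_repository" "images" {
  provider      = google-beta
  location      = var.location
  repository_id = "images"
  format        = "DOCKER"
  kms_key_name  = var.kms_key_name
}

# CI identity: may push images to this repository and nothing more.
resource "google_service_account" "ci" {
  provider     = google-beta
  account_id   = "images-ci"
  display_name = "CI image publisher"
}

# Runtime identity: may only pull images from this repository.
resource "google_service_account" "runtime" {
  provider     = google-beta
  account_id   = "images-runtime"
  display_name = "Image consumer"
}

# One repository-scoped grant per identity; no project-wide Artifact Registry roles.
resource "google_artifact_registry_repository_iam_member" "grant" {
  for_each = {
    ci      = { email = google_service_account.ci.email, role = "roles/artifactregistry.writer" }
    runtime = { email = google_service_account.runtime.email, role = "roles/artifactregistry.reader" }
  }
  provider   = google-beta
  location   = google_artifact_registry_repository.images.location
  repository = google_artifact_registry_repository.images.name
  role       = each.value.role
  member     = "serviceAccount:${each.value.email}"
}
```

Run terraform plan before terraform apply and check that the only IAM changes shown are the two repository-level member grants.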