Integrating with Terraform

If you use Terraform to manage your infrastructure, you can use the beta version of the Google Cloud Platform Provider to define the following resources in your Terraform configuration.

Define your repository and repository-specific permissions in a Terraform module.

  1. Create the main.tf module file with the google-beta provider and the repository resource.

    The following configuration defines the provider and a repository with the Terraform resource name my-repo.

    # The resources below set provider = google-beta, so the project
    # is configured on that provider.
    provider "google-beta" {
      project = "PROJECT-ID"
    }
    
    resource "google_artifact_registry_repository" "my-repo" {
      provider = google-beta
    
      location      = "LOCATION"
      repository_id = "REPOSITORY"
      description   = "DESCRIPTION"
      format        = "DOCKER"
    }
    

    To grant repository-specific permissions in your module, use the google_artifact_registry_repository_iam resources. The following example defines a service account with the resource name repo-account and grants it read access to a repository with the resource name my-repo.

    # The resources below set provider = google-beta, so the project
    # is configured on that provider.
    provider "google-beta" {
      project = "PROJECT-ID"
    }
    
    resource "google_artifact_registry_repository" "my-repo" {
      provider = google-beta
    
      location      = "LOCATION"
      repository_id = "REPOSITORY"
      description   = "DESCRIPTION"
      format        = "DOCKER"
    }
    
    # Service account that receives access to the repository.
    resource "google_service_account" "repo-account" {
      provider = google-beta
    
      account_id   = "ACCOUNT-ID"
      display_name = "Repository Service Account"
    }
    
    # Grants read access on this one repository to the service account.
    resource "google_artifact_registry_repository_iam_member" "repo-iam" {
      provider = google-beta
    
      location   = google_artifact_registry_repository.my-repo.location
      repository = google_artifact_registry_repository.my-repo.name
      role       = "roles/artifactregistry.reader"
      member     = "serviceAccount:${google_service_account.repo-account.email}"
    }
    

    In these configurations:

    • PROJECT-ID is the Google Cloud project ID
    • REPOSITORY is the repository name
    • LOCATION is the repository location
    • DESCRIPTION is the optional description for the repository
    • ACCOUNT-ID is the ID of the service account. This is the part of the service account email field before the @ symbol.

    For additional examples, including assigning permissions with a Cloud IAM policy, see the google_artifact_registry_repository_iam documentation.

  2. Initialize Terraform:

    terraform init
    
  3. Apply the Terraform configuration:

    terraform apply
    

    Confirm you want to apply the actions by entering yes.
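
Before entering yes, the planned repository grants can be checked mechanically. The following is an added example, not part of the original page or the provider's code: it reads a plan exported with terraform plan -out=tfplan followed by terraform show -json tfplan and flags Artifact Registry IAM grants that exceed read access or include public principals. The allowed-role list, the function names and the sample plan are assumptions of the example.

```python
import json
# Assumption of this example: read access is the only grant expected on the repository.
ALLOWED_ROLES = {"roles/artifactregistry.reader"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
IAM_PREFIX = "google_artifact_registry_repository_iam_"

def grants(after):
    """Yield (role, members) for _iam_member, _iam_binding and _iam_policy resources."""
    if after.get("policy_data"):
        for b in json.loads(after["policy_data"]).get("bindings", []):
            yield b.get("role"), b.get("members", [])
    else:
        single = [after["member"]] if after.get("member") else []
        yield after.get("role"), single + list(after.get("members") or [])

def has_unknown(v):  # True if an after_unknown value marks something "known after apply"
    return v is True or (isinstance(v, list) and any(has_unknown(x) for x in v))

def review_plan(plan):
    """Return (address, finding) pairs for planned Artifact Registry IAM grants."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        planned = {"create", "update"} & set(change.get("actions", []))
        if not planned or not rc.get("type", "").startswith(IAM_PREFIX):
            continue
        for role, members in grants(change.get("after") or {}):
            if role not in ALLOWED_ROLES:
                findings.append((rc["address"], f"unexpected role {role}"))
            findings += [(rc["address"], f"{m} makes the repository public")
                         for m in members if m in PUBLIC_MEMBERS]
        unknown = change.get("after_unknown") or {}
        if any(has_unknown(unknown.get(k)) for k in ("member", "members", "policy_data")):
            findings.append((rc["address"], "principal is computed; check it after apply"))
    return findings

# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_artifact_registry_repository_iam_member.repo-iam",
     "type": "google_artifact_registry_repository_iam_member",
     "change": {"actions": ["create"], "after_unknown": {"member": True},
                "after": {"role": "roles/artifactregistry.reader"}}},
    {"address": "google_artifact_registry_repository_iam_binding.open",
     "type": "google_artifact_registry_repository_iam_binding",
     "change": {"actions": ["create"], "after": {
         "role": "roles/artifactregistry.writer", "members": ["allUsers"]}}}]}

if __name__ == "__main__":
    print("\n".join(f"{a}: {f}" for a, f in review_plan(SAMPLE_PLAN)))
```

The first sample entry mirrors the repo-iam resource above: the service account is created in the same plan, so its email is not yet known and the grant is reported for a check after apply.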