確認您具備存取權核准設定編輯者 (roles/accessapproval.configEditor) Identity and Access Management (IAM) 角色。如要進一步瞭解存取核准的 IAM 角色,請參閱「存取核准角色」。
建立 Google Cloud 專案
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eTerraform is used to manage Access Approval requests, enabling actions available through Access Approval APIs.\u003c/p\u003e\n"],["\u003cp\u003eThis guide demonstrates how to create a Terraform configuration file that sets email addresses for Access Approval request notifications.\u003c/p\u003e\n"],["\u003cp\u003eThe Terraform configuration file created will enable Access Approval for all supported Google Cloud products.\u003c/p\u003e\n"],["\u003cp\u003eBefore starting, you need to meet specific support requirements for Access Approval and Access Transparency, as well as ensure you have the necessary IAM roles.\u003c/p\u003e\n"],["\u003cp\u003eThe guide provides step-by-step instructions to run the Terraform configuration file, including initializing Terraform and applying the configuration.\u003c/p\u003e\n"]]],[],null,["# Enabling Access Approval using Terraform\n========================================\n\n[Terraform](https://terraform.io) is an open-source infrastructure-as-code software tool that\nlets you manage your Access Approval requests. Terraform lets you perform\nall the actions that you can perform using Access Approval APIs.\n\nThis page describes how you can enable Access Approval using Terraform.\nThis tutorial uses the [Google Cloud Terraform Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs).\n\nObjective\n---------\n\nThis tutorial teaches how you can create a Terraform configuration file that:\n\n- Sets email addresses for Access Approval request notifications.\n- Enables Access Approval for all supported Google Cloud products. For the complete list of Google Cloud products supported by Access Approval, see [Supported services](/assured-workloads/access-approval/docs/supported-services).\n\nBefore you begin\n----------------\n\n- To use Access Approval and Access Transparency, your organization must meet specific support requirements. For more information, see [Requirements for using\n Access Approval](/assured-workloads/access-approval/docs/overview#requirements).\n- Enable [Access Transparency](/assured-workloads/access-transparency/docs/overview) on your organization. For more information, see [Enabling Access Transparency](/assured-workloads/access-transparency/docs/enable).\n- Ensure that you have the **Access Approval\n Config Editor** (`roles/accessapproval.configEditor`) Identity and Access Management (IAM) role. For more information about IAM roles for Access Approval, see [Access Approval\n roles](/iam/docs/understanding-roles#access-approval-roles).\n\nCreating a Google Cloud project\n-------------------------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n\n\n Enable the Access Approval API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=accessapproval.googleapis.com)\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n\n\n Enable the Access Approval API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=accessapproval.googleapis.com)\n\n\u003cbr /\u003e\n\nInstalling Google Cloud CLI\n---------------------------\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- When prompted, choose the project that you selected or created earlier.\n- If you already have Google Cloud CLI installed, update it using the following command: \n\n gcloud components update\n\nCreating a Terraform configuration file\n---------------------------------------\n\n 1. [Open Cloud Shell](https://shell.cloud.google.com) to launch a standalone Cloud Shell session.\n 2. Open a workspace.\n 3. Create a new folder.\n 4. Add a Terraform configuration file named `main.tf` to this folder.\n 5. Copy the following resource, and paste it in your `main.tf` file.\n\n ### main.tf\n\n variable \"parent_value\" {\n type = string\n }\n\n variable \"email_1\" {\n type = string\n }\n\n variable \"email_2\" {\n type = string\n }\n\n resource \"google_folder\" \"my_folder\" {\n display_name = \"my-folder\"\n parent = var.parent_value\n # parent = \"organizations/123456789\"\n }\n\n resource \"google_folder_access_approval_settings\" \"folder_access_approval\" {\n folder_id = google_folder.my_folder.folder_id\n notification_emails = [var.email_1, var.email_2]\n\n enrolled_services {\n cloud_product = \"all\"\n }\n }\n\n Enter values for the following variables:\n - `email_1` and `email_2`: provide the email addresses of users who you want to set as reviewers for the access requests for this project.\n\n | **Note:** These users must have the IAM roles with required permissions to view or approve an Access Approval request. To ensure these users have sufficient permissions, follow these steps: \n | 1. Go to the [**IAM**\n | page](https://console.cloud.google.com/iam-admin/iam) in the Google Cloud console.\n | 2. To enable a user or service account to approve access requests for a project, grant them the **Access Approval Approver** (`roles/accessapproval.approver`) IAM role.\n - `parent_value`: name of the folder in which you want to create the `my_folder` folder. For more information about folders, see [Creating and\n managing folders](/resource-manager/docs/creating-managing-folders).\n\nRunning the Terraform configuration file\n----------------------------------------\n\n- Run the following commands in Cloud Shell.\n 1. Initialize Terraform in the directory.\n\n terraform init\n\n 2. Run the created Terraform configuration file.\n\n terraform apply\n\n 3. When prompted to confirm if you want to run the configuration file, enter\n **yes**.\n\n- For more information about operating Access Approval with Terraform, see this Terraform document: [google_folder_access_approval_settings](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_access_approval_settings).\n\nWhat's next\n-----------\n\n - [Using Terraform with Google Cloud](/docs/terraform)\n - [Using Terraform with Access Approval](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_access_approval_settings)\n - [Getting started with Terraform on Google Cloud](/docs/terraform/get-started-with-terraform)\n - [Kickstart Terraform on Google Cloud with Cloud Shell](https://hashicorp.com/blog/kickstart-terraform-on-gcp-with-google-cloud-shell)"]]
