Enabling Access Approval using Terraform

Terraform is an open-source infrastructure-as-code software tool that lets you manage your Access Approval requests. Terraform lets you perform all the actions that you can perform using Access Approval APIs.

This page describes how you can enable Access Approval using Terraform. This tutorial uses the Google Cloud Terraform Provider.

Objective

This tutorial teaches how you can create a Terraform configuration file that:

• Sets email addresses for Access Approval request notifications.
• Enables Access Approval for all supported Google Cloud products. For the complete list of Google Cloud products supported by Access Approval, see Supported services.

Before you begin

• To use Access Approval and Access Transparency, your organization must meet specific support requirements. For more information, see Requirements for using Access Approval.
• Enable Access Transparency on your organization. For more information, see Enabling Access Transparency.
• Ensure that you have the Access Approval Config Editor (roles/accessapproval.configEditor) Identity and Access Management (IAM) role. For more information about IAM roles for Access Approval, see Access Approval roles.

Creating a Google Cloud project

1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

3. Enable the Access Approval API.

   Enable the API

4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

5. Enable the Access Approval API.

   Enable the API

Installing Google Cloud CLI

Install the Google Cloud CLI, then initialize it by running the following command:

gcloud init

When prompted, choose the project that you selected or created earlier.

If you already have Google Cloud CLI installed, update it using the following command:

gcloud components update

Creating a Terraform configuration file

1. Open Cloud Shell to launch a standalone Cloud Shell session.
2. Open a workspace.
3. Create a new folder.
4. Add a Terraform configuration file named main.tf to this folder.

5. Copy the following resource, and paste it in your main.tf file.

   main.tf

   variable "parent_value" {
   type        = string
   }
   
   variable "email_1" {
   type        = string
   }
   
   variable "email_2" {
   type        = string
   }
   
   resource "google_folder" "my_folder" {
   display_name = "my-folder"
   parent       = var.parent_value
   # parent = "organizations/123456789"
   }
   
   resource "google_folder_access_approval_settings" "folder_access_approval" {
   folder_id           = google_folder.my_folder.folder_id
   notification_emails = [var.email_1, var.email_2]
   
   enrolled_services {
     cloud_product = "all"
     }
   }
   

   Enter values for the following variables:

   • email_1 and email_2: provide the email addresses of users who you want to set as reviewers for the access requests for this project.

   • parent_value: name of the folder in which you want to create the my_folder folder. For more information about folders, see Creating and managing folders.

Running the Terraform configuration file

Run the following commands in Cloud Shell.

1. Initialize Terraform in the directory.

   terraform init
   

2. Run the created Terraform configuration file.

   terraform apply
   

3. When prompted to confirm if you want to run the configuration file, enter yes.

For more information about operating Access Approval with Terraform, see this Terraform document: google_folder_access_approval_settings.

What's next

• Using Terraform with Google Cloud
• Using Terraform with Access Approval
• Getting started with Terraform on Google Cloud
• Kickstart Terraform on Google Cloud with Cloud Shell