Enabling Access Approval using Terraform

Terraform is an open-source infrastructure-as-code tool. With the Google Cloud Terraform provider you can manage Access Approval settings, such as which services are enrolled and which email addresses receive request notifications, as code. Terraform manages the same settings that you can configure through the Access Approval API; approving or dismissing individual access requests is still done through the API, the Google Cloud Console, or the gcloud CLI.

This page describes how you can enable Access Approval using Terraform. This tutorial uses the Google Cloud Terraform Provider.

Objective

This tutorial teaches how you can create a Terraform configuration file that:

  • Creates a folder and sets the email addresses that receive Access Approval request notifications for it.
  • Enables Access Approval on that folder for all supported Google Cloud products. For the complete list of Google Cloud products supported by Access Approval, see Supported services.

Before you begin

Creating a Google Cloud project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
  3. Enable the Access Approval API.

Installing Cloud SDK

Install and initialize the Cloud SDK.

When prompted, choose the project that you selected or created earlier.

If you already have Cloud SDK installed, update it using the following command:

gcloud components update

Creating a Terraform configuration file

  1. Open Cloud Shell to launch a standalone Cloud Shell session.
  2. Open a workspace.
  3. Create a new folder.
  4. Add a Terraform configuration file named main.tf to this folder.
  5. Copy the following resource, and paste it in your main.tf file.

    main.tf

    # Parent of the new folder: "organizations/ORG_ID" or "folders/FOLDER_ID".
    variable "parent_value" {
      type = string
    }

    # Addresses that receive a notification for each access request in the folder.
    variable "email_1" {
      type = string
    }

    variable "email_2" {
      type = string
    }

    resource "google_folder" "my_folder" {
      display_name = "my-folder"
      parent       = var.parent_value
      # parent = "organizations/123456789"
    }

    # Access Approval settings are set on the folder and inherited by the
    # folders and projects under it.
    resource "google_folder_access_approval_settings" "folder_access_approval" {
      folder_id           = google_folder.my_folder.folder_id
      notification_emails = [var.email_1, var.email_2]

      # "all" enrolls every service that Access Approval supports.
      enrolled_services {
        cloud_product = "all"
      }
    }
    

    Enter values for the following variables:

    • email_1 and email_2: the email addresses that should receive a notification when an access request is made for this folder. Being a notification recipient does not grant approval rights; a user who approves or dismisses requests needs the Access Approval Approver IAM role (roles/accessapproval.approver) on the folder.
    • parent_value: the parent under which the my_folder folder is created, either an organization (organizations/ORG_ID) or an existing folder (folders/FOLDER_ID). For more information about folders, see Creating and managing folders.

Executing the Terraform configuration file

Execute the following commands in Cloud Shell.

  1. Initialize Terraform in the directory.

    terraform init
    
  2. Apply the Terraform configuration.

    terraform apply
    
  3. When prompted to confirm the execution of the configuration file, enter yes.
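The two procedures above, creating the configuration and applying it, can be wrapped in a small script so that the inputs are validated before Terraform ever runs and only a reviewed plan is applied. The script below is an added example, not code from the original page or from the Terraform provider. Its function names, the terraform.tfvars layout and the RUN_DEPLOY switch are this example's own conventions, and it assumes that main.tf also declares an output named folder_id (for example, output "folder_id" { value = google_folder.my_folder.folder_id }) so that the result can be read back independently through gcloud.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a wrapper for the workflow above.
# It validates the three inputs, writes them to terraform.tfvars (mode 0600)
# instead of passing them on the command line, applies only the plan that was
# reviewed, and reads the result back with gcloud. Function names and the
# RUN_DEPLOY switch are this example's own. It assumes main.tf also declares
#   output "folder_id" { value = google_folder.my_folder.folder_id }
set -eu

# google_folder.parent must be "organizations/<digits>" or "folders/<digits>".
# Anything else (project names, empty IDs, stray characters) is rejected here
# rather than at apply time.
validate_parent() {
  case "$1" in
    organizations/[0-9]*|folders/[0-9]*)
      case "${1#*/}" in
        *[!0-9]*) return 1 ;;   # something other than digits after the slash
        *)        return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Minimal sanity check for a notification address: exactly one "@", a dot in
# the domain part, and no whitespace or quote characters that could break the
# generated HCL. It does not prove that the mailbox exists.
validate_email() {
  case "$1" in
    *[[:space:]]*|*\"*|*\\*|*@*@*|@*|*@) return 1 ;;
    *@*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write terraform.tfvars into DIR after validating every value. Nothing is
# written if any value is invalid, so a bad run cannot leave a half-edited file.
write_tfvars() {
  dir=$1 parent=$2 email1=$3 email2=$4
  validate_parent "$parent" || { echo "invalid parent_value: $parent" >&2; return 1; }
  validate_email "$email1"  || { echo "invalid email_1: $email1" >&2; return 1; }
  validate_email "$email2"  || { echo "invalid email_2: $email2" >&2; return 1; }
  ( umask 077; cat >"$dir/terraform.tfvars" <<EOF
parent_value = "$parent"
email_1      = "$email1"
email_2      = "$email2"
EOF
  )
}

# init, plan to a file, show the plan for review, then apply exactly that file.
# -input=false turns a missing variable into an error instead of a prompt.
deploy_access_approval() {
  terraform -chdir="$1" init -input=false
  terraform -chdir="$1" plan -input=false -out=tfplan
  terraform -chdir="$1" show tfplan
  terraform -chdir="$1" apply -input=false tfplan
}

# Independent check: read the settings back through gcloud, not Terraform state.
verify_settings() {
  folder_id=$(terraform -chdir="$1" output -raw folder_id)
  gcloud access-approval settings get --folder="$folder_id"
}

# The deployment only runs when asked for explicitly, for example:
#   RUN_DEPLOY=1 ./deploy.sh . organizations/123456789 alice@example.com bob@example.com
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  write_tfvars "$1" "$2" "$3" "$4"
  deploy_access_approval "$1"
  verify_settings "$1"
fi
```

Saving the plan with -out and applying that file, rather than running a second interactive apply, guarantees that what was reviewed is what gets applied. Reading the settings back with gcloud access-approval settings get gives a confirmation that does not depend on Terraform's own state file.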

For more information about operating Access Approval with Terraform, see this Terraform document: google_folder_access_approval_settings.

What's next