diff --git a/examples/api/README.MD b/examples/api/README.MD
new file mode 100644
index 0000000..673106a
--- /dev/null
+++ b/examples/api/README.MD
@@ -0,0 +1,32 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [google](#provider\_google) | 6.8.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_project_service.enabled_services](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [project](#input\_project) | The project ID to create the service account in. For project collection, this will also assign the IAM roles to the account in the project. | `string` | n/a | yes |
+| [services](#input\_services) | The list of APIs to enable for observe collection | `set(string)` |
[| no | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/api/api.auto.tfvars b/examples/api/api.auto.tfvars new file mode 100644 index 0000000..fbeae35 --- /dev/null +++ b/examples/api/api.auto.tfvars @@ -0,0 +1 @@ +project = "my_project_id" diff --git a/examples/api/main.tf b/examples/api/main.tf new file mode 100644 index 0000000..8338a9d --- /dev/null +++ b/examples/api/main.tf @@ -0,0 +1,7 @@ + +resource "google_project_service" "enabled_services" { + for_each = var.services + + project = var.project + service = each.key +} \ No newline at end of file diff --git a/examples/api/variables.tf b/examples/api/variables.tf new file mode 100644 index 0000000..7a04539 --- /dev/null +++ b/examples/api/variables.tf @@ -0,0 +1,29 @@ + +variable "project" { + type = string + description = "The project ID where apis will be enabled" +} + +variable "services" { + description = "The list of APIs to enable for observe collection" + type = set(string) + default = [ + "cloudasset.googleapis.com", + "iam.googleapis.com", + "logging.googleapis.com", + "monitoring.googleapis.com", + "pubsub.googleapis.com", + "cloudresourcemanager.googleapis.com", + "cloudfunctions.googleapis.com", + "cloudbuild.googleapis.com", + "cloudscheduler.googleapis.com", + "storage.googleapis.com", + "sqladmin.googleapis.com", + "compute.googleapis.com", + "serviceusage.googleapis.com", + "container.googleapis.com", + "redis.googleapis.com", + "run.googleapis.com", + "cloudtasks.googleapis.com" + ] +} \ No newline at end of file diff --git a/examples/service_account/README.MD b/examples/service_account/README.MD index e57f685..79de356 100644 --- a/examples/service_account/README.MD +++ b/examples/service_account/README.MD @@ -7,7 +7,7 @@ No requirements. | Name | Version | |------|---------| -| [google](#provider\_google) | 4.78.0 | +| [google](#provider\_google) | 5.19.0 | ## Modules 
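Review bot: `google_project_service.enabled_services` leaves `disable_on_destroy` at its default of true, so a `terraform destroy` of this example switches off every API in `var.services` for the target project, which may also be running workloads that depend on them. For an enablement-only example the safer and more explicit form is to add `disable_on_destroy = false` and `disable_dependent_services = false` inside the resource, with a one-line comment such as `# Enablement only: never disable APIs (or their dependents) when this example is torn down`. The resource block is complete within the hunk.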
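Review bot: The description of `variable "project"` here reads "The project ID where apis will be enabled", but the README generated for this example in the same commit describes it as "The project ID to create the service account in…", text that belongs to the service_account example, so the generated docs no longer match the declared inputs. Regenerate the README from these variables so the two agree, and consider making this description say that the `services` set is enabled only in this project. The `services` variable is complete within the hunk.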
@@ -17,22 +17,24 @@ No modules. | Name | Type | |------|------| -| [google_folder_iam_member.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_member) | resource | | [google_project_iam_member.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_service_account.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_member.sa_token_creator_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [current\_user](#input\_current\_user) | Your user principal to add to terraform service account. Can be retrieved via `gcloud config get-value account` | `string` | n/a | yes | | [folder](#input\_folder) | The folder ID to grant the IAM roles to service account in. | `string` | `null` | no | -| [folder\_collection\_roles](#input\_folder\_collection\_roles) | A list of IAM roles to give to the service account for folder collection. Note that permissions are broad and this account should only be used to set up collection intially and not for anything else. | `set(string)` |
"cloudasset.googleapis.com",
"iam.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"pubsub.googleapis.com",
"cloudresourcemanager.googleapis.com",
"cloudfunctions.googleapis.com",
"cloudbuild.googleapis.com",
"cloudscheduler.googleapis.com",
"storage.googleapis.com",
"sqladmin.googleapis.com",
"compute.googleapis.com",
"serviceusage.googleapis.com",
"container.googleapis.com",
"redis.googleapis.com",
"run.googleapis.com",
"cloudtasks.googleapis.com"
]
[| no | +| [folder\_collection\_roles](#input\_folder\_collection\_roles) | A list of IAM roles to give to the service account for folder collection. Note that permissions are broad and this account should only be used to set up collection intially and not for anything else. | `set(string)` |
"roles/browser",
"roles/cloudasset.owner",
"roles/cloudfunctions.admin",
"roles/cloudscheduler.admin",
"roles/cloudtasks.admin",
"roles/iam.serviceAccountCreator",
"roles/iam.serviceAccountDeleter",
"roles/iam.serviceAccountKeyAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.admin",
"roles/monitoring.admin",
"roles/pubsub.admin",
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.projectCreator",
"roles/resourcemanager.projectDeleter",
"roles/resourcemanager.projectMover",
"roles/serviceusage.serviceUsageAdmin",
"roles/serviceusage.serviceUsageConsumer",
"roles/servicemanagement.admin",
"roles/storage.admin"
]
[| no | | [project](#input\_project) | The project ID to create the service account in. For project collection, this will also assign the IAM roles to the account in the project. | `string` | n/a | yes | -| [project\_collection\_roles](#input\_project\_collection\_roles) | A list of IAM roles to give to the service account. Note that permissions are broad and this account should only be used to set up collection intially and not for anything else. | `set(string)` |
"roles/browser",
"roles/cloudasset.owner",
"roles/cloudfunctions.admin",
"roles/cloudscheduler.admin",
"roles/cloudtasks.admin",
"roles/cloudtasks.queueAdmin",
"roles/iam.serviceAccountCreator",
"roles/iam.serviceAccountDeleter",
"roles/iam.serviceAccountKeyAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.admin",
"roles/monitoring.admin",
"roles/pubsub.admin",
"roles/resourcemanager.folderAdmin",
"roles/serviceusage.serviceUsageAdmin",
"roles/serviceusage.serviceUsageConsumer",
"roles/servicemanagement.admin",
"roles/storage.admin"
]
[| no | +| [project\_collection\_roles](#input\_project\_collection\_roles) | A list of IAM roles to give to the service account. Note that permissions are broad and this account should only be used to set up collection intially and not for anything else. | `set(string)` |
"roles/browser",
"roles/cloudasset.owner",
"roles/cloudfunctions.admin",
"roles/cloudscheduler.admin",
"roles/cloudtasks.admin",
"roles/iam.serviceAccountCreator",
"roles/iam.serviceAccountDeleter",
"roles/iam.serviceAccountKeyAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.admin",
"roles/monitoring.admin",
"roles/pubsub.admin",
"roles/resourcemanager.projectIamAdmin",
"roles/serviceusage.serviceUsageAdmin",
"roles/serviceusage.serviceUsageConsumer",
"roles/servicemanagement.admin",
"roles/storage.admin"
]
[| no | ## Outputs | Name | Description | |------|-------------| | [service\_account](#output\_service\_account) | n/a | +| [service\_account\_email](#output\_service\_account\_email) | n/a | \ No newline at end of file diff --git a/examples/service_account/main.tf b/examples/service_account/main.tf index c4863dd..e6a7b6d 100644 --- a/examples/service_account/main.tf +++ b/examples/service_account/main.tf @@ -1,25 +1,34 @@ resource "google_service_account" "this" { - account_id = "observe-collect" + account_id = "terraform-observe-collect-sa" description = "Used to set up collection" project = var.project } +# Grant yourself the Service Token Creator Role +resource "google_service_account_iam_member" "sa_token_creator_role" { + service_account_id = google_service_account.this.name + role = "roles/iam.serviceAccountTokenCreator" + member = "user:${var.current_user}" +} + ############### # # Uncomment the first section for a service account that can deploy to a project # and uncomment the second section for folder collection. If you are deploying to # a folder, you need to add the folder id to the service_account.auto.tfvars file as well. -# +# +# The default is to use a project + ################ -# resource "google_project_iam_member" "this" { -# for_each = var.project_collection_roles +resource "google_project_iam_member" "this" { + for_each = var.project_collection_roles -# project = var.project -# role = each.key -# member = "serviceAccount:${google_service_account.this.email}" -# } + project = var.project + role = each.key + member = "serviceAccount:${google_service_account.this.email}" +} # resource "google_folder_iam_member" "this" { # for_each = var.folder_collection_roles @@ -27,4 +36,5 @@ resource "google_service_account" "this" { # folder = var.folder # role = each.key # member = "serviceAccount:${google_service_account.this.email}" -# } \ No newline at end of file +# } + 
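Review bot: The new `google_service_account_iam_member.sa_token_creator_role` grants `roles/iam.serviceAccountTokenCreator` on an account that, with `google_project_iam_member.this` now active by default, is bound to every role in `project_collection_roles` (including `roles/resourcemanager.projectIamAdmin` and `roles/iam.serviceAccountKeyAdmin` per variables.tf in this commit), so the principal in `current_user` effectively inherits all of them; the comment should say so instead of just "Grant yourself". Suggested replacement: `# Lets var.current_user impersonate this account (mint tokens); that principal effectively holds every role bound below, so keep it to the operator running Terraform`. The `member` line also hardcodes the `user:` principal type, so a service-account email (CI, Workload Identity) would yield a wrong binding; state that constraint in the variable description or accept a full member string. The header comment above `google_project_iam_member.this` still says "Uncomment the first section", which is stale now that the project block is active by default.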
diff --git a/examples/service_account/output.tf b/examples/service_account/output.tf
index a15d87e..4665c0e 100644
--- a/examples/service_account/output.tf
+++ b/examples/service_account/output.tf
@@ -1,3 +1,7 @@
 output "service_account" {
- value = google_service_account.this
+ value = google_service_account.this
+}
+
+output "service_account_email" {
+ value = google_service_account.this.email
 }
\ No newline at end of file
diff --git a/examples/service_account/service_account.auto.tfvars b/examples/service_account/service_account.auto.tfvars
index ebd3cd3..bbcb5a9 100644
--- a/examples/service_account/service_account.auto.tfvars
+++ b/examples/service_account/service_account.auto.tfvars
@@ -1,2 +1,3 @@
 project = "my_project_id"
-# folder ="my_folder_id" #uncomment for folder collection
\ No newline at end of file
+# folder ="my_folder_id" #uncomment for folder collection
+current_user = "my-principal-email@gmail.com" #Get via gcloud config get-value account
diff --git a/examples/service_account/variables.tf b/examples/service_account/variables.tf
index 3a1c288..f5a80c9 100644
--- a/examples/service_account/variables.tf
+++ b/examples/service_account/variables.tf
@@ -1,3 +1,24 @@
+
+variable "project" {
+ type = string
+ description = <<-EOF
+ The project ID to create the service account in. For project collection, this will also assign the IAM roles to the account in the project.
+ EOF
+}
+
+variable "folder" {
+ type = string
+ description = <<-EOF
+ The folder ID to grant the IAM roles to service account in.
+ EOF
+ default = null
+}
+
+variable "current_user" {
+ type = string
+ description = "Your user principal email to add to terraform service account. Can be retrieved via `gcloud config get-value account`"
+}
+
 variable "project_collection_roles" {
 description = <<-EOF
 A list of IAM roles to give to the service account. Note that permissions are broad and this account should only be used to set up collection intially and not for anything else.
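Review bot: `variable "current_user"` accepts any string, yet main.tf in this commit interpolates it as `user:${var.current_user}`, so a value that already carries a `user:` or `serviceAccount:` prefix, or a service-account email, produces an invalid or wrong IAM member with no plan-time error. A validation block requiring a bare email makes the contract explicit, and the description should say that this principal gains impersonation rights over a broadly privileged service account. The regex below is a constructed sanity check, not a full RFC address validator. The `project_collection_roles` block continues past the end of the hunk.
```hcl
variable "current_user" {
  type        = string
  description = "Bare email (no user:/serviceAccount: prefix) of the principal allowed to impersonate the Terraform service account; it effectively inherits every role bound to that account. Retrieve via `gcloud config get-value account`."
  validation {
    condition     = can(regex("^[^:@]+@[^:@]+$", var.current_user))
    error_message = "current_user must be a bare email address; main.tf adds the user: prefix."
  }
}
```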
@@ -10,6 +31,8 @@ variable "project_collection_roles" {
 "roles/cloudfunctions.admin",
 "roles/cloudscheduler.admin",
 "roles/cloudtasks.admin",
+ "roles/cloudtasks.queueAdmin",
+ "roles/cloudfunctions.admin",
 "roles/iam.serviceAccountCreator",
 "roles/iam.serviceAccountDeleter",
 "roles/iam.serviceAccountKeyAdmin",
@@ -38,6 +61,7 @@ variable "folder_collection_roles" {
 "roles/cloudfunctions.admin",
 "roles/cloudscheduler.admin",
 "roles/cloudtasks.admin",
+ "roles/cloudtasks.queueAdmin",
 "roles/iam.serviceAccountCreator",
 "roles/iam.serviceAccountDeleter",
 "roles/iam.serviceAccountKeyAdmin",
@@ -47,27 +71,9 @@ variable "folder_collection_roles" {
 "roles/monitoring.admin",
 "roles/pubsub.admin",
 "roles/resourcemanager.folderAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/resourcemanager.projectDeleter",
- "roles/resourcemanager.projectMover",
 "roles/serviceusage.serviceUsageAdmin",
 "roles/serviceusage.serviceUsageConsumer",
 "roles/servicemanagement.admin",
 "roles/storage.admin",
 ]
 }
-
-variable "project" {
- type = string
- description = <<-EOF
- The project ID to create the service account in. For project collection, this will also assign the IAM roles to the account in the project.
- EOF
-}
-
-variable "folder" {
- type = string
- description = <<-EOF
- The folder ID to grant the IAM roles to service account in.
- EOF
- default = null
-}
\ No newline at end of file
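Review bot: The second line added in `@@ -10,6 +31,8 @@`, `"roles/cloudfunctions.admin"`, duplicates the context line four lines above it in the same default list; `set(string)` deduplicates silently so nothing fails, but the stray entry should be removed (it is also carried into the regenerated README). The `"roles/cloudtasks.queueAdmin"` added here and again in `@@ -38,6 +61,7 @@` sits next to `roles/cloudtasks.admin`, which is already in both lists and, as far as I know, is a superset of it — confirm against the role reference; if admin stays, the narrower role adds nothing, and if least privilege is the goal, keep only queueAdmin. Both default lists continue outside the hunks.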
"roles/browser",
"roles/cloudasset.owner",
"roles/cloudfunctions.admin",
"roles/cloudscheduler.admin",
"roles/cloudtasks.admin",
"roles/cloudtasks.queueAdmin",
"roles/cloudfunctions.admin",
"roles/iam.serviceAccountCreator",
"roles/iam.serviceAccountDeleter",
"roles/iam.serviceAccountKeyAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.admin",
"roles/monitoring.admin",
"roles/pubsub.admin",
"roles/resourcemanager.projectIamAdmin",
"roles/serviceusage.serviceUsageAdmin",
"roles/serviceusage.serviceUsageConsumer",
"roles/servicemanagement.admin",
"roles/storage.admin"
]