2 votes

I have a Google Cloud Service Account user created in Terraform:

resource "google_service_account" "firestore_sa" {
  # account_id accepts only lowercase letters, digits and hyphens (6-30 chars),
  # so the separator must be a hyphen rather than an underscore
  account_id   = "firestore-sa-${random_id.project-unique-id.hex}"
}

I want to give the Service Account owner access to Firestore and tried this without any luck:

resource "google_service_account_iam_binding" "firestore_sa_role" {
  service_account_id = google_service_account.firestore_sa.name
  role               = "roles/datastore.owner"
  members            = ["serviceAccount:${google_service_account.firestore_sa.email}"]
}

The error I get is:

Error 400: Role roles/datastore.owner is not supported for this resource., badRequest

I can add this easily enough using GCloud:

gcloud projects add-iam-policy-binding MyProject-ABC123 \
  --member serviceAccount:[email protected] \
  --role roles/datastore.owner

I am having a problem translating between the two and could use some help.

1 Answer

4 votes

I got it!

The first part is that the gcloud command hides something Terraform does not - you need all 3 of these:

  1. google_service_account (+key)
  2. google_project_iam_binding
  3. google_project_iam_member

The second part was that I was using google_service_account_iam_binding instead of the project binding. The project binding is what I really needed here. So my final configuration wound up looking like:

resource "google_project_iam_binding" "firestore_sa_binding" {
  # Authoritative for roles/datastore.owner on the project: after apply, the
  # members list below is the complete set of principals holding this role.
  role    = "roles/datastore.owner"
  members = ["serviceAccount:${google_service_account.firestore_sa.email}"]
}

resource "google_project_iam_member" "firestore_sa_member" {
  # Additive: grants this single member the role and leaves every other
  # member of the role in the project policy untouched.
  role   = "roles/datastore.owner"
  member = "serviceAccount:${google_service_account.firestore_sa.email}"
}
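The complete translation of the gcloud command, as an added example that is not part of the question or the answer above. It keeps the two IAM scopes apart, which is the root of the original error: project-level IAM (google_project_iam_*) says what the service account may do in the project, while service-account-level IAM (google_service_account_iam_*) says who may use or impersonate the service account, and only accepts roles defined on that resource. The project ID, the random_id resource, the provider block and the CI group are assumptions made for the example.

```hcl
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

# Assumed provider configuration; the project ID is hypothetical.
provider "google" {
  project = "my-project-abc123"
  region  = "us-central1"
}

# Assumed definition of the random_id the question references.
resource "random_id" "project-unique-id" {
  byte_length = 4
}

# The service account. account_id allows only lowercase letters, digits and
# hyphens (6-30 characters), so no underscores.
resource "google_service_account" "firestore_sa" {
  account_id   = "firestore-sa-${random_id.project-unique-id.hex}"
  display_name = "Firestore access for the application"
}

# Project-level grant: the Terraform equivalent of
#   gcloud projects add-iam-policy-binding my-project-abc123 \
#     --member serviceAccount:<firestore_sa email> --role roles/datastore.owner
# google_project_iam_member is additive: it adds exactly this member to this
# role and does not touch other members of the role in the project policy.
resource "google_project_iam_member" "firestore_sa_datastore_owner" {
  project = "my-project-abc123"
  role    = "roles/datastore.owner"
  member  = "serviceAccount:${google_service_account.firestore_sa.email}"
}

# Service-account-level grant: what google_service_account_iam_* is for.
# It answers "who may act as firestore_sa", not "what may firestore_sa do".
# Only roles defined on the service account resource (roles/iam.serviceAccountUser,
# roles/iam.serviceAccountTokenCreator, ...) are accepted here, which is why
# roles/datastore.owner was rejected with "not supported for this resource".
resource "google_service_account_iam_member" "ci_can_act_as_firestore_sa" {
  service_account_id = google_service_account.firestore_sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "group:ci-deployers@example.com" # hypothetical CI group
}

output "firestore_sa_email" {
  value = google_service_account.firestore_sa.email
}
```

Two practical notes. First, no google_service_account_key is needed to grant a role; a key is a long-lived credential and is only required when something outside Google Cloud has to authenticate as the account, so leave it out unless that is the case. Second, prefer google_project_iam_member for a single grant like this one: google_project_iam_binding is authoritative for the role and will strip any other principal holding roles/datastore.owner in the project on the next apply, and declaring both a binding and a member for the same role and member is redundant.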