IAM Service Account
Create a dedicated IAM Service Account that will be used to run firewall instances. This module is optional - even if you don't use it, firewalls run fine on the default Google Service Account.
The account produced by this module is intended to have minimal required permissions.
Reference
Requirements
terraform, version: >= 1.3, < 2.0
google, version: >= 4.54
Providers
google, version: >= 4.54
Resources
project_iam_member (managed)
service_account (managed)
Required Inputs
| Name | Type | Description |
|---|---|---|
| project_id | string | ID of a project in which the service account will be created. |
Optional Inputs
| Name | Type | Description |
|---|---|---|
| service_account_id | string | |
| display_name | string | |
| roles | set(string) | List of IAM role names, such as ["roles/compute.viewer"] or ["project/A/roles/B"]. |
Outputs
| Name | Description |
|---|---|
| email | |
Required Inputs details
project_id
ID of a project in which the service account will be created.
Type: string
Optional Inputs details
service_account_id
Type: string
Default value: The google_service_account.account_id of the created IAM account, unique string per project.
display_name
Type: string
Default value: Palo Alto Networks Firewall Service Account
roles
List of IAM role names, such as ["roles/compute.viewer"] or ["project/A/roles/B"]. The default list is suitable for Palo Alto Networks Firewall to run and publish custom metrics to GCP Stackdriver.
Type: set(string)
Default value: ["roles/compute.networkViewer", "roles/logging.logWriter", "roles/monitoring.metricWriter", "roles/monitoring.viewer", "roles/viewer", "roles/stackdriver.accounts.viewer", "roles/stackdriver.resourceMetadata.writer"]
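The module's purpose is a service account with minimal required permissions, and the default `roles` list above is the intended ceiling. The check below is an added example, not code from this module: after the module has been applied, it takes a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, builds the member string for the account from `project_id` and `service_account_id`, and reports any role the firewall account holds beyond the module defaults (privilege drift) or is missing. The project id `example-project`, the account id `example-fw-sa` and the sample policy are constructed for the example.

```python
"""Audit a GCP project IAM policy for a firewall service account's bindings.

Added example, not part of the module. It checks that the account created by
the module still holds exactly the module's default roles and nothing broader.
"""
import json

# Default roles the module binds (the module's `roles` default value).
DEFAULT_ROLES = frozenset({
    "roles/compute.networkViewer",
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/viewer",
    "roles/stackdriver.accounts.viewer",
    "roles/stackdriver.resourceMetadata.writer",
})


def service_account_member(project_id, account_id):
    """Return the IAM member string for a service account (standard GCP format)."""
    return "serviceAccount:{}@{}.iam.gserviceaccount.com".format(account_id, project_id)


def roles_for_member(policy, member):
    """Collect every role bound to `member` in a project IAM policy.

    `policy` has the shape produced by `gcloud projects get-iam-policy --format=json`:
    {"bindings": [{"role": "...", "members": ["..."]}, ...], "etag": "...", "version": N}
    """
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_roles(policy, member, expected=DEFAULT_ROLES):
    """Compare the member's actual roles against the expected minimal set.

    Returns {"extra": [...], "missing": [...]}. An empty "extra" list means the
    account has not been granted anything beyond what the module intends; a
    non-empty "missing" list means something removed a binding the firewall needs.
    """
    actual = roles_for_member(policy, member)
    return {
        "extra": sorted(actual - expected),
        "missing": sorted(expected - actual),
    }


# Constructed sample: project id and account id are placeholders, not real values.
FW_MEMBER = service_account_member("example-project", "example-fw-sa")

# Constructed policy: the module's bindings with one default role missing, plus
# an over-broad roles/editor grant on the firewall account that should be flagged.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": role, "members": [FW_MEMBER]}
        for role in sorted(DEFAULT_ROLES - {"roles/monitoring.viewer"})
    ] + [
        # Over-broad grant that should never appear on the firewall account.
        {"role": "roles/editor", "members": ["user:admin@example.com", FW_MEMBER]},
        # Unrelated binding that must not influence the audit result.
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}


if __name__ == "__main__":
    # With a real policy: json.load(open("policy.json")) in place of SAMPLE_POLICY.
    print(json.dumps(audit_roles(SAMPLE_POLICY, FW_MEMBER), indent=2))
```

Run it against the live policy after every `terraform apply`, or from a scheduled job, and treat any non-empty `extra` list as a finding: the module only ever binds the roles in its `roles` input, so anything beyond that was granted outside the module.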