Managing IAM & Security with Terraform

Learn how to manage Google Cloud IAM and Security using Terraform

In this guide, we’ll explore how to manage Google Cloud IAM and Security using Terraform.

Prerequisites

  • Google Cloud SDK installed and configured
  • Terraform installed (version 1.0.0 or later)
  • A GCP project with billing enabled

Project Structure

.
├── main.tf               # Main Terraform configuration file
├── variables.tf          # Variable definitions
├── outputs.tf            # Output definitions
├── terraform.tfvars      # Variable values
└── modules/
    └── iam/
        ├── main.tf       # IAM specific configurations
        ├── variables.tf  # Module variables
        ├── roles.tf      # Custom role configurations
        └── outputs.tf    # Module outputs

Provider Configuration

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

Variables

variable "project_id" {
  description = "The ID of the GCP project"
  type        = string
}

variable "region" {
  description = "The region to deploy resources to"
  type        = string
  default     = "us-central1"
}

Service Account Configuration

resource "google_service_account" "service_account" {
  account_id   = "my-service-account"
  display_name = "My Service Account"
  description  = "Service account for application XYZ"
}

# Creates a long-lived JSON key for the service account. The private key is
# stored (base64-encoded) in the Terraform state, so the state must be
# protected like any other credential.
resource "google_service_account_key" "key" {
  service_account_id = google_service_account.service_account.name
}

# Project-wide binding. roles/editor is a broad basic role; scope it down to
# the custom role below (or a predefined role) once the application's
# permission needs are known.
resource "google_project_iam_member" "project" {
  project = var.project_id
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.service_account.email}"
}
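A least-privilege variant of the binding above, added here as an example rather than the guide's own code. It grants the service account the custom role the guide defines in the next section instead of roles/editor, and exposes the generated key as a sensitive output so the Managing Service Accounts commands have something to read (the output name service_account_key and the resource name project_least_privilege are assumptions).

```hcl
# Added example: bind the guide's custom role instead of the project-wide
# roles/editor. The custom role's id has the form
# projects/<project>/roles/myCustomRole, which is the format the role
# argument expects for custom roles.
resource "google_project_iam_member" "project_least_privilege" {
  project = var.project_id
  role    = google_project_iam_custom_role.custom_role.id
  member  = "serviceAccount:${google_service_account.service_account.email}"
}

# Added example (output name is an assumption): private_key is base64-encoded
# JSON. sensitive = true keeps the value out of plan/apply output and the
# default `terraform output` listing; it is still written to the state file.
output "service_account_key" {
  value       = google_service_account_key.key.private_key
  sensitive   = true
  description = "Base64-encoded JSON key for the service account"
}
```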

Custom Role Configuration

resource "google_project_iam_custom_role" "custom_role" {
  role_id     = "myCustomRole"
  title       = "My Custom Role"
  description = "A custom role with specific permissions"
  permissions = [
    "compute.instances.get",
    "compute.instances.list",
    "storage.buckets.get",
    "storage.objects.list"
  ]
}

IAM Policy Configuration

data "google_iam_policy" "admin" {
  binding {
    role = "roles/storage.objectViewer"
    members = [
      "user:jane@example.com",
    ]
  }

  binding {
    role = "roles/storage.admin"
    members = [
      "user:john@example.com",
    ]
  }
}

# Authoritative: this replaces the bucket's entire IAM policy on every apply,
# removing any binding not listed in data.google_iam_policy.admin.
# The bucket resource google_storage_bucket.bucket is not shown in this guide
# and must be defined elsewhere in the configuration.
resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = google_storage_bucket.bucket.name
  policy_data = data.google_iam_policy.admin.policy_data
}
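The bucket referenced above, plus a non-authoritative alternative to the policy resource, added as an example (not code from the guide). The bucket name, the resource name viewer and the expiry date are assumptions.

```hcl
# Added example: the bucket the guide's policy resource references.
# uniform_bucket_level_access disables per-object ACLs, so the IAM policy is
# the only access path; public_access_prevention rejects allUsers /
# allAuthenticatedUsers grants. Bucket name is an assumption.
resource "google_storage_bucket" "bucket" {
  name                        = "${var.project_id}-app-data"
  location                    = var.region
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

# Added example: google_storage_bucket_iam_member adds one binding and leaves
# the rest of the bucket policy untouched, unlike google_storage_bucket_iam_policy
# which overwrites it. Manage a given bucket with one style, not both.
resource "google_storage_bucket_iam_member" "viewer" {
  bucket = google_storage_bucket.bucket.name
  role   = "roles/storage.objectViewer"
  member = "user:jane@example.com"

  # IAM condition: the grant stops working at the given time without anyone
  # having to remember to revoke it. Requires uniform bucket-level access.
  condition {
    title       = "expires-2025-12-31"
    description = "Temporary read access"
    expression  = "request.time < timestamp(\"2025-12-31T00:00:00Z\")"
  }
}
```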

Organization Policy Configuration

# Boolean organization policy constraint applied at project level. The name
# is the constraint id (without the "constraints/" prefix) under the project's
# policies collection; enforce is a string, not a bool, in this resource.
resource "google_org_policy_policy" "primary" {
  name   = "projects/${var.project_id}/policies/compute.disableSerialPortAccess"
  parent = "projects/${var.project_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
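Extending the pattern above to several boolean constraints at once and to a list constraint, as an added example that is not part of the guide. The constraint ids are taken from the Google Cloud constraint catalogue; confirm each one is available to your organization before applying. "C0xxxxxxx" is a placeholder customer id.

```hcl
# Added example: boolean constraints beyond the guide's
# compute.disableSerialPortAccess, all enforced with one for_each.
locals {
  boolean_constraints = [
    "compute.requireShieldedVm",
    "iam.automaticIamGrantsForDefaultServiceAccounts",
    "storage.uniformBucketLevelAccess",
  ]
}

resource "google_org_policy_policy" "boolean" {
  for_each = toset(local.boolean_constraints)

  name   = "projects/${var.project_id}/policies/${each.value}"
  parent = "projects/${var.project_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Added example: a list constraint. Only principals belonging to the listed
# Cloud Identity / Workspace customer ids may be added to IAM policies.
# Caveat: once enforced, grants such as user:jane@example.com fail unless
# example.com's customer id is in allowed_values.
resource "google_org_policy_policy" "allowed_domains" {
  name   = "projects/${var.project_id}/policies/iam.allowedPolicyMemberDomains"
  parent = "projects/${var.project_id}"

  spec {
    rules {
      values {
        allowed_values = ["C0xxxxxxx"] # placeholder customer id
      }
    }
  }
}
```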

Security Policy Configuration

# Cloud Armor policy. Rules are evaluated lowest priority number first; the
# rule at priority 2147483647 is the mandatory default that catches everything
# else.
resource "google_compute_security_policy" "policy" {
  name = "my-security-policy"

  rule {
    action   = "deny(403)"
    priority = 1000
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["9.9.9.0/24"]
      }
    }
    description = "Deny access to specific IPs"
  }

  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "Default rule"
  }
}
```
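Two further rule blocks for the policy above, added as an example (not the guide's code): a preconfigured WAF rule run in preview mode so matches are logged but not blocked until it has been tuned, and a per-source-IP rate limit. They are meant to be inserted inside the guide's google_compute_security_policy resource, before the default allow rule; the priorities and thresholds are assumptions.

```hcl
  # Added example: Cloud Armor preconfigured SQL-injection signature set.
  # preview = true means matching requests are only logged, not denied, so
  # false positives can be reviewed in the load balancer logs before the rule
  # is switched to enforcing by removing the preview flag.
  rule {
    action      = "deny(403)"
    priority    = 900
    preview     = true
    description = "SQLi detection, log-only until tuned"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('sqli-stable')"
      }
    }
  }

  # Added example: per-client rate limit. Clients under 100 requests per
  # 60 seconds are allowed; requests beyond that are answered with 429.
  # Thresholds are assumptions and should be set from observed traffic.
  rule {
    action      = "throttle"
    priority    = 950
    description = "Rate limit per source IP"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
  }
```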

Outputs

output "service_account_email" {
  value       = google_service_account.service_account.email
  description = "The email address of the service account"
}

output "custom_role_id" {
  value       = google_project_iam_custom_role.custom_role.role_id
  description = "The ID of the custom role"
}

Best Practices

  1. IAM Management:
     • Follow least privilege
     • Use service accounts
     • Regular access review
     • Document permissions
  2. Security:
     • Enable audit logging
     • Use organization policies
     • Implement security policies
     • Regular monitoring
  3. Compliance:
     • Follow regulations
     • Document policies
     • Regular audits
     • Monitor changes
  4. Access Control:
     • Use groups
     • Implement role hierarchy
     • Regular rotation
     • Monitor access

Common Operations

Creating Resources

terraform init
terraform plan
terraform apply

Managing Service Accounts

# Create key file. This assumes an output named service_account_key that
# exposes google_service_account_key.key.private_key; that attribute is
# base64-encoded JSON, so it must be decoded before gcloud can read it.
terraform output -raw service_account_key | base64 --decode > key.json

# Activate service account (key.json is a long-lived credential; keep its
# file permissions restricted and delete it when no longer needed)
gcloud auth activate-service-account --key-file=key.json

Best Practices and Tips

  1. IAM Structure:
     • Use groups
     • Implement hierarchy
     • Regular review
     • Document changes
  2. Security:
     • Regular audits
     • Monitor access
     • Update policies
     • Track changes
  3. Operations:
     • Monitor usage
     • Track changes
     • Set up alerts
     • Regular maintenance

Conclusion

You’ve learned how to set up and manage Google Cloud IAM and Security using Terraform. This setup provides:

  • Secure access control
  • Compliance management
  • Best practices implementation
  • Easy security management