Enabling Access Approval using Terraform
Terraform is an infrastructure-as-code tool that lets you manage your Access Approval settings as versioned configuration. The Google Cloud Terraform provider exposes the Access Approval settings resources at the organization, folder and project level, so you can declare which services are enrolled and which addresses are notified instead of configuring them by hand. Note that Terraform manages the settings only; approving or dismissing individual access requests is still done through the Google Cloud console, the gcloud CLI or the Access Approval API.
This page describes how you can enable Access Approval using Terraform. This tutorial uses the Google Cloud Terraform Provider.
Objective
This tutorial teaches how you can create a Terraform configuration file that:
- Sets email addresses for Access Approval request notifications.
- Enables Access Approval for all supported Google Cloud products. For the complete list of Google Cloud products supported by Access Approval, see Supported services.
Before you begin
- To use Access Approval and Access Transparency, your organization must meet specific support requirements. For more information, see Requirements for using Access Approval.
- Enable Access Transparency on your organization. For more information, see Enabling Access Transparency.
- Ensure that you have the Access Approval Config Editor (roles/accessapproval.configEditor) Identity and Access Management (IAM) role. For more information about IAM roles for Access Approval, see Access Approval roles.
Creating a Google Cloud project
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project. Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on. To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Enable the Access Approval API. To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission.
Installing Google Cloud CLI
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
When prompted, choose the project that you selected or created earlier.
If you already have Google Cloud CLI installed, update it using the following command:
gcloud components update
Creating a Terraform configuration file
- Open Cloud Shell to launch a standalone Cloud Shell session.
- Open a workspace.
- Create a new folder.
- Add a Terraform configuration file named main.tf to this folder.
- Copy the following resource, and paste it in your main.tf file.

    main.tf

    variable "parent_value" {
      type = string
    }

    variable "email_1" {
      type = string
    }

    variable "email_2" {
      type = string
    }

    # Folder that Access Approval is enabled on.
    resource "google_folder" "my_folder" {
      display_name = "my-folder"
      parent       = var.parent_value
      # parent = "organizations/123456789"
    }

    # Access Approval settings for that folder: who is notified, and
    # which products require approval. "all" enrolls every supported product.
    resource "google_folder_access_approval_settings" "folder_access_approval" {
      folder_id           = google_folder.my_folder.folder_id
      notification_emails = [var.email_1, var.email_2]
      enrolled_services {
        cloud_product = "all"
      }
    }

- Enter values for the following variables:
  - email_1 and email_2: the email addresses of the users who should be notified of access requests for resources in this folder. Notification emails only control who is told about a request; to approve or dismiss requests a user also needs the Access Approval Approver role (roles/accessapproval.approver).
  - parent_value: the resource name of the organization or folder under which my_folder is created, in the form organizations/ORGANIZATION_ID or folders/FOLDER_ID. For more information about folders, see Creating and managing folders.
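The configuration above enrolls every supported product on a newly created folder. As an added example that is not from the original page or from the Terraform provider documentation, the following configuration applies Access Approval to an existing folder for an explicit list of products, validates the variables before anything is applied, and exposes the number of enrolled services as an output. The folder ID, email addresses and default product list are placeholders; the cloud_product values are assumed to match the service names accepted by the Access Approval API, and BLOCK_ALL is assumed to be the enrollment level the provider supports.

```hcl
# Added example (not from the original page): Access Approval on an existing
# folder for an explicit set of products, with input validation.
# Placeholders: folder ID, notification addresses, default product list.

variable "folder_id" {
  type        = string
  description = "Numeric ID of an existing folder, for example \"123456789012\"."

  validation {
    condition     = can(regex("^[0-9]+$", var.folder_id))
    error_message = "folder_id must be the numeric folder ID, not folders/NNN."
  }
}

variable "notification_emails" {
  type        = list(string)
  description = "Addresses notified of each access request (placeholder values)."

  validation {
    condition = length(var.notification_emails) > 0 && alltrue([
      for e in var.notification_emails : can(regex("^[^@\\s]+@[^@\\s]+$", e))
    ])
    error_message = "Provide at least one syntactically valid email address."
  }
}

variable "enrolled_products" {
  type        = list(string)
  description = "cloud_product values to enroll; assumed to be valid API service names."
  default = [
    "compute.googleapis.com",
    "storage.googleapis.com",
    "cloudkms.googleapis.com",
  ]
}

# One enrolled_services block per product. Only the listed products require
# approval; products not listed here are not covered, unlike cloud_product = "all".
resource "google_folder_access_approval_settings" "explicit" {
  folder_id           = var.folder_id
  notification_emails = var.notification_emails

  dynamic "enrolled_services" {
    for_each = toset(var.enrolled_products)
    content {
      cloud_product    = enrolled_services.value
      enrollment_level = "BLOCK_ALL" # assumed to be the supported level
    }
  }
}

output "enrolled_services_count" {
  description = "Number of products enrolled on the folder."
  value       = length(google_folder_access_approval_settings.explicit.enrolled_services)
}
```

Run it with `terraform apply -var folder_id=123456789012 -var 'notification_emails=["security@example.com"]'` (placeholder values). The validation blocks fail the run before any API call is made if the folder ID or addresses are malformed, which is preferable to discovering the problem from a partially applied setting.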
Running the Terraform configuration file
Run the following commands in Cloud Shell.
- Initialize Terraform in the directory:

    terraform init

- Apply the Terraform configuration. Terraform first prints the plan of the changes it will make; review it before continuing:

    terraform apply

- When prompted to confirm that you want to apply the configuration, enter yes.

Because the settings are now declared in code, running terraform plan again later shows whether the enrolled services or notification emails have been changed outside Terraform; a non-empty plan for a setting you did not change is worth investigating.
For more information about operating Access Approval with Terraform, see this Terraform document: google_folder_access_approval_settings.
What's next
- Using Terraform with Google Cloud
- Using Terraform with Access Approval
- Getting started with Terraform on Google Cloud
- Kickstart Terraform on Google Cloud with Cloud Shell