This page is a companion to the main page about creating environments. It demonstrates how to set up a Cloud Composer environment and a user-managed service account for this environment in an existing Google Cloud project with Terraform. You can use this page as a starting point, then add more configuration parameters for your environment as needed.
About Terraform modules for Cloud Composer
Google maintains the Terraform provider for Google Cloud, which includes the google_composer_environment resource. This is the officially supported module for Terraform.
There are other Terraform modules maintained by the open source community. To resolve problems with such modules, you can create issues in their repositories on GitHub. One example of an open source project maintained on GitHub is the terraform-google-composer module, which is a part of Terraform blueprints and modules for Google Cloud. While Google contributes to this project, the module is not maintained by Google and is not related to the Terraform provider for Google Cloud.
Before you begin
- This guide assumes that you have a Google Cloud project with configured billing:
  - You can use an existing project.
  - You can create a new project using Google Cloud console, Google Cloud CLI, API, or a Python client library.
  - You can create and manage your project using Terraform. For more information, see Terraform documentation for the google_project resource.
 
Authenticate with Google Cloud
To authenticate with Google Cloud, run:
gcloud auth application-default login
For more information about this command, see
gcloud auth application-default.
Configure the Google provider in Terraform
Specify your existing project ID and a default region for resources. Your Cloud Composer environment uses this region.
The google-beta provider supports Cloud Composer features
that are in Preview. If you want to use only GA features of
Cloud Composer, use the google provider instead of google-beta.
provider "google-beta" {
  project = "example-project"
  region  = "us-central1"
}
Enable the Cloud Composer API
Enable the Cloud Composer API in your project:
resource "google_project_service" "composer_api" {
  provider = google-beta
  project = "example-project"
  service = "composer.googleapis.com"
  // Disabling Cloud Composer API might irreversibly break all other
  // environments in your project.
  // This parameter prevents automatic disabling
  // of the API when the resource is destroyed.
  // We recommend disabling the API only after all environments are deleted.
  disable_on_destroy = false
  // This flag was introduced in version 5.39.0 of the Terraform provider for
  // Google Cloud. If set to true, it prevents you from disabling composer_api
  // through Terraform if any environment existed in the last 30 days.
  check_if_service_has_usage_on_destroy = true
}
Create an environment's service account in your project
This guide demonstrates how to create an environment's service account that has all required permissions to run a Cloud Composer environment.
We strongly recommend that you set up a user-managed service account for your Cloud Composer environments that has only the permissions required to run your environment and the operations in your DAGs, as described in this guide.
Although we recommend against using this approach, if you do not specify an environment's service account, then your Cloud Composer environment uses the default Compute Engine service account.
The service account of your environment might need additional permissions to access other resources in your project. For example, if your DAGs transfer data into BigQuery, this account might need permissions or roles specific to BigQuery.
Define a custom service account with the following roles and permissions:
resource "google_service_account" "custom_service_account" {
  provider = google-beta
  account_id   = "custom-service-account"
  display_name = "Example Custom Service Account"
}
resource "google_project_iam_member" "custom_service_account" {
  provider = google-beta
  project  = "example-project"
  member   = format("serviceAccount:%s", google_service_account.custom_service_account.email)
  // Role for Public IP environments
  role     = "roles/composer.worker"
}
Create an environment
Create your environment using Terraform.
The example demonstrates how to create an environment that uses a custom service account. You can add more parameters that define other configuration parameters of your environment, such as custom scale and performance parameters, or additional PyPI packages.
For more information about other parameters, see Create environments.
resource "google_composer_environment" "example_environment" {
  provider = google-beta
  name = "example-environment"
  config {
    software_config {
      image_version = "composer-3-airflow-2.10.5-build.16"
    }
    node_config {
      service_account = google_service_account.custom_service_account.email
    }
  }
}
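The recommendation above to avoid the default Compute Engine service account can be checked before `terraform apply`. The following Python check is an added example, not part of the original page or of Google's tooling: it reads the `configuration` section of `terraform show -json` output and flags environments whose `node_config.service_account` is missing or hard-coded to the default Compute Engine account. The sample plan, the `no_sa` and `default_sa` resources, and the function names are constructed for illustration, and the nested-block JSON layout is an assumption about the plan format.

```python
import json

# Constructed sample: the "configuration" part of `terraform show -json` output
# for three environments. The nested-block layout is an assumption.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"resources": [
  {"address": "google_composer_environment.example_environment",
   "type": "google_composer_environment",
   "expressions": {"config": [{"node_config": [{"service_account": {
     "references": ["google_service_account.custom_service_account.email",
                    "google_service_account.custom_service_account"]}}]}]}},
  {"address": "google_composer_environment.no_sa",
   "type": "google_composer_environment",
   "expressions": {"config": [{"software_config": [{}]}]}},
  {"address": "google_composer_environment.default_sa",
   "type": "google_composer_environment",
   "expressions": {"config": [{"node_config": [{"service_account": {
     "constant_value": "123456789012-compute@developer.gserviceaccount.com"}}]}]}}
]}}}
""")

DEFAULT_COMPUTE_SUFFIX = "-compute@developer.gserviceaccount.com"


def service_account_expr(resource):
    """Return the service_account expression of an environment, or None."""
    for config in resource.get("expressions", {}).get("config", []):
        for node_config in config.get("node_config", []):
            if "service_account" in node_config:
                return node_config["service_account"]
    return None


def check_environments(plan):
    """Map each environment address to a finding string, or "ok"."""
    findings = {}
    for res in plan["configuration"]["root_module"]["resources"]:
        if res["type"] != "google_composer_environment":
            continue
        expr = service_account_expr(res)
        if expr is None:
            findings[res["address"]] = "no service_account: default Compute Engine account is used"
        elif str(expr.get("constant_value", "")).endswith(DEFAULT_COMPUTE_SUFFIX):
            findings[res["address"]] = "service_account is the default Compute Engine account"
        else:
            findings[res["address"]] = "ok"
    return findings
```

The check inspects the configuration expressions rather than planned values because the email of a service account that has not been created yet is unknown at plan time.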
Full Terraform script
provider "google-beta" {
  project = "example-project"
  region  = "us-central1"
}
resource "google_project_service" "composer_api" {
  provider = google-beta
  project = "example-project"
  service = "composer.googleapis.com"
  // Disabling Cloud Composer API might irreversibly break all other
  // environments in your project.
  disable_on_destroy = false
  // This flag was introduced in version 5.39.0 of the Terraform provider for
  // Google Cloud. If set to true, it prevents you from disabling composer_api
  // through Terraform if any environment existed in the last 30 days.
  check_if_service_has_usage_on_destroy = true
}
resource "google_service_account" "custom_service_account" {
  provider = google-beta
  account_id   = "custom-service-account"
  display_name = "Example Custom Service Account"
}
resource "google_project_iam_member" "custom_service_account" {
  provider = google-beta
  project  = "example-project"
  member   = format("serviceAccount:%s", google_service_account.custom_service_account.email)
  // Role for Public IP environments
  role     = "roles/composer.worker"
}
resource "google_composer_environment" "example_environment" {
  provider = google-beta
  name = "example-environment"
  config {
    software_config {
      image_version = "composer-3-airflow-2.10.5-build.16"
    }
    node_config {
      service_account = google_service_account.custom_service_account.email
    }
  }
}
What's next
See other documentation pages for information about configuring your environment with Terraform. For example:
- Create environments
- Override Airflow configuration options
- Set environment variables
- Install Python dependencies
- Scale environments