Add a Google Cloud Service Account to a Cloud Identity Group

readme.md

Ensure that the service account you are executing Terraform with has the "manager" role for the Group. You need to do this via Cloud Identity (Workspace) Admin Console and not via the Google Cloud Console IAM. Alternatively use: POST https://cloudidentity.googleapis.com/v1/{parent=groups/*}/memberships as described in the Cloud Identity API documentation

Once the user has the access you can add run the group via: terraform apply -var=customer_id='ID_FROM_IDENTITY' -var=group_name='[email protected]' -var=project=project-01-1

The customer_id can be found https://admin.google.com/ -> Account -> Account Settings

This Terraform will add a service account and add it to the existing group.

main.tf

variable "project" {
  type = string
}

variable "group_name" {
  type = string
}

variable "customer_id" {
  type = string
}

provider "google" {
  project = var.project
  #
  # in case application default credentials are used (e.g. Cloud Shell)
  # uncomment the following two settings
  #
  #user_project_override = true
  #billing_project = var.project
}

resource "google_project_service" "services" {
  for_each = toset([
    "cloudidentity.googleapis.com",
  ])

  disable_on_destroy         = false
  disable_dependent_services = false

  project = var.project
  service = each.key
}

resource "google_service_account" "default" {
  account_id   = "owner-sa"
  display_name = "Owner Service Account"
}

data "google_cloud_identity_groups" "all" {
  parent = "customers/${var.customer_id}"
}

resource "google_cloud_identity_group_membership" "cloud_identity_group_membership_basic" {
  group = [ for each in data.google_cloud_identity_groups.all.groups : each.name if each.group_key[0].id == var.group_name ][0]

  preferred_member_key {
    id = google_service_account.default.email
  }

  roles {
      name = "MEMBER"
  }

  depends_on = [
    google_project_service.services
  ]
}