
AckeeCZ/terraform-gcp-iap


Ackee Identity-Aware proxy provisioning Terraform module

Indestructible google_iap_brand

Once created, a google_iap_brand cannot be destroyed. terraform destroy reports success for this resource, but the brand still exists in the GCP project, so when you try to recreate it you must run terraform import instead of letting terraform apply create a new one. You can get the ID of the existing IAP brand in the project with the projects.brands.list REST method: https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands/list

This is also the reason we set disable_on_destroy = false on the IAP API resource (google_project_service.iap). If the API were disabled during destroy, you would first have to run a terraform apply that fails partway (or re-enable the API manually) before terraform import could succeed.
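The recovery path described above, as an added example that is not part of this module: a small POSIX shell script that takes the JSON returned by projects.brands.list (or, equivalently, gcloud iap oauth-brands list --format=json) and prints the terraform import command for the module's google_iap_brand.project_brand resource. The module address module.iap matches the Usage block below; the project number and brand ID in the sample response are constructed, not real.

```shell
#!/usr/bin/env sh
# Added example, not code from AckeeCZ/terraform-gcp-iap.
# Derive the `terraform import` command for an IAP brand that survived
# `terraform destroy`, from the projects.brands.list JSON response.
# Requires the IAP API to still be enabled (hence disable_on_destroy = false).

# Constructed sample response; project number and brand ID are made up.
# In real use substitute the output of the REST call or of
# `gcloud iap oauth-brands list --format=json`.
SAMPLE_BRANDS='{"brands":[{"name":"projects/123456789012/brands/123456789012","supportEmail":"admin@example.com","applicationTitle":"example"}]}'

# brand_names: print every "name" field of the list response, one per line.
# The name is already the full resource ID that google_iap_brand imports:
# projects/{project_number}/brands/{brand_id}
brand_names() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*"name": *"\([^"]*\)".*/\1/p'
}

# import_command: build the import invocation for the project's brand
# (there is at most one brand per project). Fails when the response is
# empty, in which case a plain terraform apply can create the brand.
import_command() {
  name=$(brand_names "$1" | head -n 1)
  [ -n "$name" ] || { echo "no IAP brand found; terraform apply can create one" >&2; return 1; }
  # Resource address as instantiated by the Usage block: module "iap".
  printf 'terraform import module.iap.google_iap_brand.project_brand %s\n' "$name"
}

import_command "$SAMPLE_BRANDS"
```

Run the printed command from the root module directory, then terraform plan should show no diff for the brand; if the plan still wants to create a brand, check that iap_brand_name and support_email match the existing brand's applicationTitle and supportEmail, because those fields cannot be changed in place.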

Usage

module "iap" {
  source         = "git@gitlab.ack.ee:Infra/tf-module/iap.git?ref=v3.0.0"
  project        = var.project
  region         = var.region
  location       = var.zone
  iap_brand_name = var.project
  support_email  = "martin.beranek@ackee.cz"
  source_project = "flash-news-iap-development"
  allowed_users = [
    "domain:ackee.cz",
    "user:ackeedevice@gmail.com",
  ]
  iap_clients = [
    "iap-web-development",
  ]
}

Before you do anything in this module

Install the pre-commit hooks by running the following commands:

brew install pre-commit terraform-docs
pre-commit install

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |

Providers

| Name | Version |
|------|---------|
| google | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_iap_brand.project_brand | resource |
| google_iap_client.iap_clients | resource |
| google_iap_web_iam_policy.iam_allowed_users | resource |
| google_project_service.iap | resource |
| google_iam_policy.iam_allowed_users | data source |
| google_project.source_project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_users | Principals allowed to access IAP-protected content, e.g. "domain:example.com" or "user:someone@example.com". Applied through google_iap_web_iam_policy, which is authoritative: any IAP web bindings granted outside Terraform are removed. | list(string) | [] | no |
| iap_brand_name | Name used on the OAuth consent screen; shown to users when logging in | string | n/a | yes |
| iap_clients | List of IAP client names to create | list(string) | [] | no |
| location | Default GCP zone | string | "europe-west3-c" | no |
| project | GCP project ID | string | n/a | yes |
| region | GCP region | string | "europe-west3" | no |
| source_project | If your GCP project already has an IAP brand set up elsewhere, create a new project and set its ID here; the module reads it through the google_project data source | string | null | no |
| support_email | Support email shown on the OAuth consent screen; must be your personal email or a Google Group you are an Owner of | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| iap_clients | n/a |