0

I have created a Google Cloud Compute Engine managed instance group (MIG) in Terraform using the google_compute_instance_template and google_compute_instance_group_manager resources and would like to set up access via the identity aware proxy (IAP).

When creating a standalone Compute Engine instance, you can use one of the three google_iap_tunnel_instance_iam_* resources to attach the roles/iap.tunnelResourceAccessor role to the instances, for example:

resource "google_iap_tunnel_instance_iam_member" "member" {
  project = "my-project"

  zone     = "europe-west2-a"
  instance = "my-instance"
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:foo@bar.com"
}

However, with a MIG, we don't have Terraform references to the actual instances (and even if we did, they're dynamic anyway), so it seems we can't use the google_iap_tunnel_instance_iam_* resources.

I can't find a Terraform-native way of doing this, without granting roles/iap.tunnelResourceAccessor to the members at the project level. However, this is not always desirable, and sometimes instance level bindings are required.

Is this currently possible with MIGs?

Grzenio
  • 35,875
  • 47
  • 158
  • 240
Matt Dunn
  • 5,106
  • 6
  • 31
  • 55

1 Answers1

1

In situations like these, you can often use IAM conditions: The idea is to grant a role on the project level, but to constrain it to a subset of resources. Unfortunately, IAM conditions are currently not supported for IAP-TCP, so that approach won't work here.

Assuming you use OS Login, the following might be a viable workaround though:

  1. Grant roles/iap.tunnelResourceAccessor on the project (applying to all instances)
  2. Grant roles/compute.osLogin on the project, with a condition that constrains the role to instances that match your MIG's naming scheme: 
    resource.type == 'compute.googleapis.com/Instance' && 
resource.name.extract('/instances/{name}').startsWith('mymig-')
Johannes Passing
  • 2,715
  • 16
  • 13