
Least privilege for Terraform service accounts - Mini Project: Build & Apply

📖 Scenario: You are setting up a Terraform service account in a cloud environment. To keep your cloud secure, you want to give this service account only the permissions it absolutely needs. This is called the principle of least privilege. Imagine you have a janitor who only needs keys to the rooms they clean, not the whole building. Similarly, your Terraform service account should only have access to the resources it manages.
🎯 Goal: Build a Terraform configuration that creates a service account with the minimum required permissions to manage compute instances. You will define the service account, assign a role with limited permissions, and output the service account email.
📋 What You'll Learn
Create a Terraform resource for a service account named terraform_sa with the account ID terraform-service-account.
Create a Terraform resource to bind the role roles/compute.instanceAdmin.v1 to the service account.
Output the service account email as service_account_email.
💡 Why This Matters
🌍 Real World
Cloud engineers often create service accounts with minimal permissions to automate infrastructure deployment securely.
💼 Career
Understanding how to assign least privilege roles to service accounts is essential for cloud security and compliance roles.
Step 1: Create the Terraform service account resource
Write a Terraform resource block named terraform_sa of type google_service_account. Set the account_id to terraform-service-account and the display_name to Terraform Service Account.
Hint: Use the google_service_account resource type and set the account_id and display_name exactly as specified.

Step 2: Create the IAM binding for the service account
Add a Terraform resource named terraform_sa_binding of type google_project_iam_member. Set the role to roles/compute.instanceAdmin.v1. Set the member to the service account email using "serviceAccount:${google_service_account.terraform_sa.email}". Use a project ID variable var.project_id for the project attribute.
Hint: Use the google_project_iam_member resource to assign the role to the service account. Reference the service account email with interpolation.

Step 3: Declare the project ID variable
Declare a Terraform variable named project_id of type string with no default value. This variable will hold the Google Cloud project ID.
Hint: Use the variable block to declare project_id as a string without a default.

Step 4: Output the service account email
Add a Terraform output named service_account_email that outputs the email of the terraform_sa service account using google_service_account.terraform_sa.email.
Hint: Use the output block to expose the service account email.
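The four steps above assembled into one configuration that can be applied end to end, as an added example rather than the course's own solution. It assumes the hashicorp/google provider; the provider block, the format validation on project_id and the comment on why google_project_iam_member is used instead of google_project_iam_binding are additions beyond what the steps require.

```hcl
# Added example (not the course's solution): steps 1-4 in one file.
# Assumes the hashicorp/google provider and a caller allowed to create
# service accounts and edit project-level IAM in var.project_id.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = var.project_id
}

# Step 3: the project ID is supplied by the caller. No default, so a
# stray `terraform apply` cannot silently target the wrong project.
variable "project_id" {
  description = "Google Cloud project that owns the service account"
  type        = string

  # Project IDs are 6-30 chars: lowercase letters, digits, hyphens,
  # starting with a letter and not ending with a hyphen.
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project_id))
    error_message = "project_id must be a valid Google Cloud project ID."
  }
}

# Step 1: the identity Terraform will run as.
resource "google_service_account" "terraform_sa" {
  account_id   = "terraform-service-account"
  display_name = "Terraform Service Account"
}

# Step 2: one predefined role, granted only within this project.
# google_project_iam_member is additive: it adds this single member to
# the role and leaves other members of the project IAM policy untouched
# (google_project_iam_binding would be authoritative for the whole role).
resource "google_project_iam_member" "terraform_sa_binding" {
  project = var.project_id
  role    = "roles/compute.instanceAdmin.v1"
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
}

# Step 4: expose the email so a CI pipeline can reference it.
output "service_account_email" {
  value = google_service_account.terraform_sa.email
}
```

Run `terraform plan -var project_id=<your-project>` and confirm the plan shows exactly one service account and one IAM member; anything beyond that means the configuration grants more than the task intends.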