Complete the code to define a service account with a descriptive name.
resource "google_service_account" "terraform_sa" {
  account_id   = "[1]"
  display_name = "Terraform Service Account"
}
The account_id should be a clear identifier like terraform-sa to represent the Terraform service account. It becomes the local part of the account's email (terraform-sa@PROJECT_ID.iam.gserviceaccount.com), so it must be 6 to 30 characters of lowercase letters, digits and hyphens, starting with a letter, and it cannot be changed later without replacing the account, so choose it up front.
Complete the code to assign the minimal IAM role for Terraform to manage Compute Engine instances.
resource "google_project_iam_member" "terraform_compute_role" {
  project = var.project_id
  role    = "[1]"
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
}
The role roles/compute.instanceAdmin.v1 lets Terraform create, modify and delete Compute Engine instances (and the disks, images and snapshots those operations touch) without the project-wide reach of roles/compute.admin or roles/editor, which is the least privilege for instance management among the predefined roles. Two caveats matter in practice: if the instances run as a service account, Terraform must also hold iam.serviceAccounts.actAs (roles/iam.serviceAccountUser) on that account, which this role does not include; and google_project_iam_member is non-authoritative, adding one member to one role, which is what you want here, because google_project_iam_binding and google_project_iam_policy overwrite every other member of the role or the whole project policy.
Fix the error in the IAM binding by completing the role with the correct least privilege for Terraform to manage Cloud Storage buckets.
resource "google_project_iam_member" "terraform_storage_role" {
  project = var.project_id
  role    = "[1]"
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
}
The roles/storage.objectAdmin role allows Terraform to create, read, update and delete objects in Cloud Storage buckets, which is the least privilege needed for managing bucket contents. It does not include storage.buckets.create, storage.buckets.update or storage.buckets.delete, so it is not enough if Terraform owns the buckets themselves through google_storage_bucket; for that, grant the bucket-level permissions through a custom role rather than roles/storage.admin, which also hands over every object in the project. Bound at the project level, as here, the role applies to every bucket in the project; where Terraform manages a known set of buckets, google_storage_bucket_iam_member scopes the same role to just those buckets.
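As an added example that is not part of the original exercise, the following scopes the object grant to named buckets and adds a custom role for the buckets themselves, so neither grant reaches beyond what Terraform manages. It assumes the google_service_account.terraform_sa and var.project_id defined in the exercises above; the bucket names are hypothetical.

```hcl
# Added example, not from the original exercise. Assumes var.project_id and
# google_service_account.terraform_sa from the exercises above.

variable "terraform_managed_buckets" {
  description = "Buckets whose contents Terraform may manage (hypothetical names)"
  type        = set(string)
  default     = ["example-app-assets", "example-app-logs"]
}

# Object-level least privilege, granted per bucket instead of project-wide.
resource "google_storage_bucket_iam_member" "terraform_object_admin" {
  for_each = var.terraform_managed_buckets
  bucket   = each.key
  role     = "roles/storage.objectAdmin"
  member   = "serviceAccount:${google_service_account.terraform_sa.email}"
}

# roles/storage.objectAdmin cannot create, update or delete buckets. If
# Terraform owns google_storage_bucket resources, grant only the bucket
# lifecycle permissions rather than roles/storage.admin, which also includes
# every object in the project.
resource "google_project_iam_custom_role" "terraform_bucket_role" {
  project     = var.project_id
  role_id     = "terraformBucketRole"
  title       = "Terraform Bucket Role"
  description = "Create, read, update and delete buckets without object access"
  permissions = [
    "storage.buckets.create",
    "storage.buckets.get",    # plan/refresh read the bucket back
    "storage.buckets.update", # lifecycle, versioning, labels changes
    "storage.buckets.delete",
    "storage.buckets.list",
    # Add storage.buckets.getIamPolicy / setIamPolicy only if Terraform also
    # manages the buckets' IAM policies.
  ]
}

resource "google_project_iam_member" "terraform_bucket_role" {
  project = var.project_id
  role    = google_project_iam_custom_role.terraform_bucket_role.id
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
}
```

Bucket lifecycle permissions have to be bound at the project level because the bucket does not exist yet when it is created; the object permissions can follow the bucket, which is why the two grants are split.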
Fill both blanks to create a custom IAM role with minimal permissions for Terraform to manage Compute Engine instances.
resource "google_project_iam_custom_role" "terraform_custom_role" {
  project     = var.project_id
  role_id     = "terraformComputeRole"
  title       = "Terraform Compute Role"
  description = "Custom role with least privilege for Terraform Compute management"
  permissions = [
    "[1]",
    "[2]",
  ]
}
The permissions compute.instances.create and compute.instances.delete allow Terraform to create and destroy instances, which is the core of instance management at the tightest possible scope. A custom role containing only these two will not get through a real run, though: terraform plan and refresh read the instance back with compute.instances.get, creating an instance with a boot disk needs compute.disks.create, attaching it to a VPC needs compute.subnetworks.use, and the apply polls the long-running operation with compute.zoneOperations.get. Build the permission list from what Terraform actually calls, confirmed by the permission-denied errors of a test apply, rather than falling back to roles/compute.admin.
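As an added example that is not part of the original exercise, here is a compute custom role that a google_compute_instance plan, apply and destroy cycle can complete with, together with the actAs grant needed when the instance runs as a service account. It assumes google_service_account.terraform_sa and var.project_id from the exercises above; google_service_account.vm_runtime_sa is a hypothetical runtime identity introduced here.

```hcl
# Added example, not from the original exercise. Assumes var.project_id and
# google_service_account.terraform_sa from the exercises above.

# Permission set assembled from what a google_compute_instance lifecycle calls.
# Creating an instance also creates its boot disk and attaches a NIC, so disk
# and subnetwork permissions are part of "managing instances".
resource "google_project_iam_custom_role" "terraform_compute_role" {
  project     = var.project_id
  role_id     = "terraformComputeRole"
  title       = "Terraform Compute Role"
  description = "Least privilege for Terraform-managed Compute Engine instances"
  permissions = [
    "compute.instances.create",
    "compute.instances.delete",
    "compute.instances.get",               # plan/refresh read the instance back
    "compute.instances.list",
    "compute.instances.update",            # in-place updates of instance properties
    "compute.instances.setMetadata",
    "compute.instances.setLabels",
    "compute.instances.setTags",
    "compute.instances.setServiceAccount", # only if instances run as a service account
    "compute.instances.start",
    "compute.instances.stop",
    "compute.disks.create",                # boot disk created with the instance
    "compute.disks.get",
    "compute.subnetworks.use",             # attach the NIC to a VPC subnetwork
    "compute.zones.get",
    "compute.zoneOperations.get",          # poll the long-running create/delete operation
  ]
}

resource "google_project_iam_member" "terraform_compute_custom" {
  project = var.project_id
  role    = google_project_iam_custom_role.terraform_compute_role.id
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"
}

# Hypothetical identity the VMs run as. IAM refuses to create an instance with
# this service_account unless the caller may act as it, and
# compute.instances.setServiceAccount alone does not grant that.
resource "google_service_account" "vm_runtime_sa" {
  account_id   = "vm-runtime-sa"
  display_name = "Runtime identity for Terraform-managed instances (hypothetical)"
}

# Scope actAs to the one runtime account instead of roles/iam.serviceAccountUser
# at project level, which would let Terraform impersonate every service account.
resource "google_service_account_iam_member" "terraform_acts_as_vm_runtime" {
  service_account_id = google_service_account.vm_runtime_sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.terraform_sa.email}"
}
```

Drop compute.instances.setServiceAccount and the actAs binding if the instances run without a service account; every permission left in the list should correspond to an API call Terraform makes for the resources it owns.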
Fill all three blanks to define a minimal IAM policy binding for Terraform service account to manage networking resources.
resource "google_project_iam_member" "terraform_network_role" {
  project = var.project_id
  role    = "[1]"
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"

  condition {
    title       = "Limit to VPC networks"
    description = "Restrict permissions to VPC network management"
    expression  = "resource.name.startsWith('//compute.googleapis.com/projects/${var.project_id}/global/networks/') && resource.type == '[2]' && request.time < timestamp('[3]')"
  }
}
The role roles/compute.networkAdmin grants Terraform the ability to manage networks. The condition restricts the binding to resources of type compute.googleapis.com/Network, the resource.type value IAM supplies for VPC networks, and makes the grant expire at 2025-01-01T00:00:00Z, enforcing least privilege and time-bound access. Two details decide whether the condition works at all: the resource.name IAM evaluates is the full name, //compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK, so a prefix that omits the //compute.googleapis.com/ part never matches and the binding silently grants nothing; and an expiry instant in the past leaves the binding in the policy while granting nothing, so set a future instant when you apply it. Because only Network resources pass the type check, this binding will not let Terraform create subnetworks, routes or firewall rules even though the role contains those permissions; admit those types too if Terraform owns them.
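As an added example that is not part of the original exercise, and going one step beyond it, the following renders the same time-bound binding with the attribute values IAM supplies for Compute Engine resources, admits subnetworks as well as networks (both are usually Terraform-managed together), and keeps the expiry in a validated variable so it is reviewed rather than buried in a CEL string. It assumes google_service_account.terraform_sa and var.project_id from the exercises above; the expiry default is a placeholder.

```hcl
# Added example, not from the original exercise. Assumes var.project_id and
# google_service_account.terraform_sa from the exercises above.

variable "terraform_network_access_expires" {
  description = "RFC 3339 instant after which the network grant stops applying"
  type        = string
  default     = "2025-01-01T00:00:00Z" # placeholder: set a future instant before applying

  validation {
    condition     = can(formatdate("YYYY-MM-DD", var.terraform_network_access_expires))
    error_message = "Must be an RFC 3339 timestamp, e.g. 2026-01-01T00:00:00Z."
  }
}

locals {
  # Full resource names IAM evaluates for Compute Engine start with the service:
  #   //compute.googleapis.com/projects/P/global/networks/N
  #   //compute.googleapis.com/projects/P/regions/R/subnetworks/S
  compute_name_prefix = "//compute.googleapis.com/projects/${var.project_id}/"

  # Resource types Terraform needs from roles/compute.networkAdmin here.
  # Add Firewall or Route only if Terraform owns those resources too.
  network_resource_types = [
    "compute.googleapis.com/Network",
    "compute.googleapis.com/Subnetwork",
  ]

  # Rendered CEL: type allow-list, project-scoped name prefix, expiry.
  network_condition = join(" && ", [
    "resource.type in [${join(", ", formatlist("'%s'", local.network_resource_types))}]",
    "resource.name.startsWith('${local.compute_name_prefix}')",
    "request.time < timestamp('${var.terraform_network_access_expires}')",
  ])
}

resource "google_project_iam_member" "terraform_network_role" {
  project = var.project_id
  role    = "roles/compute.networkAdmin"
  member  = "serviceAccount:${google_service_account.terraform_sa.email}"

  condition {
    # Title and expression identify the binding; changing either replaces it
    # rather than updating it in place, which is visible in the plan.
    title       = "Terraform VPC and subnetwork management, time-bound"
    description = "Network and Subnetwork resources in this project only, until ${var.terraform_network_access_expires}"
    expression  = local.network_condition
  }
}

output "terraform_network_condition" {
  description = "Rendered CEL expression, for review before apply"
  value       = local.network_condition
}
```

Review the rendered expression in the plan output before applying: a typo in the prefix or type name does not produce an error, it produces a binding that never grants anything, which looks like least privilege until the first apply fails.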