google_folder_access_approval_settings

Access Approval enables you to require your explicit approval whenever Google support and engineering need to access your customer content.

To get more information about FolderSettings, see:

Example Usage - Folder Access Approval Full

resource "google_folder" "my_folder" {
  display_name = "my-folder"
  parent       = "organizations/123456789"
}

resource "google_folder_access_approval_settings" "folder_access_approval" {
  folder_id           = google_folder.my_folder.folder_id
  notification_emails = ["testuser@example.com", "example.user@example.com"]

  enrolled_services {
    cloud_product = "all"
  }
}

Example Usage - Folder Access Approval Active Key Version

resource "google_folder" "my_folder" {
  display_name = "my-folder"
  parent       = "organizations/123456789"
}

resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "your-project-id"
  folder_id  = google_folder.my_folder.name
}

resource "google_kms_key_ring" "key_ring" {
  name     = "key-ring"
  location = "global"
  project  = google_project.my_project.project_id
}

resource "google_kms_crypto_key" "crypto_key" {
  name     = "crypto-key"
  key_ring = google_kms_key_ring.key_ring.id
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm = "EC_SIGN_P384_SHA384"
  }
}

data "google_access_approval_folder_service_account" "service_account" {
  folder_id = google_folder.my_folder.folder_id
}

resource "google_kms_crypto_key_iam_member" "iam" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.signerVerifier"
  member        = "serviceAccount:${data.google_access_approval_folder_service_account.service_account.account_email}"
}

data "google_kms_crypto_key_version" "crypto_key_version" {
  crypto_key = google_kms_crypto_key.crypto_key.id
}

resource "google_folder_access_approval_settings" "folder_access_approval" {
  folder_id          = google_folder.my_folder.folder_id
  active_key_version = data.google_kms_crypto_key_version.crypto_key_version.name

  enrolled_services {
    cloud_product = "all"
  }

  depends_on = [google_kms_crypto_key_iam_member.iam]
}

Argument Reference

The following arguments are supported:

The enrolled_services block supports:


Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

FolderSettings can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import FolderSettings using one of the formats above. For example:

import {
  id = "folders/{{folder_id}}/accessApprovalSettings"
  to = google_folder_access_approval_settings.default
}

When using the terraform import command, FolderSettings can be imported using one of the formats above. For example:

$ terraform import google_folder_access_approval_settings.default folders/{{folder_id}}/accessApprovalSettings
$ terraform import google_folder_access_approval_settings.default {{folder_id}}