google_project_access_approval_settings

Access Approval enables you to require your explicit approval whenever Google support and engineering need to access your customer content.

To get more information about ProjectSettings, see:

Example Usage - Project Access Approval Full

resource "google_project_access_approval_settings" "project_access_approval" {
  project_id          = "my-project-name"
  notification_emails = ["testuser@example.com", "example.user@example.com"]

  enrolled_services {
    cloud_product    = "all"
    enrollment_level = "BLOCK_ALL"
  }
}

Example Usage - Project Access Approval Active Key Version

resource "google_kms_key_ring" "key_ring" {
  name     = "key-ring"
  location = "global"
  project  = "my-project-name"
}

resource "google_kms_crypto_key" "crypto_key" {
  name     = "crypto-key"
  key_ring = google_kms_key_ring.key_ring.id
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm = "EC_SIGN_P384_SHA384"
  }
}

data "google_access_approval_project_service_account" "service_account" {
  project_id = "my-project-name"
}

resource "google_kms_crypto_key_iam_member" "iam" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.signerVerifier"
  member        = "serviceAccount:${data.google_access_approval_project_service_account.service_account.account_email}"
}

data "google_kms_crypto_key_version" "crypto_key_version" {
  crypto_key = google_kms_crypto_key.crypto_key.id
}

resource "google_project_access_approval_settings" "project_access_approval" {
  project_id         = "my-project-name"
  active_key_version = data.google_kms_crypto_key_version.crypto_key_version.name

  enrolled_services {
    cloud_product = "all"
  }

  depends_on = [google_kms_crypto_key_iam_member.iam]
}

Argument Reference

The following arguments are supported:

The enrolled_services block supports:


Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

ProjectSettings can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import ProjectSettings using one of the formats above. For example:

import {
  id = "projects/{{project_id}}/accessApprovalSettings"
  to = google_project_access_approval_settings.default
}

When using the terraform import command, ProjectSettings can be imported using one of the formats above. For example:

$ terraform import google_project_access_approval_settings.default projects/{{project_id}}/accessApprovalSettings
$ terraform import google_project_access_approval_settings.default {{project_id}}