I have created a Google Cloud Compute Engine managed instance group (MIG) in Terraform using the `google_compute_instance_template` and `google_compute_instance_group_manager` resources and would like to set up access via the Identity-Aware Proxy (IAP).

When creating a standalone Compute Engine instance, you can use one of the three `google_iap_tunnel_instance_iam_*` resources to attach the `roles/iap.tunnelResourceAccessor` role to the instances, for example:
```hcl
resource "google_iap_tunnel_instance_iam_member" "member" {
  project  = "my-project"
  zone     = "europe-west2-a"
  instance = "my-instance"
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:[email protected]"
}
```
However, with a MIG, we don't have Terraform references to the actual instances (and even if we did, they're dynamic anyway), so it seems we can't use the `google_iap_tunnel_instance_iam_*` resources.

I can't find a Terraform-native way of doing this without granting `roles/iap.tunnelResourceAccessor` to the members at the project level. However, this is not always desirable, and sometimes instance-level bindings are required.

Is this currently possible with MIGs?
In situations like these, you can often use IAM conditions: The idea is to grant a role on the project level, but to constrain it to a subset of resources. Unfortunately, IAM conditions are currently not supported for IAP-TCP, so that approach won't work here.
Assuming you use OS Login, the following might be a viable workaround though:

- `roles/iap.tunnelResourceAccessor` on the project (applying to all instances)
- `roles/compute.osLogin` on the project, with a condition that constrains the role to instances that match your MIG's naming scheme:
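The two project-level bindings described in the answer, written out in Terraform as an added illustration (this is not code from the question or the answer). The project id, zone, base instance name `my-mig` and the member are assumed placeholders; it also assumes a zonal MIG, since the instance resource name embeds the zone.

```hcl
# Added example, not from the original post. Assumed placeholders:
# project "my-project", zonal MIG in "europe-west2-a" whose
# base_instance_name is "my-mig", member "user:alice@example.com".

locals {
  project = "my-project"
  member  = "user:alice@example.com"
  # MIG-created instances are named <base_instance_name>-<suffix>,
  # so the full resource name of every instance in the group starts with:
  mig_instance_prefix = "projects/my-project/zones/europe-west2-a/instances/my-mig-"
}

# 1. IAP TCP forwarding cannot be conditioned, so it is granted project-wide.
resource "google_project_iam_member" "iap_tunnel" {
  project = local.project
  role    = "roles/iap.tunnelResourceAccessor"
  member  = local.member
}

# 2. OS Login is the gate that is actually restricted to the MIG's instances.
#    The condition lets non-instance permissions in the role (e.g. project
#    metadata reads) through unchanged and only constrains instance-scoped
#    permissions such as compute.instances.osLogin to the MIG's name prefix.
resource "google_project_iam_member" "os_login_mig_only" {
  project = local.project
  role    = "roles/compute.osLogin"
  member  = local.member

  condition {
    title       = "os-login-my-mig-only"
    description = "Allow OS Login only on instances created by the my-mig MIG"
    expression  = <<-EOT
      resource.type != "compute.googleapis.com/Instance" ||
      resource.name.startsWith("${local.mig_instance_prefix}")
    EOT
  }
}
```

Note that the tunnel permission itself stays project-wide: the member can open an IAP tunnel to any instance, and it is the conditional OS Login binding that stops them from logging in anywhere outside the MIG, so audit the OS Login grant rather than the tunnel grant when reviewing who can reach which VMs.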