GCE: OS Login access permissions

GCE: OS Login access permissions

main.tf:

# Provider configuration. PROJECT_ID is a placeholder for the target project.
# No credentials are set here, so the provider relies on Application Default
# Credentials (the gist sets them up with `gcloud auth login --update-adc`).
provider "google" {
  project = "PROJECT_ID"
}

# Current project; its project_id is used to scope the project-level IAM
# bindings further down.
data "google_project" "project" {
}

# Test VM. OS Login is enabled through metadata, so SSH access is governed by
# the IAM roles granted below rather than by metadata-managed SSH keys.
resource "google_compute_instance" "test-ce" {
  name         = "test-ce"
  zone         = "europe-central2-a"
  machine_type = "e2-micro"

  boot_disk {
    initialize_params {
      image = "debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.test-ce.self_link
    # An empty access_config requests an ephemeral external IP, so tcp/22 is
    # reachable from the internet to the extent the firewall rule allows.
    access_config {
    }
  }

  # The VM runs as its own dedicated service account. "cloud-platform" is the
  # broad OAuth scope; effective permissions are bounded by the IAM roles that
  # account actually holds (none are granted to it in this file).
  service_account {
    email  = google_service_account.test-ce-instance.email
    scopes = ["cloud-platform"]
  }

  metadata = {
    enable-oslogin = true
  }
}

# Custom-mode VPC: subnets are created explicitly, so only the "test-ce"
# subnetwork defined below exists in this network.
resource "google_compute_network" "test-ce" {
  auto_create_subnetworks = false
  name                    = "test-ce"
}

# Single regional subnet hosting the test VM.
resource "google_compute_subnetwork" "test-ce" {
  name          = "test-ce"
  region        = "europe-central2"
  network       = google_compute_network.test-ce.self_link
  ip_cidr_range = "10.0.0.0/20"
}

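# Ingress rule allowing SSH to the test VM. A GCE firewall rule with no target
# applies to every instance in the network, so this one is pinned to the VM's
# service account. SOURCE_IP is the operator's address in CIDR form
# (e.g. 203.0.113.7/32, a documentation-range example); swap in the IAP range
# when tunnelling through IAP instead of connecting directly.
resource "google_compute_firewall" "test-ce-ssh" {
  name      = "test-ce-ssh"
  network   = google_compute_network.test-ce.self_link
  direction = "INGRESS"

  source_ranges = ["SOURCE_IP"]
  # source_ranges = ["35.235.240.0/20"]  # IAP

  # Restrict the rule to the test VM instead of the whole network.
  target_service_accounts = [google_service_account.test-ce-instance.email]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}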

# Lets EMAIL mint access tokens for the "test-ce" service account, i.e.
# impersonate it (this is what --impersonate-service-account in the gcloud
# commands relies on). Whoever holds this binding inherits the SSH/sudo
# access granted to that account, so keep the member list tight.
resource "google_service_account_iam_member" "test-ce-token-creator" {
  member             = "user:EMAIL"
  role               = "roles/iam.serviceAccountTokenCreator"
  service_account_id = google_service_account.test-ce.id
}

# Identity the VM itself runs as (attached in the instance's service_account
# block). Kept separate from the login identity so the two can be scoped
# independently.
resource "google_service_account" "test-ce-instance" {
  account_id = "test-ce-instance"
}

# Identity that is granted OS Login. Users reach the VM by impersonating this
# account rather than being granted OS Login roles on their own principal.
resource "google_service_account" "test-ce" {
  account_id = "test-ce"
}

# resource "google_project_iam_member" "test-ce-login" {
#   project = data.google_project.project.project_id
#   role = "roles/compute.osLogin"
#   member = "serviceAccount:${google_service_account.test-ce.email}"
# }

# Project-wide OS Login with sudo for the "test-ce" service account. Being a
# project-level binding it covers every OS Login-enabled VM in the project,
# not just test-ce. The commented osLogin variant above gives a non-admin
# (no sudo) login instead. NOTE(review): the OS Login roles can reportedly
# also be bound on the instance itself (google_compute_instance_iam_member)
# when a narrower scope is wanted — confirm against the provider docs.
resource "google_project_iam_member" "test-ce-login" {
  member  = "serviceAccount:${google_service_account.test-ce.email}"
  role    = "roles/compute.osAdminLogin"
  project = data.google_project.project.project_id
}

# OS Login onto a VM that runs as a service account additionally requires
# iam.serviceAccountUser on that VM's account; grant it to the login identity.
resource "google_service_account_iam_member" "test-ce-service-account-user" {
  member             = "serviceAccount:${google_service_account.test-ce.email}"
  role               = "roles/iam.serviceAccountUser"
  service_account_id = google_service_account.test-ce-instance.id
}

# IAP
# resource "google_project_iam_member" "test-ce-resource-accessor" {
#   project = data.google_project.project.project_id
#   role = "roles/iap.tunnelResourceAccessor"
#   member = "serviceAccount:${google_service_account.test-ce.email}"
# }
// Replace PROJECT_ID, SOURCE_IP and EMAIL with your own values before running.
$ docker run --rm -itv "$PWD:/app" -w /app google/cloud-sdk:457.0.0-alpine
/app # gcloud auth login --update-adc
/app # apk add terraform
/app # terraform init
/app # terraform apply

/app # gcloud compute ssh test-ce --command 'sudo echo test' \
  --impersonate-service-account test-ce@PROJECT_ID.iam.gserviceaccount.com \
  --zone europe-central2-a --project PROJECT_ID
/app # gcloud compute ssh test-ce --command 'sudo -v' \
  --impersonate-service-account test-ce@PROJECT_ID.iam.gserviceaccount.com \
  --zone europe-central2-a --project PROJECT_ID
/app # gcloud compute ssh test-ce --command 'echo test' \
  --impersonate-service-account test-ce@PROJECT_ID.iam.gserviceaccount.com \
  --zone europe-central2-a --project PROJECT_ID
/app # gcloud compute ssh test-ce --command 'echo test' \
  --tunnel-through-iap \
  --impersonate-service-account test-ce@PROJECT_ID.iam.gserviceaccount.com \
  --zone europe-central2-a --project PROJECT_ID

Assign OS Login IAM roles
Grant roles for IAP TCP forwarding
Service Account Token Creator role
