Skip to content
This repository was archived by the owner on Sep 15, 2025. It is now read-only.

memes/terraform-google-f5-distributed-cloud-role

BranchesTags

Repository files navigation

F5 Distributed Cloud Role Terraform module

GitHub release Maintenance Contributor Covenant

NOTE: As of F5 Distributed Cloud SMS v2 availability, use of this module to create a custom role is deprecated. Instead, you should create Customer Edge nodes directly and register those with the console. See https://github.com/memes/terraform-google-volterra for examples..

This Terraform module is a helper to create a custom IAM role that has the permissions required for F5 Distributed Cloud to manage a Google Cloud environment. The role will be created in the specified project by default, but can be created as an Organization role if preferred, for reuse across projects.

Unless a specific identifier is provided in the id variable, a semi-random identifier will be generated of the form f5_xc_xxxx to avoid unique identifier collisions during the time after a custom role is deleted but before it is purged from the project or organization.

F5 has similar community supported modules available for AWS and Azure.

NOTE: This module is unsupported and not an official F5 product. If you require assistance please join our Slack GCP channel and ask!

Difference with F5 published role

F5 publishes a YAML declaration that encapsulates F5 recommended permissions in a fixed role; this Terraform module includes additional permissions that seem to be needed.

Added permissions for project-scoped role

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.list
  • compute.addresses.useInternal

Added permissions for organization-scoped role

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.list
  • compute.addresses.useInternal
  • resourcemanager.projects.list

Examples

Create the custom role at the project, and assign to an existing service account

See Simple project role example for more details.

module "role" {
  source    = "memes/f5-distributed-cloud-role/google"
  version   = "1.0.9"
  target_id = "my-project-id"
  members   = ["serviceAccount:f5-xc@my-project-id.iam.gserviceaccount.com"]
}

Create the custom role for entire org, but do not explicitly assign membership

See Simple org role example for more details.

module "org_role" {
  source      = "memes/f5-distributed-cloud-role/google"
  version     = "1.0.9"
  target_type = "org"
  target_id   = "my-org-id"
}

Create the custom role in the project with a fixed id, and assign to a service account

See Fixed id example for more details.

module "role" {
  source    = "memes/f5-distributed-cloud-role/google"
  version   = "1.0.9"
  id        = "my_custom_role"
  target_id = "my-project-id"
  title     = "An example F5 Distributed Cloud custom role"
  members   = ["serviceAccount:f5-xc@my-project-id.iam.gserviceaccount.com"]
}

F5 XC Cloud Credential

Deeper examples that show how to create a service account, add the custom role, and create a Cloud Credential that can be used for GPC VPC Sites in XC.

See Blindfold Cloud Credential and Plaintext Cloud Credential examples for full details.

Requirements

Name Version
terraform >= 1.3
google >= 4.38, < 7.0
random >= 3.4

Modules

Name Source Version
role terraform-google-modules/iam/google//modules/custom_role_iam 8.1.0

Resources

Name Type
random_id.role_id resource

Inputs

Name Description Type Default Required
target_id Sets the target for role creation; must be either an organization ID (target_type = 'org'),
or project ID (target_type = 'project').		 string n/a yes
description The optional description to assign to the custom IAM role. If left blank (default),
a suitable description will be created.		 string null no
id An identifier to use for the new role; default is an empty string which will
generate a unique identifier. If a value is provided, it must be unique at the
organization or project level depending on value of target_type respectively.
E.g. multiple projects can all have a 'f5_xc' role defined, but an organization
level role must be uniquely named.		 string null no
members An optional list of accounts that will be assigned the custom role. Default is
an empty list.		 list(string) [] no
random_id_prefix The prefix to use when generating random role identifier for the new role if
id field is blank. The default is 'f5_xc' which will generate a unique role
identifier of the form 'f5_xc_XXXX', where XXXX is a random hex string.		 string "f5_xc" no
target_type Determines if the F5 Distributed Cloud role is to be created for the whole
organization ('org') or at a 'project' level. Default is 'project'.		 string "project" no
title The human-readable title to assign to the custom IAM role. If left blank (default),
a suitable title will be created.		 string null no

Outputs

Name Description
qualified_role_id The qualified role-id for the custom CFE role.

About

Terraform module to create a Google Cloud IAM role suitable for use with F5 Distributed Cloud

Topics

google cloud terraform google-cloud distributed f5 terraform-module f5-distributed-cloud

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 9

v1.0.9 Latest
Oct 29, 2024
+ 8 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages