TL;DR: This is a way to grant temporary, self-expiring access to GCP resources using Terraform's `time_static` resource together with an IAM condition on a `google_project_iam_member` binding: the start time is captured once in state, and the binding's condition refuses requests after start + duration, so the grant expires even if nobody remembers to revoke it.
resource "time_static" "iam_starts_at" {
  # Deliberately created with no rfc3339 argument: the provider records the
  # wall-clock time of the first apply and keeps it in state, so the start of
  # the access window (and therefore the computed expiry) stays fixed across
  # later plans/applies.
  # rfc3339 = timestamp()
  # Do NOT set rfc3339 = timestamp(): that function is re-evaluated on every
  # plan, which would move the start time forward on each apply and silently
  # extend the grant.
  # Recreating this resource (e.g. via `terraform apply -replace=...` or by
  # losing state) restarts the window, so treat that as issuing a new grant.
}
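resource "google_project_iam_member" "temporary_iam" {
  # Project on which the time-bound role binding is added. This resource is
  # non-authoritative: it adds one binding and leaves other bindings untouched.
  project = var.project

  # The role to grant, e.g. "roles/container.viewer".
  # NOTE(review): not every role / resource type honours IAM conditions (see the
  # GCP IAM Conditions limitations). If var.role is one that does not, the
  # expiry below is NOT enforced and the grant is effectively permanent; verify
  # the role before relying on this pattern.
  role = var.role

  # Single Google account principal; var.user must be the user's email address
  # in the organization's domain, e.g. "john.smith@mycompany.com".
  # NOTE(review): consider a `validation` block on var.user (defined elsewhere)
  # so an out-of-domain address or a typo is rejected at plan time rather than
  # granting access to the wrong principal.
  member = "user:${var.user}"

  # Time-bound grant: IAM rejects requests once request.time passes the start
  # time (captured once by time_static.iam_starts_at and frozen in state) plus
  # var.duration (e.g. "24h" as a default). Because the start time does not
  # change on re-apply, the expiry does not slide forward either.
  condition {
    title       = "expires_after_${var.duration}"
    description = "Expiring in ${var.duration} after ${time_static.iam_starts_at.rfc3339}"
    # CEL expression evaluated by IAM on every request; the cut-off is
    # start + var.duration (not a fixed "1 day" -- it follows var.duration).
    # The condition is part of the binding, so access stops automatically even
    # if the grant is never revoked by hand. Note that the binding itself stays
    # in the project policy and in Terraform state after it expires; remove this
    # resource (or `terraform destroy`) to clean it up.
    expression = format("request.time < timestamp(\"%s\")", timeadd(time_static.iam_starts_at.rfc3339, var.duration))
  }
}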
