A Terraform Provider for Google Drive
The Terraform provider for Google Drive can be used to manage Google Drive objects like files and folders, Shared Drives and Labels.
It can also be used to manage permissions to any of these objects, as well as import and export files to and from Google Drive.
Using Terraform together with a source code management solution to manage your Google Drive environment helps you establish secure processes that require approval from multiple people before changes are deployed to production. You can also build your own modules to establish standards across your organization, such as naming conventions, default permissions or Label assignments.
- Manage Shared Drives and organize them into organizational units
- Manage Google Drive files (including file uploads, downloads and exports)
- Manage Google Drive permissions
- Manage Google Drive Labels, fields, assignments to files and permissions
To install this provider, copy and paste this code into your Terraform configuration. Then, run `terraform init`.

```hcl
terraform {
  required_providers {
    gdrive = {
      source  = "hanneshayashi/gdrive"
      version = "~> 1.0"
    }
  }
}
```
Please see the Upgrade Guide and make sure you have a backup of your state file before upgrading.
- Create GCP Project (or use an existing one)
- Enable the following APIs:
- Drive API
- Drive Labels API
- Cloud Identity API
- Create a Service Account + Enable Domain Wide Delegation
- See Perform Google Workspace Domain-Wide Delegation of Authority
- You don't need a Service Account Key if you use Application Default Credentials
- Enter the Client ID of the Service Account with the following scopes in your Admin Console:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.labels
https://www.googleapis.com/auth/drive.admin.labels
https://www.googleapis.com/auth/cloud-identity.orgunits
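The GCP side of these prerequisites can itself be kept under version control. The following is an added example, not part of the provider's documentation, that expresses the API enablement, the Service Account and the Token Creator binding with the official hashicorp/google provider. The project id, account id and member names are placeholders. Enabling Domain-Wide Delegation and entering the client id with the four scopes in the Admin Console remain manual steps, which is why the example outputs the values you need for them.

```hcl
# Added example using the hashicorp/google provider (not the gdrive provider's own code).
# Placeholders: var.project_id, the "terraform-gdrive" account id, var.terraform_runners.
variable "project_id" { type = string }

provider "google" {
  project = var.project_id
}

# APIs the gdrive provider calls, plus the IAM Service Account Credentials API
# that is required to mint tokens for the Service Account via Application Default Credentials.
resource "google_project_service" "required" {
  for_each = toset([
    "drive.googleapis.com",
    "drivelabels.googleapis.com",
    "cloudidentity.googleapis.com",
    "iamcredentials.googleapis.com",
  ])
  service            = each.key
  disable_on_destroy = false
}

# The Service Account that will receive Domain-Wide Delegation.
# No key is created: callers impersonate it through ADC instead.
resource "google_service_account" "gdrive" {
  account_id   = "terraform-gdrive"
  display_name = "Terraform Google Drive provider"
  depends_on   = [google_project_service.required]
}

# Identities allowed to run Terraform with this provider,
# e.g. "user:alice@example.com" or "serviceAccount:ci-runner@<project>.iam.gserviceaccount.com" (placeholders).
variable "terraform_runners" {
  type = set(string)
}

# Least privilege: the binding is placed on this single Service Account,
# not at project level, so the runners can impersonate nothing else.
resource "google_service_account_iam_member" "token_creator" {
  for_each           = var.terraform_runners
  service_account_id = google_service_account.gdrive.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = each.key
}

# Values for the remaining manual steps: the email goes into the gdrive
# provider block, the unique id is the Client ID entered in the Admin Console.
output "service_account_email" {
  value = google_service_account.gdrive.email
}

output "service_account_client_id" {
  value = google_service_account.gdrive.unique_id
}
```

Because the Token Creator role is granted per Service Account and per member, adding or removing a person who may deploy Drive changes is a reviewed change to `var.terraform_runners` rather than an edit in the Cloud Console.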
You can authenticate in one of two ways:
- Use Application Default Credentials (recommended): activate the IAM Service Account Credentials API in the project where the Service Account is located, then either
  a) use a Google Compute Engine instance or any other GCP service that supports attaching a Service Account, or
  b) run `gcloud auth application-default login --impersonate-service-account` on your local workstation.
  In both cases, the account needs the Service Account Token Creator role on the Service Account you set up for DWD (even if your GCP service is using the same account).
You can then configure the provider like so:
```hcl
provider "gdrive" {
  service_account = "[email protected]" # The email address of your Service Account. You can leave this empty on GCP if you want to use the service's attached account
  subject         = "[email protected]" # The user you want to impersonate with Domain Wide Delegation
}
```
- Create a Service Account Key and configure the provider like so:
```hcl
provider "gdrive" {
  service_account_key = "/path/to/sa.json" # The path to your Service Account Key file, or its content in JSON format
  subject             = "[email protected]" # The user you want to impersonate with Domain Wide Delegation
}
```
You can also set the `SERVICE_ACCOUNT_KEY` environment variable to either the path to the Key file or the JSON contents directly.
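To show the recommended, key-less configuration in context, here is an added example (not the provider's own documentation) of a minimal root module that authenticates with Application Default Credentials and manages one Shared Drive with one explicitly declared permission. The resource and attribute names `gdrive_drive`, `gdrive_permission`, `file_id`, `role`, `type` and `email_address` are assumed from the provider's registry documentation; check them against the version you install. All variable values are placeholders.

```hcl
# Added example; resource/attribute names are assumptions to verify against the registry docs.
terraform {
  required_providers {
    gdrive = {
      source  = "hanneshayashi/gdrive"
      version = "~> 1.0"
    }
  }
}

variable "service_account" { type = string } # SA email set up for DWD (placeholder)
variable "subject"         { type = string } # Workspace user to impersonate (placeholder)
variable "editor_email"    { type = string } # who gets access to the Shared Drive (placeholder)

# No key file anywhere: the identity running Terraform must hold
# roles/iam.serviceAccountTokenCreator on var.service_account, and on GCP
# service_account can be omitted to use the service's attached account.
provider "gdrive" {
  service_account = var.service_account
  subject         = var.subject
}

resource "gdrive_drive" "finance_reports" {
  name = "Finance - Reports"
}

# Grants are declared here and go through the same review as any other
# infrastructure change; nothing is handed out by hand in the Drive UI.
# "fileOrganizer" is a Drive API role; prefer it over "organizer" unless the
# person must also manage the Shared Drive's members and settings.
resource "gdrive_permission" "finance_editor" {
  file_id       = gdrive_drive.finance_reports.id
  role          = "fileOrganizer"
  type          = "user"
  email_address = var.editor_email
}
```

Supply the variables through a `terraform.tfvars` that is reviewed alongside the module; the Service Account Key path or `SERVICE_ACCOUNT_KEY` variable is not needed in this setup, so no long-lived credential has to be stored in CI or on a workstation.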
This provider uses GSM for authentication and API access. Take a look at the GSM Setup Guide if you need help.