Google CloudGoogle Cloud Rungoogle_cloud_run_service_iam_policyPro

How to Import an Google Cloud Run Service IAM Policy into Terraform

To import an existing Google Cloud Run Service IAM Policy into Terraform, scan it with Terraback and run terraback gcp import --method bulk. Terraback writes the matching google_cloud_run_service_iam_policy resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the full service path projects/{project}/locations/{location}/services/{service}.

Import Google Cloud Run Service IAM Policy with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Google Cloud Run resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Google Cloud Run Service IAM Policy to managed Terraform.

1

Scan your Google Cloud account

terraback scan all gcp --project my-gcp-project
2

Generate import blocks and import into state

terraback gcp import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = google_cloud_run_service_iam_policy.main
  id = "projects/my-project/locations/us-central1/services/my-service"
}

Example google_cloud_run_service_iam_policy configuration

Here is a realistic Google Cloud Run Service IAM Policy block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "google_cloud_run_service_iam_policy" "main" {
  location    = google_cloud_run_service.main.location
  project     = google_cloud_run_service.main.project
  service     = google_cloud_run_service.main.name
  policy_data = data.google_iam_policy.invoker.policy_data
}

Gotchas when importing a Google Cloud Run Service IAM Policy

  • An iam_policy is fully authoritative: it replaces the entire IAM policy on the service, so any binding not present in policy_data is removed on apply.
  • Prefer google_cloud_run_service_iam_binding or _iam_member if other tools or teams also manage bindings on the same service.
  • Granting allUsers the roles/run.invoker role makes the service publicly reachable; review policy_data before applying.
  • policy_data is normally sourced from a google_iam_policy data source; hand-writing the JSON is error-prone.

Doing it manually with terraform import

The native approach is to write the google_cloud_run_service_iam_policy block by hand, then run terraform import google_cloud_run_service_iam_policy.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole Google Cloud account in minutes

Terraback scans 80+ Google Cloud resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.