| subcategory | description |
|---|---|
BigQuery |
Gives dataset access for a single entity. |
Gives dataset access for a single entity. This resource is intended to be used in cases where
it is not possible to compile a full list of access blocks to include in a
google_bigquery_dataset resource, to enable them to be added separately.
~> Note: If this resource is used alongside a google_bigquery_dataset resource, the
dataset resource must either have no defined access blocks or a lifecycle block with
ignore_changes = [access] so they don't fight over which accesses should be on the dataset.
Additionally, both resource cannot be modified in the same apply.
To get more information about DatasetAccess, see:
- API documentation
- How-to Guides
~> Warning: You must specify the role field using the legacy format OWNER instead of roles/bigquery.dataOwner.
The API does accept both formats but it will always return the legacy format which results in Terraform
showing permanent diff on each plan and apply operation.
resource "google_bigquery_dataset_access" "access" {
dataset_id = google_bigquery_dataset.dataset.dataset_id
role = "OWNER"
user_by_email = google_service_account.bqowner.email
}
resource "google_bigquery_dataset" "dataset" {
dataset_id = "example_dataset"
}
resource "google_service_account" "bqowner" {
account_id = "bqowner"
}resource "google_bigquery_dataset_access" "access" {
dataset_id = google_bigquery_dataset.private.dataset_id
view {
project_id = google_bigquery_table.public.project
dataset_id = google_bigquery_dataset.public.dataset_id
table_id = google_bigquery_table.public.table_id
}
}
resource "google_bigquery_dataset" "private" {
dataset_id = "example_dataset"
}
resource "google_bigquery_dataset" "public" {
dataset_id = "example_dataset2"
}
resource "google_bigquery_table" "public" {
deletion_protection = false
dataset_id = google_bigquery_dataset.public.dataset_id
table_id = "example_table"
view {
query = "SELECT state FROM [lookerdata:cdc.project_tycho_reports]"
use_legacy_sql = false
}
}resource "google_bigquery_dataset_access" "access" {
dataset_id = google_bigquery_dataset.private.dataset_id
dataset {
dataset{
project_id = google_bigquery_dataset.public.project
dataset_id = google_bigquery_dataset.public.dataset_id
}
target_types = ["VIEWS"]
}
}
resource "google_bigquery_dataset" "private" {
dataset_id = "private"
}
resource "google_bigquery_dataset" "public" {
dataset_id = "public"
}resource "google_bigquery_dataset" "public" {
dataset_id = "public_dataset"
description = "This dataset is public"
}
resource "google_bigquery_routine" "public" {
dataset_id = google_bigquery_dataset.public.dataset_id
routine_id = "public_routine"
routine_type = "TABLE_VALUED_FUNCTION"
language = "SQL"
definition_body = <<-EOS
SELECT 1 + value AS value
EOS
arguments {
name = "value"
argument_kind = "FIXED_TYPE"
data_type = jsonencode({ "typeKind" = "INT64" })
}
return_table_type = jsonencode({ "columns" = [
{ "name" = "value", "type" = { "typeKind" = "INT64" } },
] })
}
resource "google_bigquery_dataset" "private" {
dataset_id = "private_dataset"
description = "This dataset is private"
}
resource "google_bigquery_dataset_access" "authorized_routine" {
dataset_id = google_bigquery_dataset.private.dataset_id
routine {
project_id = google_bigquery_routine.public.project
dataset_id = google_bigquery_routine.public.dataset_id
routine_id = google_bigquery_routine.public.routine_id
}
}The following arguments are supported:
dataset_id- (Required) A unique ID for this dataset, without the project name. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.
-
role- (Optional) Describes the rights granted to the user specified by the other member of the access object. Basic, predefined, and custom roles are supported. Predefined roles that have equivalent basic roles are swapped by the API to their basic counterparts, and will show a diff post-create. See official docs. -
user_by_email- (Optional) An email address of a user to grant access to. For example: [email protected] -
group_by_email- (Optional) An email address of a Google Group to grant access to. -
domain- (Optional) A domain to grant access to. Any users signed in with the domain specified will be granted the specified access -
special_group- (Optional) A special group to grant access to. Possible values include:projectOwners: Owners of the enclosing project.projectReaders: Readers of the enclosing project.projectWriters: Writers of the enclosing project.allAuthenticatedUsers: All authenticated BigQuery users.
-
iam_member- (Optional) Some other type of member that appears in the IAM Policy but isn't a user, group, domain, or special group. For example:allUsers -
view- (Optional) A view from a different dataset to grant access to. Queries executed against that view will have read access to tables in this dataset. The role field is not required when this field is set. If that view is updated by any user, access to the view needs to be granted again via an update operation. Structure is documented below. -
dataset- (Optional) Grants all resources of particular types in a particular dataset read access to the current dataset. Structure is documented below. -
routine- (Optional) A routine from a different dataset to grant access to. Queries executed against that routine will have read access to tables in this dataset. The role field is not required when this field is set. If that routine is updated by any user, access to the routine needs to be granted again via an update operation. Structure is documented below. -
condition- (Optional) Condition for the binding. If CEL expression in this field is true, this access binding will be considered. Structure is documented below. -
project- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
-
dataset_id- (Required) The ID of the dataset containing this table. -
project_id- (Required) The ID of the project containing this table. -
table_id- (Required) The ID of the table. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 1,024 characters.
-
dataset- (Required) The dataset this entry applies to Structure is documented below. -
target_types- (Required) Which resources in the dataset this entry applies to. Currently, only views are supported, but additional target types may be added in the future. Possible values: VIEWS
-
dataset_id- (Required) The ID of the dataset containing this table. -
project_id- (Required) The ID of the project containing this table.
-
dataset_id- (Required) The ID of the dataset containing this table. -
project_id- (Required) The ID of the project containing this table. -
routine_id- (Required) The ID of the routine. The ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_). The maximum length is 256 characters.
-
expression- (Required) Textual representation of an expression in Common Expression Language syntax. -
title- (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. -
description- (Optional) Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. -
location- (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
In addition to the arguments listed above, the following computed attributes are exported:
id- an identifier for the resource with formatprojects/{{project}}/datasets/{{dataset_id}}
This resource provides the following Timeouts configuration options:
create- Default is 20 minutes.delete- Default is 20 minutes.
This resource does not support import.
This resource supports User Project Overrides.