IaC Bazaar · Google Cloud · Live-tested

Cloud Workflows (least-privilege identity)

A Cloud Workflows workflow that runs as a dedicated least-privilege service account instead of the broad Compute Engine default, with inline YAML, deletion protection, and call logging.

Tags: terraform · Google Cloud · #gcp · gcp-workflows · terraform v1.7

Verification

Live-tested

Deployed, verified, re-applied to confirm a clean (idempotent) plan, and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30 · how we verify

Documentation

gcp-workflows

A Cloud Workflows workflow with its execution identity done right: instead of falling back to the broadly-privileged Compute Engine default service account, this module provisions a dedicated, role-free service account for the workflow (or uses one you pass in), so you grant it only the roles its steps actually need. The workflow body is inline YAML. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Secure defaults:

  • A dedicated service account with no roles attached by the module, so the workflow never falls back to the Compute Engine default SA (which is auto-granted project Editor unless an org policy prevents it). Bind only the roles the workflow's steps call for.
  • deletion_protection on, so terraform destroy refuses to remove the workflow until the flag is flipped off.
  • Call logging at LOG_ERRORS_ONLY. Raise it to LOG_ALL_CALLS only while debugging and set it back afterwards: that level records the arguments and results of every call, which can land secrets or personal data in Cloud Logging.
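The pattern the listing describes, written out as an added example rather than the module's own shipped usage. Project, region, account id, workflow name and the roles/logging.logWriter grant are assumptions chosen for illustration; the resource arguments (service_account, call_log_level, deletion_protection, source_contents) are the provider's own.

```hcl
# Added example, not the gcp-workflows module's code. Assumed values:
# project "example-project", region "us-central1", SA "wf-nightly-report",
# workflow "nightly-report". The only role bound is an illustrative narrow one.

terraform {
  required_version = ">= 1.6"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 7.0, < 8.0"
    }
  }
}

provider "google" {
  project = "example-project" # assumed
  region  = "us-central1"     # assumed
}

# Dedicated execution identity. Nothing is granted here: the account starts
# with no roles and only receives what the workflow's steps actually need.
resource "google_service_account" "workflow" {
  account_id   = "wf-nightly-report"
  display_name = "Cloud Workflows: nightly-report"
}

# Illustrative least-privilege grant for the sys.log step below. Replace with
# the narrowest role for whatever your steps call; never reach for Editor.
resource "google_project_iam_member" "workflow_logs" {
  project = "example-project"
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.workflow.email}"
}

resource "google_workflows_workflow" "nightly_report" {
  name        = "nightly-report"
  region      = "us-central1"
  description = "Runs as a dedicated SA instead of the Compute Engine default"

  # Leaving this unset makes Workflows run as the Compute Engine default SA.
  # The principal running terraform apply needs iam.serviceAccounts.actAs
  # (e.g. roles/iam.serviceAccountUser) on this account to deploy as it.
  service_account = google_service_account.workflow.email

  # Explicit log level: LOG_ERRORS_ONLY in steady state. LOG_ALL_CALLS records
  # call arguments and results, so use it only while debugging.
  call_log_level = "LOG_ERRORS_ONLY"

  # terraform destroy fails until this is set to false and applied.
  deletion_protection = true

  # Inline YAML body. Workflows expressions use ${...}, which Terraform would
  # otherwise interpolate inside a heredoc, so they are escaped as $${...}.
  source_contents = <<-EOT
    main:
      params: [args]
      steps:
        - log_start:
            call: sys.log
            args:
              severity: INFO
              text: $${"nightly-report started with " + json.encode_to_string(args)}
        - done:
            return: $${args}
  EOT

  # Make sure the grant exists before a first execution can run.
  depends_on = [google_project_iam_member.workflow_logs]
}

output "workflow_service_account" {
  value = google_workflows_workflow.nightly_report.service_account
}
```

After apply, confirm the identity actually took effect rather than trusting the plan: `gcloud workflows describe nightly-report --location=us-central1 --format='value(serviceAccount)'` should print the dedicated account, not the PROJECT_NUMBER-compute@developer.gserviceaccount.com default. Running `terraform destroy` at this point is expected to fail on the workflow resource because of deletion_protection.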

Requirements

Requirement           Version
Terraform / OpenTofu  >= 1.6
hashicorp/google      >= 7.0, < 8.0

The Workflows API (workflows.googleapis.com) must be enabled; the IAM API (iam.googleapis.com) is needed when the module creates the service account (the default). The principal running terraform apply also needs iam.serviceAccounts.actAs (for example roles/iam.serviceAccountUser) on the workflow's service account, whether the module creates it or you pass one in, because deploying a workflow as a service account other than your own requires that permission.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
