» Google Provider Configuration Reference

The google and google-beta provider blocks are used to configure the credentials you use to authenticate with GCP, as well as a default project and location (zone and/or region) for your resources.

» Example Usage - Basic provider blocks

provider "google" {
  credentials = "${file("account.json")}"
  project     = "my-project-id"
  region      = "us-central1"
  zone        = "us-central1-c"
}

provider "google-beta" {
  credentials = "${file("account.json")}"
  project     = "my-project-id"
  region      = "us-central1"
  zone        = "us-central1-c"
}

» Example Usage - Using beta features with google-beta

To use Google Cloud Platform features that are in beta, you need to both:

  • Explicitly define a google-beta provider block.

  • Explicitly set the provider for your resource to google-beta.

See Provider Versions for a full reference on how to use features from different GCP API versions in the Google provider.

resource "google_compute_instance" "ga-instance" {
  provider = "google"

  # ...
}

resource "google_compute_instance" "beta-instance" {
  provider = "google-beta"

  # ...
}

provider "google-beta" {}

» Configuration Reference

The following attributes can be used to configure the provider. The quick reference should be sufficient for most use cases, but see the full reference if you're interested in more details. Both google and google-beta share the same configuration.

» Quick Reference

  • credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.

  • project - (Optional) The default project to manage resources in. If another project is specified on a resource, it will take precedence.

  • region - (Optional) The default region to manage resources in. If another region is specified on a regional resource, it will take precedence.

  • zone - (Optional) The default zone to manage resources in. Generally, this zone should be within the default region you specified. If another zone is specified on a zonal resource, it will take precedence.


  • scopes - (Optional) The list of OAuth 2.0 scopes requested when generating an access token using the service account key specified in credentials.

  • access_token - (Optional) A temporary OAuth 2.0 access token obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials, and ignores the scopes field. If both are specified, access_token will be used over the credentials field.

  • user_project_override - (Optional) Defaults to false. If true, uses the resource project for preconditions, quota, and billing, instead of the project the credentials belong to. Not all resources support this; see the documentation for each resource to learn whether it does.

  • {{service}}_custom_endpoint - (Optional) The endpoint for a service's APIs, such as compute_custom_endpoint. Defaults to the production GCP endpoint for the service. This can be used to configure the Google provider to communicate with GCP-like APIs such as the Cloud Functions emulator. Values are expected to include the version of the service, such as https://www.googleapis.com/compute/v1/.

  • batching - (Optional) This block controls batching GCP calls for groups of specific resource types. Structure is documented below. NOTE: Batching is not implemented for the majority of resources/request types and is bounded by the core -parallelism flag. Adding or changing this config likely won't affect a Terraform run at all unless the user is creating enough of a particular type of resource to run into quota issues.

  • request_timeout - (Optional) A duration string controlling the amount of time the provider should wait for a single HTTP request. This will not adjust the amount of time the provider will wait for a logical operation - use the resource timeout blocks for that.

The batching block supports:

  • send_after - (Optional) A duration string representing the amount of time after which a request should be sent. Defaults to 10s.

  • enable_batching - (Optional) Defaults to true. If false, disables batching so requests that have batching capabilities are instead sent one by one.

» Full Reference

  • credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console. Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire. Alternatively, this can be specified using the GOOGLE_CREDENTIALS environment variable or any of the following ordered by precedence.

    • GOOGLE_CREDENTIALS
    • GOOGLE_CLOUD_KEYFILE_JSON
    • GCLOUD_KEYFILE_JSON

    Using Terraform-specific service accounts to authenticate with GCP is the recommended practice when using Terraform. If no Terraform-specific credentials are specified, the provider will fall back to using Google Application Default Credentials. To use them, you can enter the path of your service account key file in the GOOGLE_APPLICATION_CREDENTIALS environment variable, or configure authentication through one of the following:

  • If you're running Terraform from a GCE instance, default credentials are automatically available. See Creating and Enabling Service Accounts for Instances for more details.

  • On your computer, you can make your Google identity available by running gcloud auth application-default login. This approach isn't recommended; some APIs are not compatible with credentials obtained through gcloud.


  • project - (Optional) The default project to manage resources in. If another project is specified on a resource, it will take precedence. This can also be specified using the GOOGLE_PROJECT environment variable, or any of the following ordered by precedence.

    • GOOGLE_PROJECT
    • GOOGLE_CLOUD_PROJECT
    • GCLOUD_PROJECT
    • CLOUDSDK_CORE_PROJECT

  • region - (Optional) The default region to manage resources in. If another region is specified on a regional resource, it will take precedence. Alternatively, this can be specified using the GOOGLE_REGION environment variable or any of the following ordered by precedence.

    • GOOGLE_REGION
    • GCLOUD_REGION
    • CLOUDSDK_COMPUTE_REGION

  • zone - (Optional) The default zone to manage resources in. Generally, this zone should be within the default region you specified. If another zone is specified on a zonal resource, it will take precedence. Alternatively, this can be specified using the GOOGLE_ZONE environment variable or any of the following ordered by precedence.

    • GOOGLE_ZONE
    • GCLOUD_ZONE
    • CLOUDSDK_COMPUTE_ZONE

  • access_token - (Optional) A temporary OAuth 2.0 access token obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials, and ignores the scopes field. If both are specified, access_token will be used over the credentials field. It can also be specified using the GOOGLE_OAUTH_ACCESS_TOKEN environment variable.



  • {{service}}_custom_endpoint - (Optional) The endpoint for a service's APIs, such as compute_custom_endpoint. Defaults to the production GCP endpoint for the service. This can be used to configure the Google provider to communicate with GCP-like APIs such as the Cloud Functions emulator. Values are expected to include the version of the service, such as https://www.googleapis.com/compute/v1/.
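
The precedence lists above, turned into a pre-run check (an added example, not part of the provider or its documentation): it reports which environment variable supplies each setting and which differing ones are silently ignored. Treating empty variables as unset and reading client_email from inline key JSON are assumptions; values set in the provider block itself are not inspected.

```python
import json
import os

# Environment variables per setting, in the precedence order listed above.
PRECEDENCE = {
    "credentials": ["GOOGLE_CREDENTIALS", "GOOGLE_CLOUD_KEYFILE_JSON", "GCLOUD_KEYFILE_JSON"],
    "project": ["GOOGLE_PROJECT", "GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT",
                "CLOUDSDK_CORE_PROJECT"],
    "region": ["GOOGLE_REGION", "GCLOUD_REGION", "CLOUDSDK_COMPUTE_REGION"],
    "zone": ["GOOGLE_ZONE", "GCLOUD_ZONE", "CLOUDSDK_COMPUTE_ZONE"],
}

def resolve(setting, env):
    """Return (winning_var, value, shadowed_vars); empty counts as unset (assumption)."""
    present = [name for name in PRECEDENCE[setting] if env.get(name)]
    if not present:
        return None, None, []
    winner = present[0]
    shadowed = [n for n in present[1:] if env[n] != env[winner]]
    return winner, env[winner], shadowed

def describe_credentials(value):
    """Classify a credentials value without echoing key material."""
    try:
        key = json.loads(value)
    except ValueError:
        return "path to a key file"
    if isinstance(key, dict):
        return "inline key for " + str(key.get("client_email", "unknown account"))
    return "path to a key file"

def audit(env):
    """List which variable supplies each setting and which ones are ignored."""
    findings = []
    token = bool(env.get("GOOGLE_OAUTH_ACCESS_TOKEN"))
    if token:
        findings.append("access_token: set, used over credentials; scopes ignored")
    for setting in PRECEDENCE:
        winner, value, shadowed = resolve(setting, env)
        if winner is None:
            if setting == "credentials" and not token:
                findings.append("credentials: unset, Application Default Credentials apply")
            continue
        shown = describe_credentials(value) if setting == "credentials" else value
        findings.append(f"{setting}: {winner} wins ({shown})")
        findings += [f"{setting}: {n} differs and is ignored" for n in shadowed]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(os.environ)))
```

Running it in the same shell or CI job as terraform plan shows a stale GCLOUD_* or CLOUDSDK_* variable before it selects an unintended project or key.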

A full list of configurable keys, their default value (in the google provider followed by google-beta if they differ), and an environment variable that can be used for configuration is below:

The following keys are available exclusively in the google-beta provider:


  • batching - (Optional) Controls batching for specific GCP request types where users have encountered quota or speed issues using count with resources that affect the same GCP resource (e.g. google_project_service). It is not used for every resource/request type and can only group parallel similar calls for nodes at a similar traversal time in the graph during terraform apply (e.g. resources created using count that affect a single project). Thus, it is also bounded by the terraform -parallelism flag, as reducing the number of parallel calls will reduce the number of simultaneous requests being added to a batcher.

So far, batching is implemented for:

  • enabling project services using google_project_service.

The batching block supports the following fields.

  • send_after - (Optional) A duration string representing the amount of time after which a request should be sent. Defaults to 10s. Should be a non-negative integer or float string with a unit suffix, such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

  • disable_batching - (Optional) Defaults to false. If true, disables global batching and each request is sent normally.


  • request_timeout - (Optional) A duration string controlling the amount of time the provider should wait for a single HTTP request. This will not adjust the amount of time the provider will wait for a logical operation - use the resource timeout blocks for that. This will adjust only the amount of time that a single synchronous request will wait for a response. The default is 30 seconds, and that should be a suitable value in most cases. Many GCP APIs will cancel a request if no response is forthcoming within 30 seconds in any event. In limited cases, such as DNS record set creation, there is a synchronous request to create the resource. This may help in those cases.

  • user_project_override - (Optional) Defaults to false. If true, uses the resource project for preconditions, quota, and billing, instead of the project the credentials belong to. Not all resources support this; see the documentation for each resource to learn whether it does.

When set to false, the project the credentials belong to will be billed for the request, and quota / API enablement checks will be done against that project. For service account credentials, this is the project the service account was created in. For credentials that come from the gcloud tool, this is a project owned by Google. In order to properly use credentials that come from gcloud with Terraform, it is recommended to set this property to true.

When set to true, the caller must have serviceusage.services.use permission on the resource project.