Reputation: 1174
Hey, I'm trying to create new users in IAM on GCP and automate it with Terraform. I know you can do so on AWS with `aws_iam_user`;
is there an equivalent on GCP? I see `google_project_iam_member`,
but it doesn't create a new user; it expects one to be there already.
PS: the error message looks like this:

```
Error: Request "Create IAM Members roles/storage.objectViewer
user:[email protected] for \"project \\\"<my-project-id>\\\"\"" returned
error: Error applying IAM policy for project "<my-project-id>": Error
setting IAM policy for project "<my-project-id>": googleapi: Error 400:
User [email protected] does not exist., badRequest
```
and the code is simply:

```hcl
provider "google" {
  credentials = file(var.credentials)
  project     = var.project_name
  region      = var.region
}

resource "google_project_iam_member" "member" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "user:[email protected]"
}
```
Upvotes: 3
Views: 4399
Reputation: 21
You need another provider for admin.google.com tasks: https://registry.terraform.io/providers/hashicorp/googleworkspace/latest/docs

GCP IAM relies on users being provided via Workspace (most general) or provisioned via its Managed Active Directory service (which is actually part of GCP, and a managed service within your GCP project[s]). Workspace is technically not part of GCP, but closely related: it provides an identity provider service for GCP. The Workspace account can be from any (billing) account using Workspace (such as gmail.com).
Upvotes: 2
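The following is an added example, not code from the answer above or from either provider's documentation: it shows the two-provider pattern the answer describes, creating a Workspace user with the `googleworkspace` provider and then binding it with the `google` provider, so that the "User ... does not exist" 400 from the question cannot occur. Every variable (`gcp_credentials`, `workspace_credentials`, `customer_id`, `admin_email`, `project_id`, `example_domain`, `initial_password`) and the resource names are assumptions for illustration; the Workspace side requires a service account with domain-wide delegation and a Workspace admin to impersonate, which is a prerequisite of that provider rather than something this snippet sets up.

```hcl
# Added example: provision a Workspace identity, then grant it a project role.
# Variable names are placeholders; supply real values via tfvars or TF_VAR_*.

terraform {
  required_providers {
    google          = { source = "hashicorp/google" }
    googleworkspace = { source = "hashicorp/googleworkspace" }
  }
}

variable "gcp_credentials"       { type = string } # path to the GCP service-account key
variable "workspace_credentials" { type = string } # path to the delegated SA key
variable "customer_id"           { type = string } # Workspace customer ID (assumed)
variable "admin_email"           { type = string } # Workspace admin to impersonate
variable "project_id"            { type = string }
variable "example_domain"        { type = string } # e.g. a Workspace-managed domain

# Marked sensitive so the value never appears in plan output or logs;
# pass it in from a secrets store rather than committing a literal.
variable "initial_password" {
  type      = string
  sensitive = true
}

provider "google" {
  credentials = file(var.gcp_credentials)
  project     = var.project_id
}

# Scope is limited to directory user management (least privilege for this job).
provider "googleworkspace" {
  credentials             = file(var.workspace_credentials)
  customer_id             = var.customer_id
  impersonated_user_email = var.admin_email
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.user",
  ]
}

# 1. Create the identity in Workspace. Forcing a password change at first
#    login means the Terraform-supplied secret is short-lived.
resource "googleworkspace_user" "viewer" {
  primary_email                 = "viewer@${var.example_domain}"
  password                      = var.initial_password
  change_password_at_next_login = true

  name {
    given_name  = "Object"
    family_name = "Viewer"
  }
}

# 2. Bind the role. Referencing the Workspace resource's attribute gives
#    Terraform an implicit dependency, so the user exists before the
#    IAM policy is applied, which is exactly the ordering the 400 complained about.
resource "google_project_iam_member" "viewer" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "user:${googleworkspace_user.viewer.primary_email}"
}
```

Two points worth keeping in mind when adopting this: `google_project_iam_member` is additive (it only manages the single binding it declares), so it is the safer choice over `google_project_iam_policy`, which replaces the whole policy; and the delegated Workspace service-account key is effectively a domain-admin credential, so store it with the same care as the GCP key and keep the `oauth_scopes` list to the minimum the run needs.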
Reputation: 1174
Well, this is awkward, or maybe not and just my misinterpretation. You don't really create a user - the user is just a Google account user - with its own password, associated phone, etc. - you cannot create a new user on GCP (Google) - you can merely allow an existing user to have some role on your GCP project/organization.
PS: kudos to @Hitobat for the suggestion
Upvotes: 2