Can I create GCP API keys using Terraform?

Question

I'd like to create Google Cloud API keys using Terraform.

Is this possible?

Answer 1

Not yet, but Google seems to be working on exposing an API for API key management. Latest cloud sdk (tested with 287.0.0) has alpha support, like this:

$ gcloud alpha services api-keys
ERROR: (gcloud.alpha.services.api-keys) Command name argument expected.

Available commands for gcloud alpha services api-keys:

      clone                   *(ALPHA)*  Create a new API key with the same
                              metadata as input key.
      create                  *(ALPHA)*  Create an API key.
      delete                  *(ALPHA)*  Delete an API key.
      describe                *(ALPHA)*  Describe an API key's metadata.
      get-key-string          *(ALPHA)*  Get key string of an API key.
      list                    *(ALPHA)*  Lists API keys.
      lookup                  *(ALPHA)*  Look up resource name of a key string.
      undelete                *(ALPHA)*  Undelete an API key.
      update                  *(ALPHA)*  Update an API key's metadata.

When listing project API keys with the --log-http you can see the API endpoint used:

$ gcloud alpha services api-keys list --project $PROJECT --log-http
...
==== request start ====
uri: https://apikeys.googleapis.com/v2alpha1/projects/$PROJECT/keys?alt=json
...

Even though cloud sdk is using v2alpha1, there is a v2beta1 available. Verified like this:

$ curl -s -H"Authorization: Bearer $(gcloud auth print-access-token)" \
   https://apikeys.googleapis.com/v2beta1/projects/$PROJECT/keys
{
  "keys": [
    {
      "name": "projects/REDACTED/keys/REDACTED",
      "displayName": "REDACTED",
      "createTime": "2019-04-15T10:39:53.558Z",
      "updateTime": "2019-04-15T10:40:06.616639Z",
      "restrictions": {
        "androidKeyRestrictions": {},
        "apiTargets": [
          {
            "service": "geocoding_backend"
          }
        ]
      },
      "state": "ACTIVE"
    }
  ]
}

Since the terraform google provider is usually pretty quick to add new features I can only assume support is coming soon. You may want to create a Github Issue to show your interest. Or watch the beta provider's change log.

Answer 2

Google Cloud provider (version >= 4.14.0) for Terraform now supports creating API Keys.

Updating the answer with an example (as suggested by @noamt, thanks).

The key, in this case, restrict the possible APIs that can use to some GMaps ones:

resource "google_apikeys_key" "maps" {
  name         = "maps-api-key"
  display_name = "Nice name displayed in the UI"

  restrictions {
        # Example of whitelisting Maps Javascript API and Places API only
        api_targets {
            service = "maps-backend.googleapis.com"
        }
        api_targets {
            service = "places-backend.googleapis.com"
        }
  }
}