Friday, December 30, 2022

Access GCR images from different GCP projects

The manual way:

https://medium.com/google-cloud/using-single-docker-repository-with-multiple-gke-projects-1672689f780c

For each GCP project that needs to pull the GCR images, grant the storage.objectViewer role to that project's service account in the GCP project that hosts the GCR images (the images live in a GCS bucket, so the Storage role is what controls read access).

The way through Terraform code:

resource "google_project_iam_member" "my-project-storage-access" {
  project = "gcp-project-of-gcr-images"
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.my-cluster.email}"
}

For each GCP project that needs to pull the GCR images, apply the above Terraform code to grant its service account the storage.objectViewer role on the project that hosts the images.

Tuesday, September 13, 2022

How to import IAM role to terraform state?

This sounds like a silly question.  Why is an IAM role any different?  We all know how to import resources into Terraform state, right?

Actually, there are two tricks to this:

1. You have to know the resource id for each IAM role.

2. You have to use double quotes for it.

Let me give you more details on these.

The resource ID for an IAM role binding has three components: project, role, and member.

But 'terraform import' takes only two arguments.  How can you pass three components?

Actually, the first argument is always the resource address, so you have only one argument left in which to pass all three components.

That is why double quotes are needed: put all three components inside one pair of double quotes, separated by spaces, so the shell passes them as a single argument.

Here is an example:

terraform import google_project_iam_member.my-cluster-autoscaling-metrics-writer "my-gcp-project roles/autoscaling.metricsWriter serviceAccount:my-cluster@my-gcp-project.iam.gserviceaccount.com"
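The two posts above fit together: the first grants storage.objectViewer per consuming project, the second imports such a binding. The following is an added example (not from either post) that generalises the first post to several consumer clusters with for_each, and shows in a comment how the import command from the second post changes when the resource has a for_each key. The project id and service-account e-mails are placeholders.

```hcl
# Added example: one google_project_iam_member per consuming GKE cluster,
# driven by a map, instead of copying the resource once per project.
# Placeholder values: "gcp-project-of-gcr-images" and the two service accounts.

variable "gcr_project" {
  type    = string
  default = "gcp-project-of-gcr-images"
}

# Key: a short label for each consuming cluster; value: its node service account.
variable "gcr_readers" {
  type = map(string)
  default = {
    "cluster-a" = "my-cluster@cluster-a-project.iam.gserviceaccount.com"
    "cluster-b" = "my-cluster@cluster-b-project.iam.gserviceaccount.com"
  }
}

# objectViewer is enough to pull images; nothing broader is needed here.
# google_project_iam_member is non-authoritative, so adding a cluster to the
# map never removes bindings that other teams manage on the same project.
resource "google_project_iam_member" "gcr_reader" {
  for_each = var.gcr_readers

  project = var.gcr_project
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${each.value}"
}

# Importing an existing binding into one for_each instance needs two layers of
# quoting: single quotes around the address (because of the ["..."] key) and
# double quotes around the three-part id, exactly as in the second post:
#
#   terraform import 'google_project_iam_member.gcr_reader["cluster-a"]' \
#     "gcp-project-of-gcr-images roles/storage.objectViewer serviceAccount:my-cluster@cluster-a-project.iam.gserviceaccount.com"
```

After the import, `terraform plan` should show no changes for that instance; a diff there means the project, role or member in the id did not match the map entry.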