gcp-terraform-drata-setup

GCP Terraform module that creates the Drata Read Only service account, the custom read-only role it is bound to, and the JSON key that Drata uses to connect.

Prerequisites

Make sure the identity (service account or user) that will run this Terraform configuration has the following roles granted at the organization level. These are administrative roles; use them only for the apply and do not grant them to the Drata service account itself.

  • Organization Administrator
  • Organization Policy Administrator
  • Organization Role Administrator
  • Service Account Admin
  • Service Account Key Admin
  • Service Usage Admin

Example Usage

The example below uses ref=main (appended to the source URL), but it is recommended to pin a specific tag version (e.g. ref=1.0.0) to avoid breaking changes. Go to the releases page for a list of published versions.

Replace YOUR_ORGANIZATION_DOMAIN with your organization domain, e.g. your_org.com.

module "service_account_creation" {
  source = "git::https://github.com/drata/gcp-terraform-drata-setup.git?ref=main"
  gcp_org_domain = "YOUR_ORGANIZATION_DOMAIN"
  # gcp_project_id = "YOUR_PROJECT_ID" # if unset, the provider's default project is used
  # drata_role_name = "YOUR_ROLE_NAME" # if unset, the default role name DrataReadOnly is used
  # connect_multiple_projects = false # if unset, the default value is true
}

output "drata_service_account_key" {
  value = module.service_account_creation.drata_service_account_key
  description = "Service Account Key"
  sensitive = true
}

After you apply this Terraform configuration, run the following command to retrieve the key file drata-gcp-private-key.json (the output is marked sensitive, so -raw is required to get the plain JSON):

terraform output -raw drata_service_account_key > drata-gcp-private-key.json

Troubleshooting

  1. Fixing the FAILED_PRECONDITION: Key creation is not allowed on this service account (type: constraints/iam.disableServiceAccountKeyCreation) error. This error means the organization policy constraint that disables service account key creation is enforced on the project. The steps below override that constraint for the selected project only; keep the override scoped to the project that will hold the Drata service account rather than relaxing it at the organization level.
    • Go to the IAM Organization Policies page.
    • Make sure the project where the service account will be stored is selected in the project picker at the top left of the console.
    • Type Disable service account key creation in the 🔽 Filter bar and select the policy.
    • Click the 📝 MANAGE POLICY button.
    • Under Policy source, select the Override parent's policy option.
    • Scroll down a little and expand the Enforced rule.
    • Make sure Enforcement is set to Off.
    • Click SET POLICY to save the changes.
    • Run this script again.

Setup

The following steps demonstrate how to connect GCP in Drata when using this Terraform module.

  1. Add the code above to your Terraform project.
  2. Make sure the service account used to authenticate this script has the roles Organization Administrator, Service Account Admin, Service Account Key Admin and Service Usage Admin.
  3. Replace main in ref=main with the latest version from the releases page.
  4. Replace YOUR_ORGANIZATION_DOMAIN with the GCP organization domain.
  5. Replace YOUR_PROJECT_ID if the desired project is not the default project in your organization.
  6. Replace the given drata_role_name if you don't want the added role to use the default name DrataReadOnly.
  7. If you don't wish to connect multiple projects to Drata, set the connect_multiple_projects variable to false; otherwise leave it true or unset.
  8. Back in your terminal, run terraform init to download/update the module.
  9. Run terraform apply and, IMPORTANT, review the plan output before typing yes.
  10. If successful, run the command to generate the JSON key file:
    • terraform output -raw drata_service_account_key > drata-gcp-private-key.json
  11. Verify the file has been generated.
  12. Go to the GCP connection drawer and select Upload File to upload the drata-gcp-private-key.json file.
  13. Select the Save & Test Connection button.
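Step 11 only says to verify that the key file exists. The Python script below is an added example, not part of the drata module, that goes a little further before the file is uploaded to Drata: it checks that drata-gcp-private-key.json is a well-formed service-account key JSON (not an empty file from a mistyped output name), that it belongs to the expected project, that its client_email is a service account of that project, and that the private key is PEM, and then restricts the file to owner read/write because it is a long-lived credential. The expected project id is an assumption supplied by the caller, and the sample key the demo writes is constructed (its private_key is a placeholder string, not a real key); the actual service-account name created by the module is not stated in this README, so the check only requires the email to belong to the expected project.

```python
"""Post-apply check of drata-gcp-private-key.json (added example, not the
drata module's code). Verifies the file is a well-formed service-account
key for the expected project and restricts its permissions, since the
file is a long-lived credential that is about to be uploaded to Drata."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Fields Google always includes in a service-account key JSON.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


class KeyFileError(ValueError):
    """Raised when the key file is not a usable service-account key."""


def validate_key_file(path, expected_project):
    """Parse and sanity-check a key file, then chmod it to 0600.

    expected_project is the caller's GCP project id (an assumption of this
    example; the module does not expose it). Returns a summary dict.
    """
    key_path = Path(path)
    raw = key_path.read_text(encoding="utf-8")
    if not raw.strip():
        # `terraform output -raw` writes nothing useful if the output name is wrong.
        raise KeyFileError("key file is empty; check the terraform output name")
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise KeyFileError(f"key file is not JSON: {exc}") from exc
    missing = [field for field in REQUIRED_FIELDS if not key.get(field)]
    if missing:
        raise KeyFileError("missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise KeyFileError(f"unexpected key type {key['type']!r}")
    if key["project_id"] != expected_project:
        raise KeyFileError(
            f"key belongs to project {key['project_id']!r}, expected {expected_project!r}"
        )
    email = key["client_email"]
    if not email.endswith(f"@{expected_project}.iam.gserviceaccount.com"):
        raise KeyFileError(f"{email!r} is not a service account of {expected_project!r}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise KeyFileError("private_key is not a PEM private key")
    # Owner read/write only: nobody else on the host should be able to copy the key.
    os.chmod(key_path, stat.S_IRUSR | stat.S_IWUSR)
    return {
        "client_email": email,
        "project_id": key["project_id"],
        "private_key_id": key["private_key_id"],
        "mode": stat.S_IMODE(key_path.stat().st_mode),
    }


def rejection_reason(path, expected_project):
    """Return the validation error message, or None when the file passes."""
    try:
        validate_key_file(path, expected_project)
    except KeyFileError as exc:
        return str(exc)
    return None


# Constructed sample in the shape of a Google key file; the private_key is a
# placeholder string, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "drata@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def demo(directory=None):
    """Write the constructed sample to a temp dir and validate it.

    Returns (summary, path) so the path can be re-checked with other inputs.
    """
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "drata-gcp-private-key.json")
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(SAMPLE_KEY, handle, indent=2)
    return validate_key_file(path, "example-project"), path


if __name__ == "__main__":
    # Real use: validate_key_file("drata-gcp-private-key.json", "<your project id>")
    print(demo()[0])
```

For the real file, call validate_key_file with the path written by terraform output and your project id; a KeyFileError tells you what is wrong before Drata's Save & Test Connection does. Remember that the key also lives in the Terraform state, so the state backend needs at least the same access controls as this file.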

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.0 |
| google | 5.16.0 |

Providers

| Name | Version |
|------|---------|
| google | 5.16.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_organization_iam_custom_role.drata_org_role | resource |
| google_organization_iam_member.drata_organization_viewer_role | resource |
| google_organization_iam_member.organization | resource |
| google_project_iam_custom_role.drata_project_role | resource |
| google_project_iam_member.drata_member_project_role | resource |
| google_project_iam_member.drata_project_viewer_role | resource |
| google_project_service.services | resource |
| google_service_account.drata | resource |
| google_service_account_key.drata_key | resource |
| google_organization.gcp_organization | data source |
| google_project.gcp_project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| connect_multiple_projects | Whether the service account can see all the projects in the organization. | bool | true | no |
| drata_role_name | Name of the custom read-only role. | string | "DrataReadOnly" | no |
| gcp_org_domain | GCP organization domain. | string | n/a | yes |
| gcp_project_id | Identifier of the project within the GCP organization. If it is not provided, the provider project is used. | string | null | no |
| gcp_services | List of APIs to enable in the project. | list(string) | ["cloudresourcemanager.googleapis.com", "compute.googleapis.com", "admin.googleapis.com", "sqladmin.googleapis.com", "monitoring.googleapis.com", "cloudasset.googleapis.com"] | no |

Outputs

| Name | Description |
|------|-------------|
| drata_service_account_key | Service account key (sensitive; base64-decoded JSON when read with terraform output -raw) |