From e250568cc28666a8b1b0264c44e2bd88bcd86d06 Mon Sep 17 00:00:00 2001
From: Dave Knell
Date: Wed, 1 Nov 2023 13:09:35 -0400
Subject: [PATCH 1/2] add gcp module
---
 README.md | 95 +++++++++++++++++++++++++++++++++-------------------
 main.tf | 39 +++++++++++++++++++--
 outputs.tf | 10 ++----
 provider.tf | 4 +++
 variables.tf | 19 ++++++++---
 versions.tf | 5 ++-
 6 files changed, 122 insertions(+), 50 deletions(-)
 create mode 100644 provider.tf
diff --git a/README.md b/README.md
index d7958d3..dfdfe02 100644
--- a/README.md
+++ b/README.md
@@ -1,51 +1,76 @@
-# Terraform Module Template
+# Terraform Google Cloud IAM Module
-**Next steps**
-1. Update the top section of this file to tell people about this module.
-2. Update `versions.tf` to include the required providers for the module.
-3. Add resources and variables to solve the problem.
-4. Add outputs for relevant details the consumer may want
-5. Add example uses to the bottom of this file
-6. Update the generated portion of this file using `terraform-docs .`
+This Terraform module allows you to manage Google Cloud IAM roles and service accounts within a Google Cloud project and organization. It provides an easy way to create custom roles, service accounts, and manage IAM bindings.
+## Usage
-
-## Requirements
+To use this module in your Terraform configuration, follow these steps:
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.15 |
+### Clone the Repository:
-## Providers
+Clone the repository to your local machine or reference it remotely if it's hosted elsewhere:
-| Name | Version |
-|------|---------|
-| [null](#provider\_null) | n/a |
+```
+git clone
+```
-## Modules
+### Initialize Terraform:
-No modules.
+Navigate to the directory containing your Terraform configuration and initialize Terraform:
-## Resources
+```
+terraform init
+```
-| Name | Type |
-|------|------|
-| [null_resource.nope](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+### Include the Module:
-## Inputs
+In your Terraform configuration, include the module by specifying the source path. Replace with the actual path to the module:
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [this](#input\_this) | Replace me with a real variable. | `str` | `"nope"` | no |
+```hcl
+module "drata_module" {
+ source = "./path/to/module" # Update with the actual path
+ project = "your_project_id"
+ org_id = "your_organization_id"
+ region = "us-central1" # Optional: Specify the desired region
+}
+```
-## Outputs
+### Apply the Configuration:
+
+Apply your Terraform configuration to create the IAM roles, service accounts, and bindings:
+
+```
+terraform apply
+```
+
+### Access Outputs (Optional):
+
+If you need to access the outputs from the module, you can do so in your Terraform configuration:
+
+```hcl
+output "drata_service_account_email" {
+ value = module.drata_module.service_account_email
+}
+```
-| Name | Description |
-|------|-------------|
-| [nope](#output\_nope) | TODO: Remove this and add your own outputs |
-| [true](#output\_true) | n/a |
-
+Then, run `terraform output` to see the output values.
-## Examples
+### Destroy Resources (Optional):
+
+If you want to destroy the resources created by the module, use the following command:
+
+```
+terraform destroy
+```
+
+## Variables
+
+* `project`: The Google Cloud project ID where resources will be created.
+* `org_id`: The Google Cloud organization ID.
+* `region` (optional): The Google Cloud region where resources will be created. Default value is `"us-central1"`.
+
+## Outputs
+* `service_account_email`: The email address of the created service account.
-**TODO:** Add examples here
+## Contributing
+Feel free to contribute to this module by submitting issues or pull requests. We welcome any improvements or suggestions.
diff --git a/main.tf b/main.tf
index c9d879a..cc6705d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,2 +1,37 @@
-# TODO: Remove this and add your own resources.
-resource "null_resource" "nope" {}
+resource "google_project_iam_custom_role" "drata_project_role" {
+ role_id = "DrataReadOnlyProjectRole"
+ title = "Drata Read-Only Project Role"
+ description = "Service Account for Drata Autopilot to get read access to all project resources"
+ permissions = ["storage.buckets.get", "storage.buckets.getIamPolicy"]
+}
+
+resource "google_service_account" "drata" {
+ project = var.project
+ account_id = "dratareadonly"
+}
+
+resource "google_project_iam_member" "drata_member_project_role" {
+ project = var.project
+ role = google_project_iam_custom_role.drata_project_role.name
+ member = "serviceAccount:${google_service_account.drata.email}"
+}
+
+resource "google_project_iam_member" "drata_viewer_role" {
+ project = var.project
+ role = "roles/viewer"
+ member = "serviceAccount:${google_service_account.drata.email}"
+}
+
+resource "google_organization_iam_custom_role" "drata_org_role" {
+ role_id = "DrataReadOnlyOrganizationalRole"
+ org_id = var.org_id
+ title = "Drata Read-Only Organizational Role"
+ description = "Service Account with read-only access for Drata Autopilot to get organizational IAM data."
+ permissions = ["resourcemanager.organizations.getIamPolicy", "storage.buckets.get", "storage.buckets.getIamPolicy"]
+}
+
+resource "google_organization_iam_member" "organization" {
+ org_id = var.org_id
+ role = google_organization_iam_custom_role.drata_org_role.name
+ member = "serviceAccount:${google_service_account.drata.email}"
+}
diff --git a/outputs.tf b/outputs.tf
index 5890ffa..eca322d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,8 +1,4 @@
-# TODO: Remove this and add your own outputs
-output "nope" {
- value = null_resource.nope.id
-}
-
-output "true" {
- value = true
+output "service_account_email" {
+ description = "The email address of the created service account."
+ value = google_service_account.drata.email
 }
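Review bot: The organization-level custom role and binding (`google_organization_iam_custom_role.drata_org_role`, `google_organization_iam_member.organization`) are created unconditionally, so the module cannot be applied by anyone without organization-level IAM admin rights and always grants org-wide `resourcemanager.organizations.getIamPolicy` even when only the project-level setup is wanted; gating both with `count = var.org_id == null ? 0 : 1` (with `org_id` defaulting to `null` in variables.tf) keeps the interface compatible and makes the wider grant opt-in. `google_project_iam_custom_role.drata_project_role` sets no `project` and therefore lands in whatever project the provider defaults to, while the neighbouring resources pass `project = var.project` explicitly; add `project = var.project` to it so all project-scoped resources agree. `roles/viewer` on `drata_viewer_role` is a basic role granting read access to nearly every resource type in the project, far wider than the two storage permissions in the custom role; if that breadth is required by the consumer of this account, say so in a comment on the binding, otherwise replace it with the narrower predefined roles that are actually needed. The hard-coded `role_id` and `account_id` values also mean the module cannot be instantiated twice in the same project or organization, which variables with these values as defaults would fix. Finally, the project role's `description` calls the role a "Service Account"; `description = "Read-only access to project resources for Drata Autopilot"` describes what it is.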
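Review bot: Only the service account email is exported, so a consumer that wants to grant the account additional roles, or audit what it was granted, has no way to reach the custom role names or the account's stable identifier without re-deriving them. Consider adding `output "service_account_name" { value = google_service_account.drata.name }` and `output "project_role_name" { value = google_project_iam_custom_role.drata_project_role.name }` alongside the existing output. The `serviceAccount:${...}` member string that main.tf builds three times is also worth exporting once, since every further binding a consumer writes has to rebuild it.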
diff --git a/provider.tf b/provider.tf
new file mode 100644
index 0000000..08cca77
--- /dev/null
+++ b/provider.tf
@@ -0,0 +1,4 @@
+provider "google" {
+ project = var.project
+ region = var.region
+}
diff --git a/variables.tf b/variables.tf
index 4a18fac..439ab73 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,6 +1,15 @@
-# TODO: Add your own input variables
-variable "this" {
- type = str
- description = "Replace me with a real variable."
- default = "nope"
+variable "project" {
+ description = "The Google Cloud project ID where resources will be created."
+ type = string
+}
+
+variable "org_id" {
+ description = "The Google Cloud organization ID."
+ type = string
+}
+
+variable "region" {
+ description = "The Google Cloud region where resources will be created."
+ type = string
+ default = "us-central1"
 }
diff --git a/versions.tf b/versions.tf
index 7e90134..a823cf2 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,6 +2,9 @@ terraform {
 required_version = ">= 0.15"
 required_providers {
- # TODO: define the providers required by this module
+ google = {
+ source = "hashicorp/google"
+ version = "5.4.0"
+ }
 }
 }
From ef2d381669888d46243fa5d35d7fc1a3f12a89e2 Mon Sep 17 00:00:00 2001
From: Dave Knell
Date: Wed, 1 Nov 2023 13:15:27 -0400
Subject: [PATCH 2/2] use repo url
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index dfdfe02..c588fbc 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ To use this module in your Terraform configuration, follow these steps:
 Clone the repository to your local machine or reference it remotely if it's hosted elsewhere:
 ```
-git clone
+git clone https://github.com/drata/terraform-gcp-drata-autopilot-role
 ```
 ### Initialize Terraform:
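Review bot: A `provider "google"` block inside a module that the README tells consumers to call as `module "drata_module"` is a documented Terraform pitfall: a child module carrying its own provider configuration cannot be used with `count`, `for_each` or `depends_on`, and removing the module call later leaves resources in state whose provider configuration no longer exists, so they cannot be destroyed cleanly. Since every resource in main.tf already receives `var.project` (or `var.org_id`) explicitly, the block can be dropped and the root configuration left to configure the provider; the `region` it sets has no effect on these IAM resources, which are not regional. If the goal is to state which provider the module expects, `required_providers` in versions.tf already does that, and a `configuration_aliases` entry there is the supported way to require a passed-in provider.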
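Review bot: `region` is consumed only by the provider block and by none of the IAM resources, which are global, so its description "The Google Cloud region where resources will be created" is misleading; either drop the variable together with the provider block or reword it to say it only sets the provider default. `org_id` is required with no default, which forces every consumer to supply an organization even when only the project-level role and account are wanted; `default = null` (with the organization resources made conditional in main.tf) would let the module serve both cases. Organization IDs are numeric, so a `validation` block with `condition = var.org_id == null || can(regex("^[0-9]+$", var.org_id))` would reject a pasted domain name at plan time instead of failing at the API during apply.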
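Review bot: `version = "5.4.0"` pins the google provider to one exact release from inside a reusable module, so every root configuration that calls it (and every other module in that configuration) is locked to 5.4.0 and any conflicting constraint makes `terraform init` fail. A child module should express the minimum it needs and leave exact pinning to the root module and its lock file, e.g. `version = "~> 5.4"`. The enclosing `terraform {` block starts on line 1, outside the hunk.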