add gcp module #1

Open. Wants to merge 2 commits into base: main.
Changes from 1 commit.
95 changes: 60 additions & 35 deletions README.md
@@ -1,51 +1,76 @@
# Terraform Module Template
# Terraform Google Cloud IAM Module

**Next steps**
1. Update the top section of this file to tell people about this module.
2. Update `versions.tf` to include the required providers for the module.
3. Add resources and variables to solve the problem.
4. Add outputs for relevant details the consumer may want
5. Add example uses to the bottom of this file
6. Update the generated portion of this file using `terraform-docs .`
This Terraform module allows you to manage Google Cloud IAM roles and service accounts within a Google Cloud project and organization. It provides an easy way to create custom roles, service accounts, and manage IAM bindings.

## Usage

<!-- BEGIN_TF_DOCS -->
## Requirements
To use this module in your Terraform configuration, follow these steps:

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
### Clone the Repository:

## Providers
Clone the repository to your local machine or reference it remotely if it's hosted elsewhere:

| Name | Version |
|------|---------|
| <a name="provider_null"></a> [null](#provider\_null) | n/a |
```
git clone <repository_url>
```

## Modules
### Initialize Terraform:

No modules.
Navigate to the directory containing your Terraform configuration and initialize Terraform:

## Resources
```
terraform init
```

| Name | Type |
|------|------|
| [null_resource.nope](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
### Include the Module:

## Inputs
In your Terraform configuration, include the module by specifying the source path. Replace <module_path> with the actual path to the module:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_this"></a> [this](#input\_this) | Replace me with a real variable. | `str` | `"nope"` | no |
```hcl
module "drata_module" {
source = "./path/to/module" # Update with the actual path
project = "your_project_id"
org_id = "your_organization_id"
region = "us-central1" # Optional: Specify the desired region
}
```

## Outputs
### Apply the Configuration:

Apply your Terraform configuration to create the IAM roles, service accounts, and bindings:

```
terraform apply
```

### Access Outputs (Optional):

If you need to access the outputs from the module, you can do so in your Terraform configuration:

```hcl
output "drata_service_account_email" {
value = module.drata_module.service_account_email
}
```

| Name | Description |
|------|-------------|
| <a name="output_nope"></a> [nope](#output\_nope) | TODO: Remove this and add your own outputs |
| <a name="output_true"></a> [true](#output\_true) | n/a |
<!-- END_TF_DOCS -->
Then, run `terraform output` to see the output values.

## Examples
### Destroy Resources (Optional):

If you want to destroy the resources created by the module, use the following command:

```
terraform destroy
```

## Variables

* `project`: The Google Cloud project ID where resources will be created.
* `org_id`: The Google Cloud organization ID.
* `region` (optional): The Google Cloud region where resources will be created. Default value is `"us-central1"`.

## Outputs
* `service_account_email`: The email address of the created service account.

**TODO:** Add examples here
## Contributing
Feel free to contribute to this module by submitting issues or pull requests. We welcome any improvements or suggestions.
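Review bot: the placeholder in the prose ("Replace <module_path> with the actual path") does not match the one in the example (`source = "./path/to/module"`); use a single placeholder in both places. The README also documents `region` as "where resources will be created", yet nothing it describes is regional, and it never states what the module actually grants: a binding of `roles/viewer` on the project plus a custom role bound at the organization level (see main.tf), which callers need to know before running `terraform apply` with an `org_id`, since that requires organization-level IAM permissions on the applying identity. A one-paragraph "What this module grants" section would cover both.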
39 changes: 37 additions & 2 deletions main.tf
@@ -1,2 +1,37 @@
# TODO: Remove this and add your own resources.
resource "null_resource" "nope" {}
resource "google_project_iam_custom_role" "drata_project_role" {
role_id = "DrataReadOnlyProjectRole"
title = "Drata Read-Only Project Role"
description = "Service Account for Drata Autopilot to get read access to all project resources"
permissions = ["storage.buckets.get", "storage.buckets.getIamPolicy"]
}

resource "google_service_account" "drata" {
project = var.project
account_id = "dratareadonly"
}

resource "google_project_iam_member" "drata_member_project_role" {
project = var.project
role = google_project_iam_custom_role.drata_project_role.name
member = "serviceAccount:${google_service_account.drata.email}"
}

resource "google_project_iam_member" "drata_viewer_role" {
project = var.project
role = "roles/viewer"
member = "serviceAccount:${google_service_account.drata.email}"
}

resource "google_organization_iam_custom_role" "drata_org_role" {
role_id = "DrataReadOnlyOrganizationalRole"
org_id = var.org_id
title = "Drata Read-Only Organizational Role"
description = "Service Account with read-only access for Drata Autopilot to get organizational IAM data."
permissions = ["resourcemanager.organizations.getIamPolicy", "storage.buckets.get", "storage.buckets.getIamPolicy"]
}

resource "google_organization_iam_member" "organization" {
org_id = var.org_id
role = google_organization_iam_custom_role.drata_org_role.name
member = "serviceAccount:${google_service_account.drata.email}"
}
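Review bot: `google_project_iam_custom_role.drata_project_role` sets no `project`, so it is created in whatever project the provider defaults to, while every other resource in this file passes `project = var.project` explicitly; add `project = var.project` to the role so the module behaves the same regardless of the caller's provider configuration. Two further points: `google_project_iam_member.drata_viewer_role` binds the predefined `roles/viewer` to the same service account, which already grants project-wide read access, so it is worth stating in the README what the two-permission custom project role adds beyond that (if nothing, drop one of them); and the fixed `account_id = "dratareadonly"` and `role_id` values mean a second instance of the module in the same project or organization will collide, so consider exposing them as variables with these values as defaults. Minor: the `description` on `drata_project_role` describes a service account rather than the role, and `google_organization_iam_member.organization` breaks the `drata_*` naming used by the other resources.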
10 changes: 3 additions & 7 deletions outputs.tf
@@ -1,8 +1,4 @@
# TODO: Remove this and add your own outputs
output "nope" {
value = null_resource.nope.id
}

output "true" {
value = true
output "service_account_email" {
description = "The email address of the created service account."
value = google_service_account.drata.email
}
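Review bot: the email output is fine, but since the README presents role management as part of what the module does, callers have no handle on the roles it creates; consider also exporting `google_project_iam_custom_role.drata_project_role.name`, `google_organization_iam_custom_role.drata_org_role.name` and the service account's `unique_id`, each with a `description`, and reflect them in the README Outputs list.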
4 changes: 4 additions & 0 deletions provider.tf
@@ -0,0 +1,4 @@
provider "google" {
project = var.project
region = var.region
}
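Review bot: a `provider "google"` block inside a reusable module is a problem: Terraform does not allow a module that carries its own provider configuration to be called with `count`, `for_each` or `depends_on`, and the configuration stays required after the module call is removed, which blocks destroying its resources cleanly. Drop this file, let the calling root module configure the provider, and keep only the `required_providers` declaration in versions.tf; the resources already pass `project = var.project` explicitly, and `region` then has no remaining consumer.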
19 changes: 14 additions & 5 deletions variables.tf
@@ -1,6 +1,15 @@
# TODO: Add your own input variables
variable "this" {
type = str
description = "Replace me with a real variable."
default = "nope"
variable "project" {
description = "The Google Cloud project ID where resources will be created."
type = string
}

variable "org_id" {
description = "The Google Cloud organization ID."
type = string
}

variable "region" {
description = "The Google Cloud region where resources will be created."
type = string
default = "us-central1"
}
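Review bot: `region` is described as "where resources will be created", but none of the resources in main.tf (custom roles, a service account, IAM bindings) are regional; the variable is consumed only by the provider block in provider.tf. Either remove it or describe it as the provider's default region. Consider also adding `validation` blocks on `project` and `org_id` so a malformed or empty ID fails at plan time rather than when the organization-level binding is applied.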
5 changes: 4 additions & 1 deletion versions.tf
Expand Up @@ -2,6 +2,9 @@ terraform {
required_version = ">= 0.15"

required_providers {
# TODO: define the providers required by this module
google = {
source = "hashicorp/google"
version = "5.4.0"
}
}
}
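Review bot: `version = "5.4.0"` pins the google provider to an exact release. In a shared module that forces every caller onto precisely 5.4.0 and conflicts with any other module or root configuration that needs a different 5.x; a pessimistic constraint such as `~> 5.4` is the usual choice for a module, with exact pinning left to the root module's dependency lock file.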