Skip to content
/ gcp-terraform-cloud-connector Public

This repo provides a terraform module for customers looking to implement Google Cloud connector support for Bishop Fox Cosmos

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

BishopFox/gcp-terraform-cloud-connector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

main.tf

main.tf

 
 

outputs.tf

outputs.tf

 
 

variables.tf

variables.tf

 
 

Repository files navigation

customer-workload-identity-federation

This repo provides terraform code for customers looking to implement Google Cloud connector support for the Bishop Fox Cosmos platform.

For the most up to date instructions for how to setup a GCP Cloud Connector, please see this documentation in the Cosmos Platform. A PDF of these instructions is exportable at the top of this page for team members who do not have access to the Cosmos Platform. If you need additional support please reach out to your Customer Success Manager.

Legacy Repository Documentation

There is a dependency on Workload Identity Federation (WIF) being enabled inside the designated project and values.tfvars or env variables must be filled out with values for the following variables related to said project:

  • projectID
  • projectNumber

Run the following command in order to retrieve the current project number:

gcloud projects describe $(gcloud config get-value core/project) --format=value\(projectNumber\)

Bishop Fox will provide the customer with the following variable values:

  • AWS_accountID
  • AWS_iamRole1
  • AWS_iamRole2

Once the Workload Identity Pool, Workload Identity Pool AWS provider and [Connected] Service Account are provisioned you can add the service account as a principal with a Custom Role to IAM permissions of one or more GCP projects, at the folder-level or at the organization-level.

Custom Role permissions:

• compute.forwardingRules.get
• compute.forwardingRules.list
• compute.globalForwardingRules.get
• compute.globalForwardingRules.list
• compute.instances.get
• compute.instances.list
• compute.projects.get
• compute.regions.get
• compute.regions.list
• compute.zones.get
• compute.zones.list
• resourcemanager.projects.get
• resourcemanager.projects.list
• serviceusage.services.get
• serviceusage.services.list
• storage.buckets.getIamPolicy
• storage.buckets.list

The customer also needs to provide Bishop Fox with the WIF credentials file that is exported to gcp-wif-config.json during the terraform run.

Lastly, Bishop Fox requires the customer GCP Organization ID which can be retrieved using the following command:

gcloud organizations list

For more information about Workload Identity Federation best practices and requirements please see documenation here

About

This repo provides a terraform module for customers looking to implement Google Cloud connector support for Bishop Fox Cosmos

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

Release 1.1.0 Latest
Feb 22, 2024
+ 1 release

Packages

No packages published

Contributors 2

Languages