@tonygc (Contributor) commented Mar 29, 2024

This module automates the steps needed to create a service account in the customer's GCP workspace.

This devops PR explains what it does in a better way: #158.

Check this help article if needed: https://help.drata.com/en/articles/4994112-gcp-connection-details.

The readme file looks like this:

gcp-terraform-drata-setup

GCP terraform module to create the Drata Read Only service account.

Example Usage

The example below uses ref=main (which is appended in the URL), but it is recommended to use a specific tag version (e.g. ref=1.0.0) to avoid breaking changes. Go to the releases page for a list of published versions.

Replace YOUR_ORGANIZATION_DOMAIN with the organization domain, e.g. your_org.com.

module "service_account_creation" {
  source = "git::https://github.com/drata/gcp-terraform-drata-setup.git?ref=main"
  gcp_org_domain = "YOUR_ORGANIZATION_DOMAIN"
  # gcp_project_id = "YOUR_PROJECT_ID" # if it's unset, the project by default is used
  # drata_role_name = "YOUR_ROLE_NAME" # if it's unset, the default name is DrataReadOnly
}

output "drata_service_account_key" {
  value = module.service_account_creation.drata_service_account_key
  description = "Service Account Key"
  sensitive = true
}

After you apply this Terraform, run the following command to retrieve the key file drata-gcp-private-key.json:

terraform output -raw drata_service_account_key > drata-gcp-private-key.json

Setup

The following steps demonstrate how to connect GCP in Drata when using this terraform module.

  1. Add the code above to your terraform project.
  2. Make sure the service account used to authenticate this script has the roles Organization Administrator, Service Account Admin, Service Account Key Admin and Service Usage Admin.
  3. Replace main in ref=main with the latest version from the releases page.
  4. Replace YOUR_ORGANIZATION_DOMAIN with the GCP organization domain.
  5. Replace YOUR_PROJECT_ID if the desired project is not the default project in your organization.
  6. Replace the given drata_role_name if you don't want the role added to be the default: DrataReadOnly.
  7. Back in your terminal, run terraform init to download/update the module.
  8. Run terraform apply and, IMPORTANT, review the plan output before typing yes.
  9. If successful, run the command to generate the json key file
    • terraform output -raw drata_service_account_key > drata-gcp-private-key.json
  10. Verify the file has been generated.
  11. Go to the GCP connection drawer and select Upload File to upload the drata-gcp-private-key.json file.
  12. Select the Save & Test Connection button.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.0 |
| google | 5.16.0 |

Providers

| Name | Version |
|------|---------|
| google | 5.16.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_organization_iam_custom_role.drata_org_role | resource |
| google_organization_iam_member.organization | resource |
| google_project_iam_custom_role.drata_project_role | resource |
| google_project_iam_member.drata_member_project_role | resource |
| google_project_iam_member.drata_viewer_role | resource |
| google_project_service.services | resource |
| google_service_account.drata | resource |
| google_service_account_key.drata_key | resource |
| google_organization.gcp_organization | data source |
| google_project.gcp_project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| drata_role_name | Role name. | string | "DrataReadOnly" | no |
| gcp_org_domain | GCP Organization domain. | string | n/a | yes |
| gcp_project_id | Project identifier of the GCP organization. If it is not provided, the provider project is used. | string | null | no |
| gcp_services | List of services to enable. | list(string) | ["cloudresourcemanager.googleapis.com", "compute.googleapis.com", "admin.googleapis.com", "sqladmin.googleapis.com", "monitoring.googleapis.com"] | no |

Outputs

| Name | Description |
|------|-------------|
| drata_service_account_key | Service Account Key |

@tonygc tonygc requested a review from a team as a code owner March 29, 2024 23:46
@tonygc tonygc requested review from Jason-Drata and camlough April 2, 2024 17:56
@AngelRocaDrata AngelRocaDrata merged commit 1930639 into main Apr 5, 2024
@AngelRocaDrata AngelRocaDrata deleted the ENG-44162/be-store-script-on-github-repo branch April 5, 2024 22:07