Last active
September 14, 2023 11:28
-
-
Save lox/80a1572fe4b1cb2f9ed348635fe9b45a to your computer and use it in GitHub Desktop.
Drata Integration for GCP in Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://help.drata.com/en/articles/4994112-gcp-connection-details | |
| # Create a new project for Drata Integration | |
| resource "google_project" "drata" { | |
| name = var.project_name | |
| project_id = var.project_id | |
| org_id = var.org_id | |
| billing_account = var.billing_account_id | |
| auto_create_network = false | |
| } | |
| resource "google_project_service" "project_services" { | |
| project = google_project.drata.project_id | |
| for_each = toset([ | |
| "compute.googleapis.com", | |
| "cloudresourcemanager.googleapis.com", | |
| "admin.googleapis.com", | |
| "sqladmin.googleapis.com", | |
| "monitoring.googleapis.com" | |
| ]) | |
| service = each.key | |
| } | |
| # Create a custom Project Role for Drata within the new project | |
| resource "google_project_iam_custom_role" "drata_project_role" { | |
| role_id = "DrataReadOnlyProjectRole" | |
| project = google_project.drata_project.project_id | |
| title = "Drata Read-Only Project Role" | |
| description = "Service Account for Drata Autopilot to get read access to all project resources" | |
| permissions = ["storage.buckets.get", "storage.buckets.getIamPolicy"] | |
| } | |
| # Create a service account in the Drata project | |
| resource "google_service_account" "drata_service_account" { | |
| account_id = "drata-service-account" | |
| display_name = "Service Account with read-only access for Drata Autopilot" | |
| project = google_project.drata_project.project_id | |
| } | |
| # Assign the 'Viewer' role to the service account | |
| resource "google_project_iam_member" "drata_viewer_role" { | |
| project = google_project.drata_project.project_id | |
| role = "roles/viewer" | |
| member = "serviceAccount:${google_service_account.drata_service_account.email}" | |
| } | |
| # Assign the custom Project Role to the service account | |
| resource "google_project_iam_member" "drata_custom_role" { | |
| project = google_project.drata_project.project_id | |
| role = google_project_iam_custom_role.drata_project_role.id | |
| member = "serviceAccount:${google_service_account.drata_service_account.email}" | |
| } | |
| # Generate a JSON key for the service account and save it locally | |
| resource "google_service_account_key" "drata_service_account_key" { | |
| service_account_id = google_service_account.drata_service_account.name | |
| public_key_type = "TYPE_JSON" | |
| } | |
| # Create a custom Organization Role for Drata | |
| resource "google_organization_iam_custom_role" "drata_org_role" { | |
| role_id = "DrataReadOnlyOrganizationalRole" // Role ID as specified | |
| org_id = var.org_id | |
| title = "Drata Read-Only Organizational Role" | |
| description = "Service Account with read-only access for Drata Autopilot to get organizational IAM data" | |
| permissions = [ | |
| "resourcemanager.organizations.getIamPolicy", | |
| "storage.buckets.get", | |
| "storage.buckets.getIamPolicy" | |
| ] | |
| } | |
| # Assign the custom Organization Role to the service account | |
| resource "google_organization_iam_member" "drata_org_iam_member" { | |
| org_id = var.org_id | |
| role = google_organization_iam_custom_role.drata_org_role.id | |
| member = "serviceAccount:${google_service_account.drata_service_account.email}" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment