This article is more like quick HOWTO/QuickNote page to start using Terraform with GCP, grant required permission, connect Terraform to GSuite and create users and projects using Terraform.
Connect Terraform to GCP:
1. Download and install Google Cloud SDK: https://cloud.google.com/sdk/install
2. Initialize SDK gcloud init
This process will launch browser-based authorization flow https://cloud.google.com/sdk/docs/initializing
3. Use browser to create project, service account and download credentials: https://cloud.google.com/sdk/docs/authorizing Note: You need to have GCP billing account and payment method configured first. You can use cli as well:
gcloud projects list
gcloud beta billing accounts list
gcloud beta billing projects link infosec-gcp --billing-account 01122-74525-1222
gcloud config list
gcloud iam service-accounts create infosec-terraform --display-name "Infosec Terraform admin account"
gcloud iam service-accounts keys create ~/.config/gcloud/infosec-terraform-admin.json --iam-account infosec-terraform@infosec-gcp.iam.gserviceaccount.com
4. Give appropriate permissions to the Terraform:
get you organization id
gcloud organizations list
Enable iam api (yes you need to enable each api set you are planning to use with GCP, they are disabled by default) you can check what services are enabled using gcloud services list --available
gcloud services enable iam.googleapis.com
Check existing IAM policies in you org:
gcloud organizations get-iam-policy ORGANIZATION_ID
Grant all required permissions(example):
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/billing.user
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/owner
5. Start using terraform from my example to create project and grant access to it.
The only missing part is actually users.
Connecting Terraform to GSuite:
Why do we need GSuite at all? GCP does not provide you any built-in identity and rely on the user identities from Gmail, GSuite or Google Cloud Identity (+ service accounts)
As AWS user I do really love to have user/groups management and infra/project creation using the same automation tool. Unfortunately, user/GSuite functionality is not provided by GCP Terraform provider. Luckily, there is pretty nice open-sourced Terraform provider for GSuite writtend by DeviaVir: https://github.com/DeviaVir/terraform-provider-gsuite
At the moment when I tested it, some group membership functionality was still lacking idempotency, but using the way from my example everything started to work like a charm.
So the code finally:
https://github.com/IhorKravchuk/it-security/tree/master/GCP
PS.
Way more details and examples are in the articles below :
https://medium.com/@josephbleroy/using-terraform-with-google-cloud-platform-part-1-n-6b5e4074c059
https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform
https://cloud.google.com/community/tutorials/getting-started-on-gcp-with-terraform
Connect Terraform to GCP:
1. Download and install Google Cloud SDK: https://cloud.google.com/sdk/install
2. Initialize SDK gcloud init
This process will launch browser-based authorization flow https://cloud.google.com/sdk/docs/initializing
3. Use browser to create project, service account and download credentials: https://cloud.google.com/sdk/docs/authorizing Note: You need to have GCP billing account and payment method configured first. You can use cli as well:
gcloud projects list
gcloud beta billing accounts list
gcloud beta billing projects link infosec-gcp --billing-account 01122-74525-1222
gcloud config list
gcloud iam service-accounts create infosec-terraform --display-name "Infosec Terraform admin account"
gcloud iam service-accounts keys create ~/.config/gcloud/infosec-terraform-admin.json --iam-account infosec-terraform@infosec-gcp.iam.gserviceaccount.com
4. Give appropriate permissions to the Terraform:
get you organization id
gcloud organizations list
Enable iam api (yes you need to enable each api set you are planning to use with GCP, they are disabled by default) you can check what services are enabled using gcloud services list --available
gcloud services enable iam.googleapis.com
Check existing IAM policies in you org:
gcloud organizations get-iam-policy ORGANIZATION_ID
Grant all required permissions(example):
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/billing.user
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/owner
5. Start using terraform from my example to create project and grant access to it.
The only missing part is actually users.
Connecting Terraform to GSuite:
Why do we need GSuite at all? GCP does not provide you any built-in identity and rely on the user identities from Gmail, GSuite or Google Cloud Identity (+ service accounts)
As AWS user I do really love to have user/groups management and infra/project creation using the same automation tool. Unfortunately, user/GSuite functionality is not provided by GCP Terraform provider. Luckily, there is pretty nice open-sourced Terraform provider for GSuite writtend by DeviaVir: https://github.com/DeviaVir/terraform-provider-gsuite
At the moment when I tested it, some group membership functionality was still lacking idempotency, but using the way from my example everything started to work like a charm.
So the code finally:
https://github.com/IhorKravchuk/it-security/tree/master/GCP
PS.
Way more details and examples are in the articles below :
https://medium.com/@josephbleroy/using-terraform-with-google-cloud-platform-part-1-n-6b5e4074c059
https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform
https://cloud.google.com/community/tutorials/getting-started-on-gcp-with-terraform
Innovative post! Thank you for posting the useful content and do well...
ReplyDeleteMVC Training in Chennai
Inplant Training in Chennai
Inplant Course in Chennai
Honestly speaking this blog is absolutely amazing in learning the subject that is building up the knowledge of every individual and enlarging to develop the skills which can be applied in to practical one. Finally, thanking the blogger to launch more further too.
ReplyDeleteData Analytics online course
Thanks for posting the best information and the blog is very helpful.data science interview questions and answers
ReplyDeleteBeing a travel blogger and lover, it was appealing and helpful for me. It is a strong article to portray this topic limits the readers to widen their horizon of accepted wisdom and power as they go through the article.
ReplyDeleteData Science training in Mumbai
Data Science course in Mumbai
SAP training in Mumbai
Very nice blogs!!! i have to learning for lot of information for this site…Sharing for wonderful information. Thanks for sharing this valuable information to our vision. You have posted a trust worthy blog keep sharing,
ReplyDeleteData Science Training in Hyderabad
Data Science Course in Hyderabad
Mua vé máy bay tại Aivivu, tham khảo
ReplyDeletevé máy bay đi Mỹ
giá vé máy bay pacific airlines đi hồ chí minh
vé bay hồ chí minh đi hà nội
đi máy bay ra đà lạt
có vé máy bay từ mỹ về việt nam chưa
taxi sân bay đi nội bài
combo quy nhơn flc
ReplyDeleteI was just examining through the web looking for certain information and ran over your blog.It shows how well you understand this subject. Bookmarked this page, will return for extra. data science course in vadodara
Wonderful blog found to be very impressive to come across such an awesome blog. I should really appreciate the blogger for the efforts they have put in to develop such an amazing content for all the curious readers who are very keen of being updated across every corner. Ultimately, this is an awesome experience for the readers. Anyways, thanks a lot and keep sharing the content in future too.
ReplyDeleteData Science Course in Bhilai
Impressive blog to be honest definitely this post will inspire many more upcoming aspirants. Eventually, this makes the participants to experience and innovate themselves through knowledge wise by visiting this kind of a blog. Once again excellent job keep inspiring with your cool stuff.
ReplyDeleteData Science Training in Bhilai
Extremely overall quite fascinating post. I was searching for this sort of data and delighted in perusing this one. Continue posting. A debt of gratitude is in order for sharing. data scientist course in delhi
ReplyDelete