This article is more like quick HOWTO/QuickNote page to start using Terraform with GCP, grant required permission, connect Terraform to GSuite and create users and projects using Terraform.
Connect Terraform to GCP:
1. Download and install Google Cloud SDK: https://cloud.google.com/sdk/install
2. Initialize SDK gcloud init
This process will launch browser-based authorization flow https://cloud.google.com/sdk/docs/initializing
3. Use browser to create project, service account and download credentials: https://cloud.google.com/sdk/docs/authorizing Note: You need to have GCP billing account and payment method configured first. You can use cli as well:
gcloud projects list
gcloud beta billing accounts list
gcloud beta billing projects link infosec-gcp --billing-account 01122-74525-1222
gcloud config list
gcloud iam service-accounts create infosec-terraform --display-name "Infosec Terraform admin account"
gcloud iam service-accounts keys create ~/.config/gcloud/infosec-terraform-admin.json --iam-account infosec-terraform@infosec-gcp.iam.gserviceaccount.com
4. Give appropriate permissions to the Terraform:
get you organization id
gcloud organizations list
Enable iam api (yes you need to enable each api set you are planning to use with GCP, they are disabled by default) you can check what services are enabled using gcloud services list --available
gcloud services enable iam.googleapis.com
Check existing IAM policies in you org:
gcloud organizations get-iam-policy ORGANIZATION_ID
Grant all required permissions(example):
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/billing.user
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/owner
5. Start using terraform from my example to create project and grant access to it.
The only missing part is actually users.
Connecting Terraform to GSuite:
Why do we need GSuite at all? GCP does not provide you any built-in identity and rely on the user identities from Gmail, GSuite or Google Cloud Identity (+ service accounts)
As AWS user I do really love to have user/groups management and infra/project creation using the same automation tool. Unfortunately, user/GSuite functionality is not provided by GCP Terraform provider. Luckily, there is pretty nice open-sourced Terraform provider for GSuite writtend by DeviaVir: https://github.com/DeviaVir/terraform-provider-gsuite
At the moment when I tested it, some group membership functionality was still lacking idempotency, but using the way from my example everything started to work like a charm.
So the code finally:
https://github.com/IhorKravchuk/it-security/tree/master/GCP
PS.
Way more details and examples are in the articles below :
https://medium.com/@josephbleroy/using-terraform-with-google-cloud-platform-part-1-n-6b5e4074c059
https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform
https://cloud.google.com/community/tutorials/getting-started-on-gcp-with-terraform
Connect Terraform to GCP:
1. Download and install Google Cloud SDK: https://cloud.google.com/sdk/install
2. Initialize SDK gcloud init
This process will launch browser-based authorization flow https://cloud.google.com/sdk/docs/initializing
3. Use browser to create project, service account and download credentials: https://cloud.google.com/sdk/docs/authorizing Note: You need to have GCP billing account and payment method configured first. You can use cli as well:
gcloud projects list
gcloud beta billing accounts list
gcloud beta billing projects link infosec-gcp --billing-account 01122-74525-1222
gcloud config list
gcloud iam service-accounts create infosec-terraform --display-name "Infosec Terraform admin account"
gcloud iam service-accounts keys create ~/.config/gcloud/infosec-terraform-admin.json --iam-account infosec-terraform@infosec-gcp.iam.gserviceaccount.com
4. Give appropriate permissions to the Terraform:
get you organization id
gcloud organizations list
Enable iam api (yes you need to enable each api set you are planning to use with GCP, they are disabled by default) you can check what services are enabled using gcloud services list --available
gcloud services enable iam.googleapis.com
Check existing IAM policies in you org:
gcloud organizations get-iam-policy ORGANIZATION_ID
Grant all required permissions(example):
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/billing.user
gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member serviceAccount:infosec-terraform@infosec-gcp.iam.gserviceaccount.com --role roles/owner
5. Start using terraform from my example to create project and grant access to it.
The only missing part is actually users.
Connecting Terraform to GSuite:
Why do we need GSuite at all? GCP does not provide you any built-in identity and rely on the user identities from Gmail, GSuite or Google Cloud Identity (+ service accounts)
As AWS user I do really love to have user/groups management and infra/project creation using the same automation tool. Unfortunately, user/GSuite functionality is not provided by GCP Terraform provider. Luckily, there is pretty nice open-sourced Terraform provider for GSuite writtend by DeviaVir: https://github.com/DeviaVir/terraform-provider-gsuite
At the moment when I tested it, some group membership functionality was still lacking idempotency, but using the way from my example everything started to work like a charm.
So the code finally:
https://github.com/IhorKravchuk/it-security/tree/master/GCP
PS.
Way more details and examples are in the articles below :
https://medium.com/@josephbleroy/using-terraform-with-google-cloud-platform-part-1-n-6b5e4074c059
https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform
https://cloud.google.com/community/tutorials/getting-started-on-gcp-with-terraform
I really loved reading your blog. It was very well authored and easy to understand. Unlike other blogs I have read which are really not that good.Thanks alot! buy ig likes with paypal
ReplyDeleteVery interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. This article inspired me to read more. keep it up.
ReplyDeleteCorrelation vs Covariance
Simple linear regression
data science interview questions
Wow! This could be one particular of the most useful blogs We have ever arrive across on this subject. Basically Magnificent. I am also a specialist in this topic therefore I can understand your effort
ReplyDeleteCloud Business Management Software Suite
sentry mba Androrat Download. The best android RAT (remote-administration tool) introduced with a wide range of functions. It includes Androrat APK & Androrat Binder.
ReplyDeleteAs always your articles do inspire me. Every single detail you have posted was great. ExcelR PMP Certification
ReplyDeleteNetwork Timelapse with BlastRadius & Terraform
ReplyDeleteNetwork Time Lapse
BlastRadius
Terraform
modular terraform
hashicorp