This repo provides terraform code for customers looking to implement Google Cloud connector support for the Bishop Fox Cosmos platform.
There is a dependency on Workload Identity Federation (WIF) being enabled inside the designated project and values.tfvars or env variables must be filled out with values for the following variables related to said project:
- projectID
- projectNumber
Run the following command in order to retrive the current project number:
gcloud projects describe $(gcloud config get-value core/project) --format=value\(projectNumber\)Bishop Fox will provide the customer with the following variable values:
- AWS_accountID
- AWS_iamRole1
- AWS_iamRole2
Once the Workload Identity Pool, Workload Identity Pool AWS provider and [Connected] Service Account are provisioned you can add the service account as a principal with a Custom Role to IAM permissions of one or more GCP projects, at the folder-level or at the organization-level.
Custom Role permissions:
• compute.forwardingRules.get
• compute.forwardingRules.list
• compute.globalForwardingRules.get
• compute.globalForwardingRules.list
• compute.instances.get
• compute.instances.list
• compute.projects.get
• compute.regions.get
• compute.regions.list
• compute.zones.get
• compute.zones.list
• resourcemanager.projects.get
• resourcemanager.projects.list
• serviceusage.services.get
• serviceusage.services.list
• storage.buckets.getIamPolicy
• storage.buckets.listThe customer also needs to provide Bishop Fox with the WIF credentials file that is exported to gcp-wif-config.json during the terraform run.
Lastly, Bishop Fox requires the customer GCP Organization ID which can be retrieved using the following command:
gcloud organizations listFor more information about Workload Identity Federation best practices and requirements please see: https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds