# Workload Identity Pool that federates external (AWS) identities into GCP.
# The pool itself grants nothing: access is decided by the provider attached
# to it and by the IAM bindings that name the pool's principals.
resource "google_iam_workload_identity_pool" "bishopfox" {
  project                   = var.projectID
  workload_identity_pool_id = var.poolID
  display_name              = var.displayName
  description               = "managed by terraform"
  disabled                  = false
  # Provider-default create/update/delete timeouts apply (the exported
  # configuration spelled them out as explicit nulls, which is the same thing).
}
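# AWS provider for the pool. Only principals from var.AWS_accountID can exchange
# credentials here, and attribute_condition narrows that further to the two IAM
# roles that the service-account binding in this file names explicitly.
resource "google_iam_workload_identity_pool_provider" "bishopfox" {
  project = var.projectID
  # Reference the pool resource instead of var.poolID: Terraform then orders
  # creation implicitly (no depends_on needed) and replaces the provider if
  # the pool is ever replaced.
  workload_identity_pool_id          = google_iam_workload_identity_pool.bishopfox.workload_identity_pool_id
  workload_identity_pool_provider_id = var.providerID
  description                        = "managed by terraform"
  display_name                       = null
  disabled                           = false

  aws {
    account_id = var.AWS_accountID
  }

  # google.subject is the full caller ARN (for STS assumed roles this includes
  # the session name, so every session is a distinct subject). attribute.aws_role
  # is the role name parsed out of an "assumed-role/<role>/<session>" ARN and is
  # what the IAM bindings and the condition below key on.
  # NOTE(review): for ARNs that are not assumed-role ARNs (e.g. IAM users) the
  # extract() presumably yields an empty attribute, which the condition rejects.
  # NOTE(review): GCP limits the length of google.subject; very long role or
  # session names may fail the exchange -- verify against the WIF docs.
  attribute_mapping = {
    "google.subject"     = "assertion.arn"
    "attribute.account"  = "assertion.account"
    "attribute.aws_role" = "assertion.arn.extract('assumed-role/{role}/')"
  }

  # Reject the token exchange itself unless the caller assumed one of the two
  # expected roles. With the previous value (null) every identity in the AWS
  # account could obtain a federated token for this pool; this is the first of
  # two gates (the second is the IAM binding on the service account).
  attribute_condition = "attribute.aws_role in [\"${var.AWS_iamRole1}\", \"${var.AWS_iamRole2}\"]"
}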
# Service account that federated AWS workloads impersonate. It has no keys;
# access to it is granted only through the IAM policy defined in this file.
resource "google_service_account" "bishopfox" {
  project      = var.projectID
  account_id   = var.serviceAccountID
  display_name = var.serviceAccountDisplayName
  description  = "managed by terraform"
  disabled     = false
  # Provider-default create timeout applies (previously written as an explicit null).
}
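# Who may impersonate the service account: only the two named AWS roles, matched
# through the pool's attribute.aws_role claim, get roles/iam.workloadIdentityUser.
#
# The previous policy also listed the pool-wide principalSet ".../<pool>/*", which
# granted impersonation to EVERY identity the pool accepts and made the two
# role-specific members meaningless. That member is deliberately dropped here.
# If account-wide impersonation is genuinely intended, re-add it on purpose and
# document why, rather than alongside role-specific members.
resource "google_service_account_iam_policy" "bishopfox" {
  # Referencing the service account resource creates the dependency implicitly.
  service_account_id = google_service_account.bishopfox.id

  # This is an authoritative policy: any binding not listed here is removed.
  # jsonencode() avoids the hand-escaped JSON string and keeps the members list
  # reviewable; the principalSet prefix is built once and applied per role.
  policy_data = jsonencode({
    bindings = [
      {
        role = "roles/iam.workloadIdentityUser"
        members = [
          for role in [var.AWS_iamRole1, var.AWS_iamRole2] :
          "principalSet://iam.googleapis.com/projects/${var.projectNumber}/locations/global/workloadIdentityPools/${var.poolID}/attribute.aws_role/${role}"
        ]
      },
    ]
  })
}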
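# Generates the client-side credential configuration file for AWS workloads.
# The file holds no secrets: it only names the provider, the target service
# account and the AWS (IMDSv2) credential source. It is written into the
# directory `terraform apply` runs from, so keep it out of version control if
# that directory is a repo.
# NOTE(review): local-exec requires an installed and authenticated gcloud on
# the machine running apply; the variables are interpolated into a shell
# command, so they must be operator-controlled, not user input.
resource "null_resource" "bishopfox" {
  # A null_resource runs its provisioner only once unless a trigger changes.
  # Re-run whenever the provider or the service account the command embeds is
  # replaced, so the generated file cannot go stale. Referencing the provider's
  # name here also establishes the ordering that depends_on used to provide.
  triggers = {
    provider        = google_iam_workload_identity_pool_provider.bishopfox.name
    service_account = google_service_account.bishopfox.email
  }

  provisioner "local-exec" {
    command = "gcloud iam workload-identity-pools create-cred-config projects/${var.projectNumber}/locations/global/workloadIdentityPools/${var.poolID}/providers/${var.providerID} --service-account=${google_service_account.bishopfox.email} --aws --enable-imdsv2 --output-file=gcp-wif-config.json --quiet"
  }
}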