This repository has been archived by the owner on Jun 3, 2024. It is now read-only.

The `gcp-connector` module provisions the Workload Identity Federation resources that allow the Sym Runtime to access Google Cloud Platform resources.

symopsio/terraform-google-gcp-connector

gcp-connector

The gcp-connector module provisions the resources required for the Sym Runtime to access Google Cloud Platform resources via Workload Identity Federation.

Pre-requisites

To apply this module, the Google Cloud Platform Provider must be configured with credentials that have the permissions to:

  • Enable APIs in the Project where the Workload Identity Pool will be created
  • Create Workload Identity Pools and Providers
  • Create and manage Service Accounts

Example Usage

module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "~> 1.0"

  environment              = "production"
  identity_pool_project_id = "my-project-id"
  gcp_org_id               = "123456789"

  # Enable the Admin SDK API if managing Google Group membership
  enable_google_group_management = true
  
  # A list of Google Secret Manager secrets to which the Sym Runtime may have read-only access
  accessible_secrets = [google_secret_manager_secret.okta_api_key]
}

Caveats

Google Group Management

If using this module to set up the infrastructure that allows Sym to manage Google Group membership, you must additionally grant the Sym Service Account some permissions in your Google Workspace account.

To do so, create a custom Admin Role in the Google Workspace Admin Console and grant it to the Sym Service Account created by this module (the service_account output).

For detailed instructions on how to create this role manually in the Admin Console, please visit the main Sym docs.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.7 |
| google | >= 5.7.0 |
| sym | >= 2.0 |

Providers

| Name | Version |
|------|---------|
| google | >= 5.7.0 |
| sym | >= 2.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_iam_workload_identity_pool.sym_integration | resource |
| google_iam_workload_identity_pool_provider.sym_integration_aws_provider | resource |
| google_project_service.admin_sdk_api | resource |
| google_project_service.iam_api | resource |
| google_project_service.resource_manager_api | resource |
| google_project_service.secretmanager_api | resource |
| google_project_service.service_account_credentials_api | resource |
| google_project_service.sts_api | resource |
| google_secret_manager_secret_iam_member.secret_reader | resource |
| google_service_account.sym | resource |
| google_service_account_iam_member.this | resource |
| sym_integration.google_workload_identity_federation | resource |
| google_organization.this | data source |
| google_project.sym_integration | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| accessible_secrets | A list of google_secret_manager_secret objects to grant the Sym Integration read-only access to. | `list(object({ project = string, secret_id = string, name = string }))` | `[]` | no |
| enable_google_group_management | A boolean indicating whether to enable the Admin SDK API to allow the Sym Integration to manage Google Group membership. | `bool` | `false` | no |
| environment | An environment qualifier for the resources this module creates, e.g. staging or prod. | `string` | n/a | yes |
| gcp_org_id | The Organization ID of your Google Cloud Organization. | `any` | n/a | yes |
| identity_pool_project_id | The Project ID of the Google Cloud Project in which the Workload Identity Federation resources will be created. | `string` | n/a | yes |
| sym_account_id | The AWS account ID that can impersonate the created Google service account. Defaults to the Sym Production AWS account ID. | `string` | `"803477428605"` | no |
| sym_runtime_arn | The ARN of the Sym Runtime Role, which will be impersonating the created Google service account. Defaults to the Sym Production Runtime ARN. | `string` | `"arn:aws:sts::803477428605:assumed-role/phoenix-prod-runtime/phoenix-prod-runtime"` | no |

Outputs

| Name | Description |
|------|-------------|
| service_account | The Google Cloud Platform service account created by this module. See: google_service_account |
| sym_integration | The google Sym Integration created by this module. This Integration may be used to enable Google SDK methods in a Flow's implementation, or as part of a Google Access Strategy. See our main documentation for more information. |
| workload_identity_pool | The Workload Identity Pool created by this module. See: iam_workload_identity_pool |
| workload_identity_pool_provider | The Workload Identity Pool Provider created by this module. It is configured so that only the Sym AWS Runtime Role (sym_runtime_arn, in sym_account_id) can obtain credentials through the pool. See: iam_workload_identity_pool_provider |
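The security boundary this module creates is the pair of trust decisions above: which AWS account and role the pool provider accepts, and which federated identity is allowed to impersonate the service account. The following is an added post-apply check, not part of the gcp-connector module. It parses the JSON printed by `gcloud iam workload-identity-pools providers describe ... --format=json` and `gcloud iam service-accounts get-iam-policy ... --format=json` and reports when the provider trusts an unexpected AWS account, has no attribute condition pinning the runtime role, or when a `roles/iam.workloadIdentityUser` binding grants the whole pool (`principalSet://.../*`) rather than the Sym runtime identity. The sample documents, the pool name and the attribute condition are constructed for the example; the module's real attribute mapping and condition are not shown on this page.

```python
"""Post-apply check for the WIF trust boundary (added example, not module code)."""
import json

# Defaults from the module's inputs table.
SYM_ACCOUNT_ID = "803477428605"
SYM_RUNTIME_ARN = ("arn:aws:sts::803477428605:assumed-role/"
                   "phoenix-prod-runtime/phoenix-prod-runtime")
# Constructed: the pool resource name you would read from the workload_identity_pool output.
POOL_NAME = "projects/123456789012/locations/global/workloadIdentityPools/sym-integration"

# Constructed sample of `gcloud iam workload-identity-pools providers describe` output.
# The attributeCondition here is an assumption about what a tight provider looks like.
PROVIDER_JSON = json.dumps({
    "name": POOL_NAME + "/providers/sym-integration-aws-provider",
    "state": "ACTIVE",
    "aws": {"accountId": SYM_ACCOUNT_ID},
    "attributeMapping": {"google.subject": "assertion.arn",
                         "attribute.account": "assertion.account"},
    "attributeCondition": f"assertion.arn == '{SYM_RUNTIME_ARN}'",
})

# Constructed sample of `gcloud iam service-accounts get-iam-policy` output: a binding
# scoped to the single federated subject whose google.subject is the runtime ARN.
SA_POLICY_JSON = json.dumps({
    "bindings": [{
        "role": "roles/iam.workloadIdentityUser",
        "members": [f"principal://iam.googleapis.com/{POOL_NAME}/subject/{SYM_RUNTIME_ARN}"],
    }],
    "etag": "BwX...",
})

# Constructed sample of an over-broad policy: every identity the pool admits may impersonate.
WIDE_POLICY_JSON = json.dumps({
    "bindings": [{
        "role": "roles/iam.workloadIdentityUser",
        "members": [f"principalSet://iam.googleapis.com/{POOL_NAME}/*"],
    }],
})


def check_provider(provider_json, expected_account, expected_arn):
    """Return a list of findings for the pool provider; empty means it looks right."""
    p = json.loads(provider_json)
    findings = []
    if p.get("state") != "ACTIVE":
        findings.append(f"provider state is {p.get('state')!r}, not ACTIVE")
    account = p.get("aws", {}).get("accountId")
    if account != expected_account:
        findings.append(f"provider trusts AWS account {account!r}, expected {expected_account!r}")
    condition = p.get("attributeCondition", "")
    if not condition:
        # Without a condition, any role in the trusted AWS account can federate.
        findings.append("no attributeCondition: any role in the AWS account can federate")
    elif expected_arn not in condition:
        findings.append("attributeCondition does not reference the expected runtime ARN")
    return findings


def check_sa_policy(policy_json, pool_name, expected_arn):
    """Return findings for roles/iam.workloadIdentityUser bindings on the service account."""
    policy = json.loads(policy_json)
    findings = []
    members = [m for b in policy.get("bindings", [])
               if b.get("role") == "roles/iam.workloadIdentityUser"
               for m in b.get("members", [])]
    if not members:
        findings.append("no workloadIdentityUser binding: federation cannot impersonate the SA")
    pool_prefix = f"iam.googleapis.com/{pool_name}/"
    for m in members:
        if m.endswith("/*"):
            findings.append(f"{m}: grants every identity the pool admits")
        elif pool_prefix not in m:
            findings.append(f"{m}: member is outside {pool_name}")
        elif m.startswith("principal://") and not m.endswith("/subject/" + expected_arn):
            findings.append(f"{m}: subject is not the expected runtime ARN")
    return findings


if __name__ == "__main__":
    for f in check_provider(PROVIDER_JSON, SYM_ACCOUNT_ID, SYM_RUNTIME_ARN):
        print("provider:", f)
    for f in check_sa_policy(SA_POLICY_JSON, POOL_NAME, SYM_RUNTIME_ARN):
        print("policy:", f)
    for f in check_sa_policy(WIDE_POLICY_JSON, POOL_NAME, SYM_RUNTIME_ARN):
        print("wide policy:", f)
```

To run it against a real deployment, replace the constructed JSON with the output of the two `gcloud` commands for the pool provider and service account this module outputs, and set `POOL_NAME` from the workload_identity_pool output. A `principalSet://.../attribute.<name>/<value>` member is accepted as long as it stays inside the pool; only the whole-pool wildcard is flagged, so tighten the check if your policy should only ever name the single runtime subject.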
