GCP terraform module to create the Drata Read Only service account.

Make sure the service account that will run this terraform script has the following roles granted.

• Organization Administrator
• Organization Policy Administrator
• Organization Role Administrator
• Service Account Admin
• Service Account Key Admin
• Service Usage Admin

The example below uses ref=main (which is appended in the URL), but it is recommended to use a specific tag version (i.e. ref=1.0.0) to avoid breaking changes. Go to the release page for a list of published versions. releases page for a list of published versions.

Replace YOUR_ORGANIZATION_DOMAIN with the organization domain. i.e. your_org.com.

module "service_account_creation" {
  source = "git::https://github.com/drata/gcp-terraform-drata-setup.git?ref=main"
  gcp_org_domain = "YOUR_ORGANIZATION_DOMAIN"
  # gcp_project_id = "YOUR_PROJECT_ID" # if it's unset, the project by default is used
  # drata_role_name = "YOUR_ROLE_NAME" # if it's unset, the default name is DrataReadOnly
  # connect_multiple_projects = false # if it's unset, the default value is true
}

output "drata_service_account_key" {
  value = module.service_account_creation.drata_service_account_key
  description = "Service Account Key"
  sensitive = true
}

After you apply this terraform, run the following command to retrieve the key file drata-gcp-private-key.json

terraform output -raw drata_service_account_key > drata-gcp-private-key.json

1. Fixing FAILED_PRECONDITION: Key creation is not allowed on this service account (type: constraints/iam.disableServiceAccountKeyCreation) issue.
   • Go to the IAM Organization Policies page.
   • Make sure the project where the service account will be stored is selected top left in the console.
   • Type Disable service account key creation on the 🔽 Filter bar and select the policy.
   • Click over 📝 MANAGE POLICY button.
   • Go to Policy source and select the Override parent's policy option.
   • Scroll down a little and open up the Enforced rule.
   • Make sure the Enforcement section is Off.
   • Click SET POLICY to save changes.
   • Run this script again.

The following steps demonstrate how to connect GCP in Drata when using this terraform module.

1. Add the code above to your terraform project.
2. Make sure the service account to authenticate this script has the roles Organization Administrator, Service Account Admin, Service Account Key Admin and Service Usage Admin.
3. Replace main in ref=main with the latest version from the releases page.
4. Replace YOUR_ORGANIZATION_DOMAIN with the GCP organization domain.
5. Replace YOUR_PROJECT_ID if the desired project is not the default project in your organization.
6. Replace the given drata_role_name if you don't want the role added to be the default: DrataReadOnly.
7. If you don't wish to connect multiple projects to Drata the connect_multiple_projects variable must be false otherwise true or unset.
8. Back in your terminal, run terraform init to download/update the module.
9. Run terraform apply and IMPORTANT review the plan output before typing yes.
10. If successful, run the command to generate the json key file
    • terraform output -raw drata_service_account_key > drata-gcp-private-key.json .
11. Verify the file has been generated.
12. Go to the GCP connection drawer and select Upload File to upload the drata-gcp-private-key.json file.
13. Select the Save & Test Connection button.

No modules.

[
  "cloudresourcemanager.googleapis.com",
  "compute.googleapis.com",
  "admin.googleapis.com",
  "sqladmin.googleapis.com",
  "monitoring.googleapis.com",
  "cloudasset.googleapis.com"
]