Skip to content

Commit 22dd671

Browse files
aidyaidy
committed
Add example usage for GCP WIF
1 parent 48cb468 commit 22dd671

File tree

2 files changed

+195
-0
lines changed

2 files changed

+195
-0
lines changed

docs/resources/cloudprovider_gcp.md

Lines changed: 114 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,114 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "tlspc_cloudprovider_gcp Resource - tlspc"
4+
subcategory: ""
5+
description: |-
6+
7+
---
8+
9+
# tlspc_cloudprovider_gcp (Resource)
10+
11+
12+
13+
## Example Usage
14+
15+
```terraform
16+
provider "google" {
17+
project = "$PROJECT_NAME"
18+
region = "europe-west1"
19+
}
20+
21+
resource "google_project_iam_custom_role" "tlspc" {
22+
role_id = "tlspc_wif"
23+
title = "TLSPC Integration"
24+
description = "Permissions granted to TLSPC"
25+
permissions = [
26+
"certificatemanager.certs.create",
27+
"certificatemanager.certs.get",
28+
"certificatemanager.certs.list",
29+
"certificatemanager.certs.update",
30+
"certificatemanager.locations.list",
31+
"certificatemanager.operations.get",
32+
"resourcemanager.projects.get"
33+
]
34+
}
35+
36+
resource "google_service_account" "tlspc" {
37+
account_id = "venafi-tlspc-wif"
38+
display_name = "Venafi TLSPC Workload Identity"
39+
}
40+
41+
resource "google_project_iam_member" "tlspc_wif" {
42+
project = "$PROJECT_NAME"
43+
role = resource.google_project_iam_custom_role.tlspc.id
44+
member = resource.google_service_account.tlspc.member
45+
}
46+
47+
resource "google_iam_workload_identity_pool" "tlspc" {
48+
workload_identity_pool_id = "venafi-workload-pool"
49+
display_name = "Venafi TLSPC Pool"
50+
description = "Venafi Workload Identity Pool"
51+
}
52+
53+
resource "google_project_service" "enable_cloud_resource_manager_api" {
54+
service = "cloudresourcemanager.googleapis.com"
55+
}
56+
57+
data "google_project" "project" {
58+
}
59+
60+
resource "google_project_iam_member" "tlspc_wi_user" {
61+
project = "$PROJECT_NAME"
62+
role = "roles/iam.workloadIdentityUser"
63+
member = "principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id}/subject/venafi_control_plane"
64+
}
65+
66+
data "tlspc_user" "owner" {
67+
email = "admin@admin.com"
68+
}
69+
70+
resource "tlspc_team" "team" {
71+
name = "TF WIF"
72+
role = "PLATFORM_ADMIN"
73+
owners = [data.tlspc_user.owner.id]
74+
}
75+
76+
resource "google_iam_workload_identity_pool_provider" "tlspc" {
77+
workload_identity_pool_id = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
78+
workload_identity_pool_provider_id = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.workload_identity_pool_provider_id
79+
display_name = "Venafi TLSPC"
80+
description = "Venafi WIF Pool Provider"
81+
attribute_mapping = {
82+
"google.subject" = "assertion.sub"
83+
}
84+
oidc {
85+
issuer_uri = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.issuer_url
86+
}
87+
}
88+
89+
resource "tlspc_cloudprovider_gcp" "gcp-cloudprovider" {
90+
name = "terraform-wif"
91+
team = resource.tlspc_team.team.id
92+
service_account_email = resource.google_service_account.tlspc.email
93+
project_number = data.google_project.project.number
94+
workload_identity_pool_id = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
95+
workload_identity_pool_provider_id = "venafi-provider"
96+
}
97+
```
98+
99+
<!-- schema generated by tfplugindocs -->
100+
## Schema
101+
102+
### Required
103+
104+
- `name` (String)
105+
- `project_number` (Number)
106+
- `service_account_email` (String)
107+
- `team` (String)
108+
- `workload_identity_pool_id` (String)
109+
- `workload_identity_pool_provider_id` (String)
110+
111+
### Read-Only
112+
113+
- `id` (String) The ID of this resource.
114+
- `issuer_url` (String)

examples/resources/tlspc_cloudprovider_gcp/resource.tf

Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
provider "google" {
2+
project = "$PROJECT_NAME"
3+
region = "europe-west1"
4+
}
5+
6+
resource "google_project_iam_custom_role" "tlspc" {
7+
role_id = "tlspc_wif"
8+
title = "TLSPC Integration"
9+
description = "Permissions granted to TLSPC"
10+
permissions = [
11+
"certificatemanager.certs.create",
12+
"certificatemanager.certs.get",
13+
"certificatemanager.certs.list",
14+
"certificatemanager.certs.update",
15+
"certificatemanager.locations.list",
16+
"certificatemanager.operations.get",
17+
"resourcemanager.projects.get"
18+
]
19+
}
20+
21+
resource "google_service_account" "tlspc" {
22+
account_id = "venafi-tlspc-wif"
23+
display_name = "Venafi TLSPC Workload Identity"
24+
}
25+
26+
resource "google_project_iam_member" "tlspc_wif" {
27+
project = "$PROJECT_NAME"
28+
role = resource.google_project_iam_custom_role.tlspc.id
29+
member = resource.google_service_account.tlspc.member
30+
}
31+
32+
resource "google_iam_workload_identity_pool" "tlspc" {
33+
workload_identity_pool_id = "venafi-workload-pool"
34+
display_name = "Venafi TLSPC Pool"
35+
description = "Venafi Workload Identity Pool"
36+
}
37+
38+
resource "google_project_service" "enable_cloud_resource_manager_api" {
39+
service = "cloudresourcemanager.googleapis.com"
40+
}
41+
42+
data "google_project" "project" {
43+
}
44+
45+
resource "google_project_iam_member" "tlspc_wi_user" {
46+
project = "$PROJECT_NAME"
47+
role = "roles/iam.workloadIdentityUser"
48+
member = "principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id}/subject/venafi_control_plane"
49+
}
50+
51+
data "tlspc_user" "owner" {
52+
email = "admin@admin.com"
53+
}
54+
55+
resource "tlspc_team" "team" {
56+
name = "TF WIF"
57+
role = "PLATFORM_ADMIN"
58+
owners = [data.tlspc_user.owner.id]
59+
}
60+
61+
resource "google_iam_workload_identity_pool_provider" "tlspc" {
62+
workload_identity_pool_id = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
63+
workload_identity_pool_provider_id = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.workload_identity_pool_provider_id
64+
display_name = "Venafi TLSPC"
65+
description = "Venafi WIF Pool Provider"
66+
attribute_mapping = {
67+
"google.subject" = "assertion.sub"
68+
}
69+
oidc {
70+
issuer_uri = resource.tlspc_cloudprovider_gcp.gcp-cloudprovider.issuer_url
71+
}
72+
}
73+
74+
resource "tlspc_cloudprovider_gcp" "gcp-cloudprovider" {
75+
name = "terraform-wif"
76+
team = resource.tlspc_team.team.id
77+
service_account_email = resource.google_service_account.tlspc.email
78+
project_number = data.google_project.project.number
79+
workload_identity_pool_id = resource.google_iam_workload_identity_pool.tlspc.workload_identity_pool_id
80+
workload_identity_pool_provider_id = "venafi-provider"
81+
}

0 commit comments

Comments
 (0)