Merge pull request #4 from BishopFox/CMS-199-automate-additional-steps

CMS-199 automate additional steps
BishopFox · Feb 22, 2024 · 25ae029 · 25ae029
2 parents d1ff2d9 + f5c6bd2
commit 25ae029
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -43,23 +43,7 @@ _Custom Role_ permissions:
 • storage.buckets.list
 ```
 
-The customer also needs to provide Bishop Fox with the WIF credentials file that is exported using the following command:
-
-```bash
-gcloud iam workload-identity-pools create-cred-config \
-projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
-    --service-account=SERVICE_ACCOUNT_EMAIL \
-    --aws \
-    --enable-imdsv2 \
-    --output-file=FILEPATH.json
-
-Replace the following values:
-• PROJECT_NUMBER: The project number of the project that contains the workload identity pool
-• POOL_ID: The ID of the workload identity pool, ex. bfidentitypool
-• PROVIDER_ID: The ID of the workload identity pool provider, ex. bfawsprovider
-• SERVICE_ACCOUNT_EMAIL: The email address of the service account
-• FILEPATH: The file to save configuration to
-```
+The customer also needs to provide Bishop Fox with the WIF credentials file that is exported to gcp-wif-config.json during the terraform run.
 
 Lastly, Bishop Fox requires the customer GCP Organization ID which can be retrieved using the following command:
 

diff --git a/main.tf b/main.tf
@@ -53,6 +53,13 @@ resource "google_service_account_iam_policy" "bishopfox" {
   depends_on         = [google_service_account.bishopfox]
 }
 
+resource "null_resource" "bishopfox" {
+  provisioner "local-exec" {
+    command = "gcloud iam workload-identity-pools create-cred-config projects/${var.projectNumber}/locations/global/workloadIdentityPools/${var.poolID}/providers/${var.providerID} --service-account=${google_service_account.bishopfox.email} --aws --enable-imdsv2 --output-file=gcp-wif-config.json --quiet"
+  }
+  depends_on = [google_iam_workload_identity_pool_provider.bishopfox]
+}
+
 
 
 

diff --git a/outputs.tf b/outputs.tf
@@ -16,3 +16,8 @@ output "service_account" {
   sensitive   = false
 }
 
+# output value of exportet WIF credential config file
+output "gcp_wif_config" {
+  value = file("gcp-wif-config.json")
+}
+