feat(serviceAccount): GCP service account shell script [ENG-44162] (#1)

* pushing shell script and readme [ENG-44162]

* chore(documentation): update README.md

* correct readme file  [ENG-44162]

* delete tf files [ENG-44162]

* chore(documentation): update README.md

* get rid of for user access review from readme [ENG-44162]

* chore(documentation): update README.md

* revert readme changes [ENG-44162]

* delete github actions [ENG-44162]

* little changes on readme [ENG-44162]

* remove codeowners [ENG-44162]

* add drata_role_name variable [ENG-44162]

* readme file changes [ENG-44162]

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: tonygc

.github/workflows/documentation-generator.yml

@@ -1,37 +0,0 @@
-# Local .terraform directories
-**/.terraform/*
-
-# lockfile
-.terraform.lock.hcl
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc

.github/workflows/linter.yml

@@ -1,49 +1,18 @@
-# Terraform Module Template
+# gcp-shell-drata-setup
 
-**Next steps**
-1. Update the top section of this file to tell people about this module.
-2. Update `versions.tf` to include the required providers for the module.
-3. Add resources and variables to solve the problem.
-4. Add outputs for relevant details the consumer may want
-5. Add example uses to the bottom of this file
-6. Update the generated portion of this file using `terraform-docs .`
+Shell script to create the Drata Read Only service account.
 
+## Usage
 
-<!-- BEGIN_TF_DOCS -->
-## Requirements
+The following steps demonstrate how to connect GCP in Drata when using this script.
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_null"></a> [null](#provider\_null) | n/a |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [null_resource.nope](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| <a name="output_nope"></a> [nope](#output\_nope) | TODO: Remove this and add your own outputs |
-| <a name="output_true"></a> [true](#output\_true) | n/a |
-<!-- END_TF_DOCS -->
-
-## Examples
-
-**TODO:** Add examples here
+1. Navigate to the Cloud Shell terminal in your GCP account using the following link: [https://console.cloud.google.com/welcome?cloudshell=true](https://console.cloud.google.com/welcome?cloudshell=true).
+2. Click the `Open editor` button at the top of the terminal to navigate to your editor.
+3. Create a file with `.sh` extension in the root directory i.e. `drata.sh`.
+4. Copy the content of the `gcp-drata-script.sh` from this project and paste it in the newly created file.
+5. Click the `Open terminal` button at the top of  the editor to navigate back to your terminal, run the following commands.
+   1. `chmod +x drata.sh` to give it execution permissions.
+   2. `./drata.sh` to run the script.
+6. After the process finishes, navigate back to your editor and download the `drata-key-file.json` file.
+7. In the Drata app, go to the GCP connection drawer and select Upload File to upload the `drata-key-file.json` file.
+8. Select the `Save & Test Connection` button.

.gitignore

@@ -0,0 +1,173 @@
+# Script to create the drata custom roles and service account
+# The project to store the resources is the default per account
+
+set -e
+
+# Logging utilities
+prefix="[ Drata ]"
+
+# Resource names
+drata_role_name="DrataReadOnly"
+serviceAccountId="${drata_role_name,,}"
+projectRole="${drata_role_name}ProjectRole"
+organizationRole="${drata_role_name}OrganizationalRole"
+
+# check google cloud shell
+if ! command -v gcloud &>/dev/null; then
+  printf "${prefix} [ERROR] Please run this script within a Google Cloud Console Shell,\n consult https://cloud.google.com/shell/docs/run-gcloud-commands for help\n"
+  exit
+fi
+
+printf "${prefix} Getting project info...🔎 \n\n"
+
+# get account's default project
+projectId=$(
+    gcloud config get-value project
+)
+if [ -z "${projectId}" ]
+then
+    printf "${prefix} The default project is unset, please check the configuration...❌ \n\n"
+    exit;
+fi
+
+# validate if the projectId is valid
+# get project name
+projectName=$(
+  gcloud projects list --format="value(name)" --filter="id=$projectId"
+)
+
+# if, by mistake, the user set himself an invalid project, it won't be found
+if [ -z "${projectName}" ]
+then
+    printf "${prefix} Project '${projectId}' is not found, please check the configuration...❌ \n\n"
+    exit;
+fi
+
+printf "\n${prefix} Enabling services...🛜 \n"
+gcloud services enable compute.googleapis.com cloudresourcemanager.googleapis.com admin.googleapis.com \
+sqladmin.googleapis.com monitoring.googleapis.com --no-user-output-enabled 
+printf "${prefix} Necessary services enabled 🚀 \n\n"
+
+serviceAccountEmail="${serviceAccountId}@${projectId}.iam.gserviceaccount.com";
+# get ancestors of the project
+projectAncestorsInfo=$(gcloud projects get-ancestors $projectId --format='value[terminator="~",separator=","](type,id)')
+# convert projectAncestorsInfo to array below
+IFS='~'; read -r -a ancestorsArray <<< "$projectAncestorsInfo"
+
+# iterate ancestors to get the organization
+for ancestor in ${ancestorsArray[@]}; do
+  IFS=','; read -r -a ancestorValues <<< "$ancestor";
+  type=${ancestorValues[0]};
+  if [ $type == "organization" ]; then
+    organizationId=${ancestorValues[1]};
+  fi
+done
+
+organizationName='No organization';
+if [ -n "$organizationId" ]; then
+  # get organization's name
+  organizationName=$(
+    gcloud organizations list --format="value(displayName)" --filter="name=organizations/$organizationId"
+  )
+fi
+
+printf "${prefix} Creating resources at ${organizationName}/${projectName}...🚀 \n"
+
+# *****************************
+# START CREATING RESOURCES ==>
+# *****************************
+
+# ===========================
+# Custom Project Role
+# ===========================
+printf "\n${prefix} Checking custom role...\n";
+# Verify if the role exists already
+projectRoleInfo=$(
+    gcloud iam roles list --show-deleted --project=$projectId --filter="name=projects/${projectId}/roles/${projectRole}" --format="value[separator=','](name,deleted)"
+);
+if [ -z "${projectRoleInfo}" ]
+then
+    gcloud iam roles create $projectRole --project=$projectId --title="Drata Read-Only Project Role" --description="Service Account for Drata Autopilot to get read access to all project resources" --stage="GA"  --no-user-output-enabled;
+else
+    # check if the role is on deleted state
+    IFS=','; read -r -a projectRoleArray <<< "$projectRoleInfo"
+    isRoleDeleted=${projectRoleArray[1]};
+    if [ -n "${isRoleDeleted}" ]
+    then
+        printf "${prefix} The role was deleted before, undeleting '${projectRole}' custom role to be available now...\n";
+        gcloud iam roles undelete $projectRole --project=$projectId --no-user-output-enabled
+    fi
+fi
+printf "${prefix} '${projectRole}' custom role has been created 🚀\n";
+
+# Update permissions and stage
+gcloud iam roles update $projectRole --project=$projectId --permissions="\
+storage.buckets.get,\
+storage.buckets.getIamPolicy" --no-user-output-enabled --stage=GA 
+
+# ===========================
+# Custom Organization Role
+# ===========================
+printf "\n${prefix} Checking organization role...\n";
+# Verify if the role exists previously
+organizationRoleInfo=$(
+  gcloud iam roles list --show-deleted --organization=$organizationId --filter="name=organizations/${organizationId}/roles/${organizationRole}" --format="value[separator=','](name,deleted)"
+);
+if [ -z "${organizationRoleInfo}" ]
+then
+    gcloud iam roles create $organizationRole --organization=$organizationId --title="Drata Read-Only Organizational Role" --description="Service Account with read-only access for Drata Autopilot to get organizational IAM data." --stage="GA" --no-user-output-enabled
+else
+    # check if the role is on deleted state
+    IFS=','; read -r -a organizationRoleArray <<< "$organizationRoleInfo"
+    isRoleDeleted=${organizationRoleArray[1]};
+    if [ -n "${isRoleDeleted}" ]
+    then
+        printf "${prefix} The role was deleted before, undeleting '${organizationRole}' custom role to be available now...\n";
+        gcloud iam roles undelete $organizationRole --organization=$organizationId --no-user-output-enabled
+    fi
+fi
+printf "${prefix} '${organizationRole}' organization role has been created 🚀\n";
+
+# Update permissions and stage
+gcloud iam roles update $organizationRole --organization=$organizationId --permissions="\
+resourcemanager.organizations.getIamPolicy,\
+storage.buckets.get,\
+storage.buckets.getIamPolicy" --no-user-output-enabled
+
+# ===========================
+# Service Account
+# ===========================
+printf "\n${prefix} Checking service account...\n";
+# Check if the service account already exists
+serviceAccountInfo=$(
+  gcloud iam service-accounts list --filter="email=${serviceAccountEmail}" --format="value[separator=','](email,projectId)"
+)
+if [ -z "$serviceAccountInfo" ]
+then
+  gcloud iam service-accounts create ${serviceAccountId} --project="$projectId" --display-name="${serviceAccountId}" --description="Service Account with read-only access for Drata Autopilot" --no-user-output-enabled;
+else
+  gcloud iam service-accounts update ${serviceAccountEmail} --project="$projectId" --display-name="${serviceAccountId}" --description="Service Account with read-only access for Drata Autopilot" --no-user-output-enabled;
+fi
+printf "${prefix} '${serviceAccountId}' service account has been created 🚀\n";
+# Create json key file
+printf "\n${prefix} Generating json key file...\n";
+(gcloud iam service-accounts keys create ./drata-key-file.json --iam-account=${serviceAccountEmail} --project="$projectId" --no-user-output-enabled &&
+printf "${prefix} Key file has been generated 🚀\n\n";)\
+|| printf "${prefix} Expected error, Please delete a key from the service account and run this script again. A max of 10 keys is supported per service account ❌\n\n"
+
+# ===========================
+# Assignments
+# ===========================   
+# Assing project custom role
+printf "${prefix} Assigning project custom role to service account...\n";
+gcloud projects add-iam-policy-binding $projectId --member="serviceAccount:${serviceAccountEmail}" --role="projects/${projectId}/roles/${projectRole}" --no-user-output-enabled
+# Assing organization custom role
+printf "\n${prefix} Assigning organization custom role to service account...\n";
+gcloud organizations add-iam-policy-binding $organizationId --member="serviceAccount:${serviceAccountEmail}" --role="organizations/${organizationId}/roles/${organizationRole}" --no-user-output-enabled
+# Assing viewer/role
+printf "\n${prefix} Assigning viewer/role to service account...\n";
+gcloud projects add-iam-policy-binding $projectId --member="serviceAccount:${serviceAccountEmail}" --role="roles/viewer" --no-user-output-enabled
+
+# ===========================
+printf "\n${prefix} Done! Service Account '${serviceAccountId}' has been granted ✅\n"
+# ===========================