Skip to content

GCP Terraform Onboarding (Automated)

This method allows you to onboard SailPoint Entro to GCP using Terraform for automated, repeatable configuration.

15KB
SailPoint Entro GCP Terraform onboarding.zip
archive

Overview

Download the provided Terraform files, update variables, and execute as instructed. This setup automates enabling services, service account creation, role assignment, and audit log configuration for SailPoint Entro's GCP integration.

At the end of the process, you will have a configuration you can paste into SailPoint Entro's onboarding form.

How it works

Alongside the code, 3 var files variations are supplied, to be used for following options -

  1. Enable Services Only - for creating the service account and key/WIF configuration yourself. This will save you the trouble of enabling all the required APIs for each project manually.
  2. Create a service account and enable services - creates a new service account that will be used for SailPoint Entro integration.
  3. Create WIF, Service account and enable services - in addition to creating a service account and enabling services - it creates a WIF configuration for SailPoint Entro's access (See more info under the WIF subsection)

Note

We recommend using the same var file when onboarding/refreshing projects, as usage of different var files could cause undesired results of tearing down resources.

When choosing to enable services, onboarding a new project to SailPoint Entro can be simply done by re-running the same terraform as previously used and the same var file. Terraform will pick up on the changes and update the service account SailPoint Entro uses.

  1. Prepare the project

    Select a project to create the service account in.

    Once selected, enable Cloud Resource Manager API, IAM API, Cloud Asset API, and Service Usage API in the project. These apis are required by Terraform to operate.

  2. Prepare Variables

    Inside the var file corresponding with the onboarding option you choose, fill in values as needed:

    selected var file.tfvars

    organization_domain  = "Your orgnization Domain"
    project              = "Your selected onboarding project ID"
    region               = "us-central1"
    zone                 = "us-central1-a"
    service_account_name = "Choose a name for your service account (all small letters)"
    

    Note

    Notice this step is different in WIF. In WIF, you need to supply an AWS account and role as well.

  3. Configure the onboarding project as your local project for Gcloud CLI

    run gcloud auth login --update-adc --project=<onboarding-project-name>

  4. Remote Terraform State (optional)

    If using GCP for remote Terraform state, you must configure it in backend.tf. We recommend using a remote state in order to keep a common source of truth of the Terraform state.

    Create a storage bucket in the same project (for example: onboarding-terraform-state-123) and configure your backend in **backend.tf** to point to that bucket so Terraform stores the state remotely under the specified key as a file.

  5. Initialize and Apply Terraform

    Run the following commands from the Terraform directory:

    Commands

    terraform init
    terraform apply -var-file tf-var-files/<your file name here>.tfvars
    

    Review the changes and click y if you want to apply. Terraform will align local and remote states and create/modify/destroy the resources defined in the configuration, using the variable values you provided.

  6. What configuration did you choose?

    If you chose Enable Services Only, you've just completed the API enablement step in the manual onboarding. If you want to continue with manual onboarding, you can stop here.

    To create everything using Terraform, complete the below steps. For WIF onboarding, proceed to the WIF manual for Terraform.

  7. Verify Resources

    After completion:

    • Confirm that the service account and roles were created in GCP.

    • Ensure audit logs are enabled for the selected services.

  8. Onboard to SailPoint Entro

    Proceed to GCP Service Accounts Page

    Select your newly created service account

    Click Add Key, create a new key, and copy the JSON file contents.

    Navigate to SailPoint Entro accounts page, click on GCP, and paste the new key into the onboarding form (notice the different options for json key and WIF)

    Note

    Note that this step differs in WIF. In WIF, the key is printed to your terminal and is ready to paste into the Enrto Onboarding.

  9. Enabling API's asynchronously

    Notice the variable named create_enforcer.

    If its value is set to true, a cron job will be created to run a cloud function to iterate over all projects every hour and ensure that the required APIs are enabled.

    In order to create the enforcer, you must have the hosting project connected to a billing account and Cloud Functions and Service Usage APIs enabled.

    Once you've set create_enforcer = true, you can set enforcer_only = true as well in order to enable APIs using the function only, as opposed to Terraform, which could be time-consuming on large environments.

    Note

    When setting use_billing_required_services=true, some projects might fail updating because billing is not set for them. You can set use_billing_required_services=false to verify the rest of the onboarding is successful before setting up billing required services.