Configure Chainguard service access.

Terraform module to connect Chainguard to your Google Cloud Platform project.

This module is needed to leverage certain service integrations from Chainguard.

Usage

This module binds a Chainguard IAM group to a GCP project.

data "google_project" "project" {
  project_id = var.project_id # You can omit this to use provider-defaults
}

module "chainguard-account-association" {
  source = "chainguard-dev/chainguard-account-association/gcp"

  group_ids  = [var.group_id]
  project_id = data.google_project.project.project_id
}

resource "chainguard_account_associations" "example" {
  name  = "example"
  group = var.group_id

  google {
    project_id     = data.google_project.project.project_id
    project_number = data.google_project.project.number
  }
}

How does it work?

Chainguard has an OIDC identity provider. This module configures your GCP project to recognize that OIDC identity provider and to allow certain tokens to bind to certain IAM roles.
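After applying a federation setup like this, it is worth confirming which tokens can actually reach which service accounts. The following is an added example, not part of this module or of Chainguard's code: it checks a workload identity pool provider and a service account IAM policy, as exported to JSON by `gcloud`, for an issuer outside your Chainguard environment and for impersonation bindings that are broader than the configured group IDs. The pool name, issuer URL, attribute name and group ID in the sample data are constructed, and the rule that a scoped member contains the group ID is an assumption about how bindings are written.

```python
from urllib.parse import urlparse

def audit(provider, sa_policy, environment, group_ids):
    """Return findings for one pool provider and one service account policy.

    provider:  JSON from `gcloud iam workload-identity-pools providers describe`
    sa_policy: JSON from `gcloud iam service-accounts get-iam-policy`
    """
    findings = []
    pool = provider["name"].split("/providers/")[0]
    issuer = provider.get("oidc", {}).get("issuerUri", "")
    url = urlparse(issuer)
    host = url.hostname or ""
    if url.scheme != "https" or not (host == environment or host.endswith("." + environment)):
        findings.append(f"issuer {issuer!r} is not https under {environment}")
    has_condition = bool(provider.get("attributeCondition"))
    for binding in sa_policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            scheme, _, rest = member.partition("://iam.googleapis.com/")
            if scheme not in ("principal", "principalSet") or not rest.startswith(pool + "/"):
                findings.append(f"{role}: {member} is outside the Chainguard pool")
                continue
            selector = rest[len(pool) + 1:]
            if selector == "*":
                # Whole-pool access is only bounded by the provider's condition.
                if not has_condition:
                    findings.append(f"{role}: any token in the pool is accepted")
            elif not any(g in selector for g in group_ids):
                # Assumption: a scoped member names the Chainguard group in its value.
                findings.append(f"{role}: {member} names no configured group")
    return findings

# Constructed sample data (not output from a real project).
POOL = "projects/123456789012/locations/global/workloadIdentityPools/example-pool"
PROVIDER = {"name": POOL + "/providers/example-provider",
            "oidc": {"issuerUri": "https://issuer.enforce.dev"}}
POLICY = {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
    f"principalSet://iam.googleapis.com/{POOL}/attribute.group/0123abcd",
    f"principalSet://iam.googleapis.com/{POOL}/*",
    "principalSet://iam.googleapis.com/projects/1/locations/global/"
    "workloadIdentityPools/other/*",
]}]}

if __name__ == "__main__":
    for line in audit(PROVIDER, POLICY, "enforce.dev", ["0123abcd"]):
        print(line)
```

On the sample data this reports the whole-pool member and the member from another pool, and accepts the member scoped to the configured group.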

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| google | n/a |
| google-beta | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google-beta_google_iam_workload_identity_pool.chainguard_pool | resource |
| google-beta_google_iam_workload_identity_pool_provider.chainguard_provider | resource |
| google_project_iam_member.catalog-syncer-push | resource |
| google_project_service.iamcredentials-api | resource |
| google_service_account.catalog-syncer | resource |
| google_service_account.chainguard_canary | resource |
| google_service_account_iam_binding.allow_canary_impersonation | resource |
| google_service_account_iam_binding.catalog-syncer-impersonation | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| environment | Domain name of your Chainguard environment | string | "enforce.dev" | no |
| group_ids | Chainguard IAM group IDs to bind your GCP project to. | list(string) | n/a | yes |
| project_id | GCP Project ID | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| provider_id | GCP identity provider pool configured for Chainguard. |