From fd45c8ac92fcfaaaadc2550c8fb7cf78dd459f6b Mon Sep 17 00:00:00 2001
From: Andrzej Komarnicki
Date: Thu, 22 Feb 2024 09:48:12 -0500
Subject: [PATCH 1/2] added create-cred-config

---
 README.md | 18 +-----------------
 gcp-wif-config.json | 14 ++++++++++++++
 main.tf | 11 +++++++++++
 outputs.tf | 5 +++++
 variables.tf | 4 ++--
 5 files changed, 33 insertions(+), 19 deletions(-)
 create mode 100644 gcp-wif-config.json

diff --git a/README.md b/README.md
index 6e7b4d8..12741cd 100644
--- a/README.md
+++ b/README.md
@@ -43,23 +43,7 @@ _Custom Role_ permissions:
 • storage.buckets.list
 ```
-The customer also needs to provide Bishop Fox with the WIF credentials file that is exported using the following command:
-
-```bash
-gcloud iam workload-identity-pools create-cred-config \
-projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
- --service-account=SERVICE_ACCOUNT_EMAIL \
- --aws \
- --enable-imdsv2 \
- --output-file=FILEPATH.json
-
-Replace the following values:
-• PROJECT_NUMBER: The project number of the project that contains the workload identity pool
-• POOL_ID: The ID of the workload identity pool, ex. bfidentitypool
-• PROVIDER_ID: The ID of the workload identity pool provider, ex. bfawsprovider
-• SERVICE_ACCOUNT_EMAIL: The email address of the service account
-• FILEPATH: The file to save configuration to
-```
+The customer also needs to provide Bishop Fox with the WIF credentials file that is exported to gcp-wif-config.json during the terraform run.
 Lastly, Bishop Fox requires the customer GCP Organization ID which can be retrieved using the following command:
diff --git a/gcp-wif-config.json b/gcp-wif-config.json
new file mode 100644
index 0000000..c2d3f61
--- /dev/null
+++ b/gcp-wif-config.json
@@ -0,0 +1,14 @@
+{
+ "type": "external_account",
+ "audience": "//iam.googleapis.com/projects/626342842847/locations/global/workloadIdentityPools/bfidentitypool-updated1/providers/bfawsprovider",
+ "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
+ "token_url": "https://sts.googleapis.com/v1/token",
+ "credential_source": {
+ "environment_id": "aws1",
+ "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
+ "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
+ "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
+ "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token"
+ },
+ "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/bfserviceaccount@workload-identityfed-389218.iam.gserviceaccount.com:generateAccessToken"
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 4743d44..3ed4a98 100644
--- a/main.tf
+++ b/main.tf
@@ -54,6 +54,17 @@ resource "google_service_account_iam_policy" "bishopfox" {
 }
+resource "null_resource" "bishopfox" {
+ provisioner "local-exec" {
+ command = "gcloud iam workload-identity-pools create-cred-config projects/${var.projectNumber}/locations/global/workloadIdentityPools/${var.poolID}/providers/${var.providerID} --service-account=${google_service_account.bishopfox.email} --aws --enable-imdsv2 --output-file=gcp-wif-config.json --quiet"
+ }
+ depends_on = [google_iam_workload_identity_pool_provider.bishopfox]
+}
+
+
+
+
+
diff --git a/outputs.tf b/outputs.tf
index 8e78384..c6d46d5 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -16,3 +16,8 @@ output "service_account" {
 sensitive = false
 }
+# output value of exportet WIF credential config file
+output "gcp_wif_config" {
+ value = file("gcp-wif-config.json")
+}
+
diff --git a/variables.tf b/variables.tf
index 377b51c..13cb1aa 100644
--- a/variables.tf
+++ b/variables.tf
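Review bot: `null_resource.bishopfox` declares no `triggers`, so the `local-exec` provisioner runs only when the resource is first created and the credential config on disk silently goes stale once `var.projectNumber`, `var.poolID`, `var.providerID` or the service-account email changes; add `triggers = { provider = google_iam_workload_identity_pool_provider.bishopfox.id, service_account = google_service_account.bishopfox.email }` so the resource is replaced and the file rewritten. The `command` string splices those variables into a shell line unquoted, so any value containing shell metacharacters alters the command rather than failing cleanly — wrap each interpolation in double quotes (`"${var.poolID}"` and so on). The command writes `gcp-wif-config.json` into the module directory next to the sources, and this same patch commits that generated file (which embeds the real project number, pool id and service-account email); add it to `.gitignore` and treat it as a build artifact. A WIF credential config carries no secret key material itself — it only tells the workload where to fetch AWS instance-metadata credentials and which GCP endpoints to exchange them at — but it is environment-specific output and should not be versioned.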
@@ -11,13 +11,13 @@ variable "projectNumber" {
 variable "poolID" {
 description = "This is the ID of the Workload Identity Federation identity pool"
 type = string
- default = "bfidentitypool"
+ default = "bfidentitypool-updated1"
 }
 variable "displayName" {
 description = "This is the display name of the Workload Identity Federation pool"
 type = string
- default = "bishopfoxidentitypool"
+ default = "bishopfoxidentitypool-updated1"
 }
 variable "providerID" {
From f5c6bd2b34d28ac16def8761047593b664255d1e Mon Sep 17 00:00:00 2001
From: Andrzej Komarnicki
Date: Thu, 22 Feb 2024 10:18:11 -0500
Subject: [PATCH 2/2] cleanup

---
 gcp-wif-config.json | 14 --------------
 main.tf | 4 ----
 variables.tf | 4 ++--
 3 files changed, 2 insertions(+), 20 deletions(-)
 delete mode 100644 gcp-wif-config.json

diff --git a/gcp-wif-config.json b/gcp-wif-config.json
deleted file mode 100644
index c2d3f61..0000000
--- a/gcp-wif-config.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "type": "external_account",
- "audience": "//iam.googleapis.com/projects/626342842847/locations/global/workloadIdentityPools/bfidentitypool-updated1/providers/bfawsprovider",
- "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
- "token_url": "https://sts.googleapis.com/v1/token",
- "credential_source": {
- "environment_id": "aws1",
- "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
- "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
- "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
- "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token"
- },
- "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/bfserviceaccount@workload-identityfed-389218.iam.gserviceaccount.com:generateAccessToken"
-}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 3ed4a98..4c94a47 100644
--- a/main.tf
+++ b/main.tf
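Review bot: Changing the shipped default of `poolID` from `bfidentitypool` to `bfidentitypool-updated1` changes the immutable `workload_identity_pool_id`, so applying this against an existing deployment destroys and recreates the pool (and, presumably, the provider nested under it), and GCP keeps a deleted pool's ID reserved during its soft-delete window, so the previous id cannot simply be reused in the meantime. The `-updated1` suffix on both `poolID` and `displayName` reads like a leftover from a test run rather than an intended rename, which is consistent with the following `cleanup` patch reverting both defaults. If a different pool id is needed for one environment, pass it with `-var` or a tfvars file instead of editing the default, and keep the README example in step with whatever default is shipped.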
@@ -53,7 +53,6 @@ resource "google_service_account_iam_policy" "bishopfox" {
 depends_on = [google_service_account.bishopfox]
 }
-
 resource "null_resource" "bishopfox" {
 provisioner "local-exec" {
 command = "gcloud iam workload-identity-pools create-cred-config projects/${var.projectNumber}/locations/global/workloadIdentityPools/${var.poolID}/providers/${var.providerID} --service-account=${google_service_account.bishopfox.email} --aws --enable-imdsv2 --output-file=gcp-wif-config.json --quiet"
@@ -69,6 +68,3 @@ resource "null_resource" "bishopfox" {
-
-
-
diff --git a/variables.tf b/variables.tf
index 13cb1aa..377b51c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -11,13 +11,13 @@ variable "projectNumber" {
 variable "poolID" {
 description = "This is the ID of the Workload Identity Federation identity pool"
 type = string
- default = "bfidentitypool-updated1"
+ default = "bfidentitypool"
 }
 variable "displayName" {
 description = "This is the display name of the Workload Identity Federation pool"
 type = string
- default = "bishopfoxidentitypool-updated1"
+ default = "bishopfoxidentitypool"
 }
 variable "providerID" {