Manage infrastructure with Workload Identity Federation and Terraform Cloud
Introduction

Terraform Cloud (TFC) can help manage infrastructure as code (IaC) development for large enterprises. As the number of Google Cloud projects grows, managing access controls for Terraform Cloud projects and workspaces can become complex. Don't worry, we have a solution that is designed to be more secure than using Google Cloud service account keys, and that also scales well to hundreds or even thousands of Google Cloud projects, TFC workspaces, and TFC projects, using Workload Identity Federation.

An enterprise scenario

Consider a fictitious financial services firm, example.com, that offers banking, lending, insurance and brokerage services to customers. Their Google Cloud resource hierarchy is shown below: Business Units > Environment Folders > Application Projects.

As IaC codebases grow to manage the infrastructure for the entire organization, it can be difficult to control access for a large number of deployment pipelines. The following solution guidance addresses three key challenges:

How do I ensure dev IaC code creates or deletes resources only in the dev environment, never in production?
How do I prevent Banking IaC code from accidentally creating or deleting Brokerage business unit resources?
How many TFC projects, TFC workspaces, Google Cloud workload identity pools, and Terraform service accounts are optimal for my enterprise use cases?

Solution architecture

At a high level, Terraform Cloud workspaces integrate with Workload Identity Federation to authenticate to Google Cloud, then impersonate Google Cloud service accounts to manage resources in application projects, with no long-lived service account keys stored in TFC. Each TFC workspace is granted permission to impersonate only the service account it needs. The following diagram shows the components and how they interact. This solution requires the following setup in Terraform Cloud and Google Cloud.
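The following Terraform configuration is an added example, not code from the original article or from Google, showing the Google Cloud half of this architecture for one business unit and one environment: a workload identity pool and OIDC provider for Terraform Cloud, an attribute condition that accepts tokens only from one TFC organization and one TFC project, and a service account that only workspaces in that TFC project may impersonate. The organization name "example-org", the TFC project name "banking-dev", all project IDs, and the resource names are assumptions for illustration; the resource types are those of the google provider, and the `terraform_*` claims are the ones Terraform Cloud places in its OIDC tokens.

```hcl
# Added example (not from the original article). Names, IDs and the project
# layout are assumed; adjust them to your own hierarchy.

variable "banking_dev_project_id" {
  description = "Assumed Google Cloud project that holds the pool and the Terraform service account"
  type        = string
}

variable "tfc_organization" {
  default = "example-org" # assumed TFC organization name
}

variable "tfc_project" {
  default = "banking-dev" # assumed TFC project: Banking business unit, dev environment
}

variable "banking_dev_app_projects" {
  type    = set(string)
  default = ["banking-dev-app-1", "banking-dev-app-2"] # assumed application project IDs
}

resource "google_iam_workload_identity_pool" "tfc_banking_dev" {
  project                   = var.banking_dev_project_id
  workload_identity_pool_id = "tfc-banking-dev"
  display_name              = "TFC Banking dev"
}

# Terraform Cloud issues OIDC tokens from https://app.terraform.io. The mapping
# copies the TFC organization/project/workspace claims into pool attributes so
# IAM bindings can refer to them. The attribute condition rejects tokens from any
# other organization or TFC project before a subject is mapped at all, so a
# Brokerage or prod TFC project can never obtain credentials from this pool.
resource "google_iam_workload_identity_pool_provider" "tfc" {
  project                            = var.banking_dev_project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.tfc_banking_dev.workload_identity_pool_id
  workload_identity_pool_provider_id = "tfc-oidc"
  display_name                       = "Terraform Cloud OIDC"

  attribute_mapping = {
    "google.subject"                        = "assertion.sub"
    "attribute.terraform_organization_name" = "assertion.terraform_organization_name"
    "attribute.terraform_project_name"      = "assertion.terraform_project_name"
    "attribute.terraform_workspace_name"    = "assertion.terraform_workspace_name"
    "attribute.terraform_run_phase"         = "assertion.terraform_run_phase"
  }

  attribute_condition = <<-EOT
    assertion.terraform_organization_name == "${var.tfc_organization}" &&
    assertion.terraform_project_name == "${var.tfc_project}"
  EOT

  oidc {
    issuer_uri = "https://app.terraform.io"
  }
}

# The service account that TFC runs impersonate. No key is ever created for it.
resource "google_service_account" "tfc_banking_dev" {
  project      = var.banking_dev_project_id
  account_id   = "tfc-banking-dev"
  display_name = "Terraform Cloud runs for Banking dev"
}

# Every workspace in the "banking-dev" TFC project may impersonate the account.
# The principalSet keyed on attribute.terraform_project_name is what ties the
# grant to one business unit and one environment.
resource "google_service_account_iam_member" "tfc_impersonation" {
  service_account_id = google_service_account.tfc_banking_dev.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tfc_banking_dev.name}/attribute.terraform_project_name/${var.tfc_project}"
}

# The account gets rights only on Banking dev application projects, never on
# prod folders or on other business units.
resource "google_project_iam_member" "app_project_access" {
  for_each = var.banking_dev_app_projects
  project  = each.value
  role     = "roles/editor" # use a narrower custom role in practice
  member   = "serviceAccount:${google_service_account.tfc_banking_dev.email}"
}

# Full provider resource name, needed when configuring the TFC workspace.
output "tfc_workload_provider_name" {
  value = google_iam_workload_identity_pool_provider.tfc.name
}
```

On the Terraform Cloud side, each workspace in the banking-dev project is then configured with TFC's dynamic-credentials environment variables: TFC_GCP_PROVIDER_AUTH set to true, TFC_GCP_WORKLOAD_PROVIDER_NAME set to the `tfc_workload_provider_name` output above, and TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL set to the service account's email. Because the pool is scoped by attribute condition and the impersonation grant by principalSet, a workspace that is moved to another TFC project, or a token minted for a different organization, fails at the token exchange rather than at a later IAM check, which is the behaviour the two access-control questions above call for.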