Fixes terraform-google-modules#11: Cloud Function for automatic folde…

…r inclusion

terraform-google-modules#11
terraform-google-modules#14

Added example with cloud function that automatically runs TF when
project is created/moved/deleted.

.gitignore

@@ -50,3 +50,8 @@ examples/simple_example_access_level/terraform.tfvars
 terraform.tfvars
 
 credentials.json
+
+examples/automatic_folder.zip
+
+node_modules
+yarn.lock

Makefile

@@ -89,7 +89,6 @@ version:
 docker_run:
 	docker run --rm -it \
 		-e PROJECT_ID \
-		-e BUCKET_NAME \
 		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
@@ -101,7 +100,6 @@ docker_run:
 docker_create:
 	docker run --rm -it \
 		-e PROJECT_ID \
-		-e BUCKET_NAME \
 		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
@@ -113,7 +111,6 @@ docker_create:
 docker_converge:
 	docker run --rm -it \
 		-e PROJECT_ID \
-		-e BUCKET_NAME \
 		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
@@ -125,7 +122,6 @@ docker_converge:
 docker_verify:
 	docker run --rm -it \
 		-e PROJECT_ID \
-		-e BUCKET_NAME \
 		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
@@ -137,7 +133,6 @@ docker_verify:
 docker_destroy:
 	docker run --rm -it \
 		-e PROJECT_ID \
-		-e BUCKET_NAME \
 		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
@@ -149,7 +144,6 @@ docker_destroy:
 test_integration_docker:
 	docker run --rm -it \
 		-e PROJECT_ID \
-		-e BUCKET_NAME \
 		-e SERVICE_ACCOUNT_JSON \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \

examples/automatic_folder/.gitignore

@@ -0,0 +1,4 @@
+/provider.tf
+/.terraform
+tfplan
+local.tfvars

examples/automatic_folder/README.md

@@ -0,0 +1,52 @@
+# Automatic folder securing Example
+
+This example illustrates how to use the `vpc-service-controls` module to configure an org policy, an access level and a regular perimeter with projects inside a folder.
+
+# Requirements
+
+1. Make sure you've gone through the root [Requirement Section](../../README.md#requirements) on any project in your organization.
+2. Updated `provider.tf.dist` with remote state configs. Copy `provider.tf.dist` to `provider.tf` changing variables for local running
+3. Create `local.tfvars` file with required inputs, like this:
+````hcl-terraform
+project_id          = "YOUR_PROJECT"
+parent_id           = "ORG_ID"
+folder_id           = "FOLDER_ID"
+policy_name         = "automatic_folder"
+members             = ["user:[email protected]"]
+region              = "us-east1"
+restricted_services = ["storage.googleapis.com"]
+````
+4. Please note, that whole example folder is uploaded as Cloud Function root. Don't store credentials in it!
+5. Add Cloud Function's SA to organization (Access Context Manager Admin), project IAM (Owner and Storage Object Admin) and watched folder (Logs Configuration Writer)
+6. You might need to apply TF changes twice due to ACM race condition
+
+
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| folder\_id | Folder ID to watch for projects. | string | n/a | yes |
+| members | An allowed list of members \(users, service accounts\). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user \(logged in/not logged in, etc.\). Formats: user:\{emailid\}, serviceAccount:\{emailid\} | list(string) | n/a | yes |
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent \(ID\). | string | n/a | yes |
+| perimeter\_name | Name of perimeter. | string | `"regular_perimeter"` | no |
+| policy\_name | The policy's name. | string | n/a | yes |
+| project\_id | The ID of the project to which resources will be applied. | string | n/a | yes |
+| region | The region in which resources will be applied. | string | n/a | yes |
+| restricted\_services | List of services to restrict. | list(string) | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| policy\_name | Name of the parent policy |
+| protected\_project\_ids | Project ids of the projects INSIDE the regular service perimeter |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/automatic_folder/function.go

@@ -0,0 +1,113 @@
+package function
+
+// https://github.com/hashicorp/terraform/pull/22741
+import (
+	"context"
+	"github.com/otiai10/copy"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+)
+
+type PubSubMessage struct {
+	Data []byte `json:"data"`
+}
+
+func copy_terraform_code(dirSource string, dirTarget string) (err error) {
+	var objects []os.FileInfo
+	if objects, err = ioutil.ReadDir(dirSource); err != nil {
+		return err
+	}
+
+	for _, obj := range objects {
+		name := obj.Name()
+
+		switch name {
+		case ".":
+		case "..":
+		case "credentials.json":
+		case ".terraform":
+			continue;
+		case "provider.tf.dist":
+			name = "provider.tf"
+		}
+
+		if err = copy.Copy(path.Join(dirSource, name), path.Join(dirTarget, name)); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func init_folder(dirSource string) (dirTarget string, err error) {
+	if dirTarget, err = ioutil.TempDir("/tmp", "project"); err != nil {
+		log.Panic(err)
+	}
+
+	if err = copy_terraform_code(dirSource, dirTarget); err != nil {
+		log.Panic(err)
+	}
+
+	return dirTarget, err
+}
+
+func run_terraform(arg ...string) (err error) {
+	cmd := exec.Command(path.Join(os.Getenv("HOME"), "go", "bin", "terraform"), "init")
+	if err := cmd.Run(); err != nil {
+		log.Fatal(err)
+	}
+
+	log.Print(cmd.CombinedOutput())
+
+	return nil
+}
+
+func Handler(ctx context.Context, m PubSubMessage) (err error) {
+	var dirSource string
+	if dirSource, err = os.Getwd(); err != nil {
+		log.Panic(err)
+	}
+
+	var dirTarget string
+	if dirTarget, err = init_folder(dirSource); err != nil {
+		log.Panic(err)
+	}
+
+	defer func() {
+		err2 := os.RemoveAll(dirTarget)
+		if (err2 != nil) {
+			if (err == nil) {
+				log.Panic(err2)
+			}
+			log.Print(err2)
+		}
+	}()
+
+	var args []string
+	const TF_PLAN = "tfplan"
+
+	args = []string{"init", "-no-color", "-lock-timeout=300s"}
+	if err = run_terraform(args...); err != nil {
+		log.Panic(err)
+	}
+
+	args = []string{"plan", "-no-color", "-lock-timeout=300s", "-var-file=local.tfvars", "-out", TF_PLAN}
+	if err = run_terraform(args...); err != nil {
+		log.Panic(err)
+	}
+
+	args = []string{"plan", "-no-color", "-lock-timeout=300s", "-auto-approve", "-out", TF_PLAN}
+	if err = run_terraform(args...); err != nil {
+		log.Panic(err)
+	}
+
+	args = []string{"output", "-json"}
+	if err = run_terraform(args...); err != nil {
+		log.Panic(err)
+	}
+
+	return nil
+}

examples/automatic_folder/go.mod

@@ -0,0 +1,8 @@
+module function
+
+require (
+	github.com/hashicorp/terraform v0.12.9-0.20190909120458-5fb1e0867836 // indirect
+	github.com/otiai10/copy v1.0.1
+)
+
+go 1.11