From bcb007bffe96a91dc8d6069cf7c888f40d7c7b46 Mon Sep 17 00:00:00 2001 From: Arthur de Lapertosa Lisboa Date: Mon, 9 Sep 2024 16:44:10 -0300 Subject: [PATCH 1/5] feat: add org policies to confidential computing example --- examples/confidential_computing/README.md | 4 +- .../confidential_computing/org_policies.tf | 39 +++++++++++++++++++ .../confidential_compute_instance_test.go | 11 ++++++ test/setup/iam.tf | 6 +++ 4 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 examples/confidential_computing/org_policies.tf diff --git a/examples/confidential_computing/README.md b/examples/confidential_computing/README.md index ca5b2a77..e8c4d21b 100644 --- a/examples/confidential_computing/README.md +++ b/examples/confidential_computing/README.md @@ -2,7 +2,9 @@ This is an example of a vm creation with confidential computing, encrypted disk using a multiregion (US by default) Cloud HSM key -and a custom service account with cloud-platform scope. +and a custom service account with cloud-platform scope. It also +creates org policies enforcing the use of CMEK encrypted instances +and confidential computing to all newly created VMs within the project. ## Inputs diff --git a/examples/confidential_computing/org_policies.tf b/examples/confidential_computing/org_policies.tf new file mode 100644 index 00000000..e2bc3488 --- /dev/null +++ b/examples/confidential_computing/org_policies.tf @@ -0,0 +1,39 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "confidential-computing-org-policy" { + source = "terraform-google-modules/org-policy/google" + version = "~> 5.1" + + project_id = var.project_id + policy_for = "project" + constraint = "constraints/compute.restrictNonConfidentialComputing" + policy_type = "list" + deny = ["compute.googleapis.com"] + deny_list_length = 1 +} + +module "enforce-cmek-org-policy" { + source = "terraform-google-modules/org-policy/google" + version = "~> 5.1" + + project_id = var.project_id + policy_for = "project" + constraint = "constraints/gcp.restrictNonCmekServices" + policy_type = "list" + deny = ["compute.googleapis.com"] + deny_list_length = 1 +} diff --git a/test/integration/confidential_compute_instance/confidential_compute_instance_test.go b/test/integration/confidential_compute_instance/confidential_compute_instance_test.go index d36d255c..ed892272 100644 --- a/test/integration/confidential_compute_instance/confidential_compute_instance_test.go +++ b/test/integration/confidential_compute_instance/confidential_compute_instance_test.go @@ -49,6 +49,17 @@ func TestConfidentialInstanceTemplate(t *testing.T) { assert.Len(disks, 1) defaultSuffix := confCompInst.GetStringOutput("suffix") assert.Equal(fmt.Sprintf("projects/%s/locations/us/keyRings/key-ring-test-%s/cryptoKeys/key-test-%s/cryptoKeyVersions/1", projectId, defaultSuffix, defaultSuffix), disks[0].Get("diskEncryptionKey").Get("kmsKeyName").String()) + + org_policy_cmek_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictNonCmekServices'", projectId).Array() + assert.Len(org_policy_cmek_constraint, 1) + cmek_denied_values_list := org_policy_cmek_constraint[0].Get("listPolicy.deniedValues").Array() + assert.Len(cmek_denied_values_list, 1) + assert.Equal("compute.googleapis.com", cmek_denied_values_list[0].String()) + org_policy_confidential_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/compute.restrictNonConfidentialComputing'", projectId).Array() + assert.Len(org_policy_confidential_constraint, 1) + cc_denied_values_list := org_policy_confidential_constraint[0].Get("listPolicy.deniedValues").Array() + assert.Len(cc_denied_values_list, 1) + assert.Equal("compute.googleapis.com", cc_denied_values_list[0].String()) }) confCompInst.Test() } diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 3b1ed4ca..e37f7575 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -38,6 +38,12 @@ resource "google_project_iam_member" "ci_vm_account" { member = "serviceAccount:${google_service_account.ci_vm_account.email}" } +resource "google_organization_iam_member" "ci_vm_account_organization" { + org_id = var.org_id + role = "roles/orgpolicy.policyAdmin" + member = "serviceAccount:${google_service_account.ci_vm_account.email}" +} + resource "google_service_account_key" "ci_vm_account" { service_account_id = google_service_account.ci_vm_account.id } From 4cd4aece54ee6b39e69ae656e2c3efc3ff21b327 Mon Sep 17 00:00:00 2001 From: Arthur de Lapertosa Lisboa Date: Tue, 10 Sep 2024 13:11:41 -0300 Subject: [PATCH 2/5] code review changes --- examples/confidential_computing/README.md | 1 + examples/confidential_computing/org_policies.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/confidential_computing/README.md b/examples/confidential_computing/README.md index e8c4d21b..b53efec7 100644 --- a/examples/confidential_computing/README.md +++ b/examples/confidential_computing/README.md @@ -5,6 +5,7 @@ encrypted disk using a multiregion (US by default) Cloud HSM key and a custom service account with cloud-platform scope. It also creates org policies enforcing the use of CMEK encrypted instances and confidential computing to all newly created VMs within the project. +Note: existing VM instances won't be affected by the new org policy. ## Inputs diff --git a/examples/confidential_computing/org_policies.tf b/examples/confidential_computing/org_policies.tf index e2bc3488..01267313 100644 --- a/examples/confidential_computing/org_policies.tf +++ b/examples/confidential_computing/org_policies.tf @@ -28,7 +28,7 @@ module "confidential-computing-org-policy" { module "enforce-cmek-org-policy" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 5.3" project_id = var.project_id policy_for = "project" From 49afcfc803a006a571afc884194b5365364e0505 Mon Sep 17 00:00:00 2001 From: Arthur de Lapertosa Lisboa Date: Fri, 13 Sep 2024 16:13:19 -0300 Subject: [PATCH 3/5] add gcp.restrictCmekCryptoKeyProjects org policy constraint --- examples/confidential_computing/org_policies.tf | 14 +++++++++++++- .../confidential_compute_instance_test.go | 7 ++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/examples/confidential_computing/org_policies.tf b/examples/confidential_computing/org_policies.tf index 01267313..14104cd1 100644 --- a/examples/confidential_computing/org_policies.tf +++ b/examples/confidential_computing/org_policies.tf @@ -16,7 +16,7 @@ module "confidential-computing-org-policy" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 5.3" project_id = var.project_id policy_for = "project" @@ -37,3 +37,15 @@ module "enforce-cmek-org-policy" { deny = ["compute.googleapis.com"] deny_list_length = 1 } + +module "restrict-cmek-cryptokey-projects-policy" { + source = "terraform-google-modules/org-policy/google" + version = "~> 5.3" + + project_id = var.project_id + policy_for = "project" + constraint = "constraints/gcp.restrictCmekCryptoKeyProjects" + policy_type = "list" + allow = ["projects/${var.project_id}"] + allow_list_length = 1 +} diff --git a/test/integration/confidential_compute_instance/confidential_compute_instance_test.go b/test/integration/confidential_compute_instance/confidential_compute_instance_test.go index ed892272..8d7fd6cc 100644 --- a/test/integration/confidential_compute_instance/confidential_compute_instance_test.go +++ b/test/integration/confidential_compute_instance/confidential_compute_instance_test.go @@ -23,7 +23,7 @@ import ( "github.com/stretchr/testify/assert" ) -func TestConfidentialInstanceTemplate(t *testing.T) { +func TestConfidentialComputeInstance(t *testing.T) { const instanceNamePrefix = "confidential-encrypted-instance" confCompInst := tft.NewTFBlueprintTest(t) @@ -55,6 +55,11 @@ func TestConfidentialInstanceTemplate(t *testing.T) { cmek_denied_values_list := org_policy_cmek_constraint[0].Get("listPolicy.deniedValues").Array() assert.Len(cmek_denied_values_list, 1) assert.Equal("compute.googleapis.com", cmek_denied_values_list[0].String()) + org_policy_cmek_projects := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictCmekCryptoKeyProjects'", projectId).Array() + assert.Len(org_policy_cmek_projects, 1) + cmek_allowed_projects := org_policy_cmek_projects[0].Get("listPolicy.allowedValues").Array() + assert.Len(cmek_allowed_projects, 1) + assert.Equal(fmt.Sprintf("projects/%s", projectId), cmek_allowed_projects[0].String()) org_policy_confidential_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/compute.restrictNonConfidentialComputing'", projectId).Array() assert.Len(org_policy_confidential_constraint, 1) cc_denied_values_list := org_policy_confidential_constraint[0].Get("listPolicy.deniedValues").Array() From 72c10686dabf8568a2ba09dfeb03f37d79d8e570 Mon Sep 17 00:00:00 2001 From: Arthur de Lapertosa Lisboa Date: Fri, 13 Sep 2024 16:22:44 -0300 Subject: [PATCH 4/5] Update README.md --- examples/confidential_computing/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/confidential_computing/README.md b/examples/confidential_computing/README.md index b53efec7..629c748e 100644 --- a/examples/confidential_computing/README.md +++ b/examples/confidential_computing/README.md @@ -5,6 +5,8 @@ encrypted disk using a multiregion (US by default) Cloud HSM key and a custom service account with cloud-platform scope. It also creates org policies enforcing the use of CMEK encrypted instances and confidential computing to all newly created VMs within the project. +Also, an additional org policy constraint is created, which only allows +Cloud KMS keys (used for CMEK protection) that come from the provided input project. Note: existing VM instances won't be affected by the new org policy. From bbd5332838e58d49d07cb7cf1202462bad9c355a Mon Sep 17 00:00:00 2001 From: Arthur de Lapertosa Lisboa Date: Mon, 16 Sep 2024 16:37:23 -0300 Subject: [PATCH 5/5] code review changes --- examples/confidential_computing/org_policies.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/confidential_computing/org_policies.tf b/examples/confidential_computing/org_policies.tf index 14104cd1..3c9ad5f4 100644 --- a/examples/confidential_computing/org_policies.tf +++ b/examples/confidential_computing/org_policies.tf @@ -42,10 +42,10 @@ module "restrict-cmek-cryptokey-projects-policy" { source = "terraform-google-modules/org-policy/google" version = "~> 5.3" - project_id = var.project_id - policy_for = "project" - constraint = "constraints/gcp.restrictCmekCryptoKeyProjects" - policy_type = "list" - allow = ["projects/${var.project_id}"] + project_id = var.project_id + policy_for = "project" + constraint = "constraints/gcp.restrictCmekCryptoKeyProjects" + policy_type = "list" + allow = ["projects/${var.project_id}"] allow_list_length = 1 }