Fixes #59. Adds optional behavior to update GCP org policies (#76)

* Fixes #59. Explicitly handle org policies during boostrap. * Add omited terraform resource. * Document org policy tfvars behavior * Remove duplicative tfvars attribute. * Remove accidental tfvars hardcoding.
googleforgames · Mar 3, 2023 · 36fd189 · 36fd189
1 parent fd2e7e7
commit 36fd189
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -18,16 +18,17 @@ You can also click on the following icon to open this repository in a 'batteries
 
 ### Google Cloud Auth
 
-Once you have Google Cloud CLI installed, you will need to authenticate against Google Cloud:
+Once you have Google Cloud CLI installed, you will need to set your [GCP Project ID](https://support.google.com/googleapi/answer/7014113?hl=en#:~:text=The%20project%20ID%20is%20a,ID%20or%20create%20your%20own.):
 
 ```shell
-gcloud auth application-default login
+export PROJECT_ID=<PROJECT_ID>
+gcloud config set project ${PROJECT_ID}
 ```
 
-and then set your Google Cloud Project to name/PROJECT_ID:
-
+and then authenticate to generate [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials) that can be leveraged by Terraform
 ```shell
-gcloud config set project <PROJECT_ID>
+gcloud auth application-default login
+gcloud auth application-default set-quota-project ${PROJECT_ID}
 ```
 
 Clone this directory locally and, we'll also set an environment variable to it's root directory, for easy navigation:
@@ -57,8 +58,8 @@ cd $GAME_DEMO_HOME/infrastructure
 terraform init
 cp terraform.tfvars.sample terraform.tfvars
 
-### Edit terraform.tfvars, especially <PROJECT_ID>
-```
+# Edit terraform.tfvars as needed, especially <PROJECT_ID>.
+# Setting `apply_org_policies = true` will also apply any neccessary GCP Org Policies as part of the provioning process.
 
 ### Provision the infrastructure.
 
@@ -93,7 +94,7 @@ Navigate to the [agones-deploy-pipeline](https://console.cloud.google.com/deploy
 
 ```shell
 # Replace RELEASE_NAME with the unique build name
-$ gcloud deploy releases promote --release=RELEASE_NAME --delivery-pipeline=agones-deploy-pipeline --region=us-central1`
+gcloud deploy releases promote --release=RELEASE_NAME --delivery-pipeline=agones-deploy-pipeline --region=us-central1`
 ```
 
 Continue the promotion until Agones has been deployed to all clusters. 

diff --git a/infrastructure/org-policies.tf b/infrastructure/org-policies.tf
@@ -0,0 +1,69 @@
+# Optionally apply these Org Policies, as specified in terraform.tfvars file
+
+module "gcp_org_policy_v2_requireShieldedVm" {
+  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version          = "~> 5.2.0"
+
+  count          = var.apply_org_policies == true ? 1 : 0
+  policy_root    = "project"
+  policy_root_id = var.project
+  rules = [{
+    enforcement = false
+    allow       = []
+    deny        = []
+    conditions  = []
+  }]
+  constraint  = "compute.requireShieldedVm"
+  policy_type = "boolean"
+}
+
+module "gcp_org_policy_v2_disableServiceAccountKeyCreation" {
+  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version          = "~> 5.2.0"
+
+  count          = var.apply_org_policies == true ? 1 : 0
+  policy_root    = "project"
+  policy_root_id = var.project
+  rules = [{
+    enforcement = false
+    allow       = []
+    deny        = []
+    conditions  = []
+  }]
+  constraint  = "iam.disableServiceAccountKeyCreation"
+  policy_type = "boolean"
+}
+
+module "gcp_org_policy_v2_vmCanIpForward" {
+  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version          = "~> 5.2.0"
+
+  count          = var.apply_org_policies == true ? 1 : 0
+  policy_root    = "project"
+  policy_root_id = var.project
+  rules = [{
+    enforcement = false
+    allow       = []
+    deny        = []
+    conditions  = []
+  }]
+  constraint  = "compute.vmCanIpForward"
+  policy_type = "list"
+}
+
+module "gcp_org_policy_v2_vmExternalIpAccess" {
+  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version          = "~> 5.2.0"
+
+  count          = var.apply_org_policies == true ? 1 : 0
+  policy_root    = "project"
+  policy_root_id = var.project
+  rules = [{
+    enforcement = false
+    allow       = []
+    deny        = []
+    conditions  = []
+  }]
+  constraint  = "compute.vmExternalIpAccess"
+  policy_type = "list"
+}
diff --git a/infrastructure/providers.tf b/infrastructure/providers.tf
@@ -14,6 +14,7 @@
 
 provider "google" {
   project = var.project
+  user_project_override = true
 }
 
 data "google_client_config" "provider" {}
diff --git a/infrastructure/terraform.tfvars.sample b/infrastructure/terraform.tfvars.sample
@@ -12,10 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+
 # Project Specific Variables
+
 project            = "PROJECT_ID"
 resource_env_label = "demo-global-game"
 
+apply_org_policies = false
+
 # Cloud Deploy Configuration
 platform_directory = "../platform" # Relative to Terraform directory
 services_directory = "../services" # Relative to Terraform directory
@@ -75,6 +79,7 @@ game_gke_autopilot_clusters = {
   }
 }
 
+
 # GCP APIs to Enable
 gcp_project_services = [
   "clouddeploy.googleapis.com",
@@ -87,12 +92,13 @@ gcp_project_services = [
   "secretmanager.googleapis.com",
   "servicenetworking.googleapis.com",
   "servicecontrol.googleapis.com",
+  "run.googleapis.com",
+  "orgpolicy.googleapis.com"、
   "redis.googleapis.com",
   "run.googleapis.com",
   "iap.googleapis.com"
 ]
 
-
 # Spanner DB Config Values
 spanner_config = {
   db_name       = "global-game-spanner-db"
@@ -128,16 +134,14 @@ app_service_account_config = {
   description = "Global Multiplayer Game service account"
 }
 
-
 # Agones GKE Service Account Name
 k8s_service_account_id = "k8s-service-account"
 
-
 # Agones Allocation Endpoint Config Values
 allocation_endpoint = {
   name             = "agones-allocation-endpoint"
   proxy_image      = "us-docker.pkg.dev/agones-images/examples/allocation-endpoint-proxy:0.3"
   weight           = 100
   namespace        = "default"
   agones_namespace = "agones-system"
-}
+}
diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
@@ -12,6 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+### Organziation Variables ###
+
+variable "apply_org_policies" {
+  type        = bool
+  description = "Boolean used to determine whether GCP Org Policies are applied"
+}
+
 ### Project Variables ###
 
 variable "project" {