gcloud beta terraform vet quickstart
Stay organized with collections
Save and categorize content based on your preferences.
This quickstart shows you how to apply a constraint that enforces a domain restriction. You'll test that constraint and intentionally throw an error. Then you'll modify the constraint so that your domain passes.
Before you begin
- You need a Google Cloud project.
You need the following Identity and Access Management (IAM) permissions for that project:
resourcemanager.projects.getIamPolicy– This permission can be granted with the Security Reviewer role for the organization.resourcemanager.projects.get– This permission can be granted with the Project Viewer role for the organization.
To get you started quickly, these instructions use a Cloud Shell that's pre-installed with Terraform, and with a cloned Policy Library repository. The instructions assume you already have a Google Cloud account.
Quickstart
Go to the Cloud Shell and clone the policy library.
Copy the sample IAM domain restriction constraint into the
policies/constraintsdirectory.cpsamples/iam_service_accounts_only.yamlpolicies/constraintsExamine the constraint you copied by printing it to the terminal.
catpolicies/constraints/iam_service_accounts_only.yamlThe output looks like this:
# This constraint checks that all IAM policy members are in the # "gserviceaccount.com" domain. apiVersion:constraints.gatekeeper.sh/v1alpha1 kind:GCPIAMAllowedPolicyMemberDomainsConstraintV2 metadata: name:service_accounts_only annotations: description:ChecksthatmembersthathavebeengrantedIAMrolesbelongtoallowlisted domains. spec: severity:high match: target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"} -"organizations/**" parameters: domains: -gserviceaccount.comNotice
gserviceaccount.comat the bottom. This specifies that only members from thegserviceaccount.comdomain can be present in an IAM policy.To verify that the policy works as expected, create the following Terraform
main.tffile in the current directory. You can use nano, vim, or the Cloud Shell Editor to createpolicy-library/main.tf.terraform{ required_providers{ google={ source="hashicorp/google" version="~> 3.84" } } } resource"google_project_iam_binding""sample_iam_binding"{ project="PROJECT_ID" role="roles/viewer" members=[ "user:EMAIL_ADDRESS" ] }Replace the following:
PROJECT_ID: your project ID.EMAIL_ADDRESS: a sample email address. This can be any valid email address. For example,user@example.com.
Initialize Terraform and generate a Terraform plan using the following:
terraforminitExport the Terraform plan, if asked, click Authorize when prompted:
terraformplan-out=test.tfplanConvert the Terraform plan to JSON:
terraformshow-json./test.tfplan > ./tfplan.jsonInstall the terraform-tools component:
sudoapt-getinstallgoogle-cloud-sdk-terraform-toolsEnter the following command to validate that your Terraform plan complies with your policies:
gcloudbetaterraformvettfplan.json--policy-library=.--format=jsonSince the email address you provided in the IAM policy binding does not belong to a service account, the plan violates the constraint you set up.
[ { "constraint":"GCPIAMAllowedPolicyMemberDomainsConstraintV2.service_accounts_only", "constraint_config":{ "api_version":"constraints.gatekeeper.sh/v1alpha1", "kind":"GCPIAMAllowedPolicyMemberDomainsConstraintV2", "metadata":{ "annotations":{ "description":"Checks that members that have been granted IAM roles belong to allowlisted domains.", "validation.gcp.forsetisecurity.org/originalName":"service_accounts_only", "validation.gcp.forsetisecurity.org/yamlpath":"policies/constraints/iam_service_accounts_only.yaml" }, "name":"service-accounts-only" }, "spec":{ "match":{ "target":[ "organizations/**" ] }, "parameters":{ "domains":[ "gserviceaccount.com" ] }, "severity":"high" } }, "message":"IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID contains member from unexpected domain: user:user@example.com", "metadata":{ "ancestry_path":"organizations/ORG_ID/projects/PROJECT_ID", "constraint":{ "annotations":{ "description":"Checks that members that have been granted IAM roles belong to allowlisted domains.", "validation.gcp.forsetisecurity.org/originalName":"service_accounts_only", "validation.gcp.forsetisecurity.org/yamlpath":"policies/constraints/iam_service_accounts_only.yaml" }, "labels":{}, "parameters":{ "domains":[ "gserviceaccount.com" ] } }, "details":{ "member":"user:user@example.com", "resource":"//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" } }, "resource":"//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "severity":"high" } ]
To allow another domain (your email), edit
policy-library/policies/constraints/iam_service_accounts_only.yamland append your email domain to the domains allowlist. In the following example, we've addedexample.com, but you'd enter the domain for your own email address:apiVersion:constraints.gatekeeper.sh/v1alpha1 kind:GCPIAMAllowedPolicyMemberDomainsConstraintV1 metadata: name:service_accounts_only spec: severity:high match: target:["organizations/**"] parameters: domains: -gserviceaccount.com -example.comNow validate your Terraform plan again, and this should result in no violations found:
gcloudbetaterraformvettfplan.json--policy-library=.--format=jsonExpected output:
[]
Troubleshooting
If you receive the following error, "Error 403: The caller does not have permission, forbidden", then you either didn't replace PROJECT_ID in policy-library/main.tf with the name of your project, or you don't have the necessary permissions on the project you specified.
After editing the project name and/or permissions (resourcemanager.projects.getIamPolicy and resourcemanager.projects.get), go back and export the Terraform plan again, and then convert the Terraform plan to JSON.