# terraform-google-cos-only

This module is for customers who have narrow, well-defined use cases for the Compute Engine service. It turns the preventative controls up to eleven and will cause an outage if you do not understand the organization policy constraints or the IAM deny policy it creates.

The resources/services/activations/deletions that this module will create/trigger are:
- Create an organization policy constraint allowing COS images only, with an exception for third-party operating systems deployed under a specific folder id
- Create an organization policy constraint to Restrict Resource Service Usage to deny compute.googleapis.com
- Deploy an IAM deny policy that only allows a list of service accounts to deploy compute instances
- No costs
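As an added example (not the module's own code, which lives in the repository), the following standalone Terraform shows what the three controls listed above look like as individual resources, so their blast radius is visible before you apply the module. It assumes the constraints compute.trustedImageProjects and gcp.restrictServiceUsage (both real constraints, but the page does not state which ones the module uses), the Google-maintained cos-cloud image project, a provider version floor, and the variable names organization_id, cos_os_allowed_folder_id, traditional_os_allowed_folder_id and exception_principals from the inputs table.

```hcl
# Added example, not the module's own code. Assumed: the constraint names,
# the cos-cloud image project, and the provider version floor below
# (deny policies need a 4.x release of the google-beta provider from late 2022 or newer).
terraform {
  required_providers {
    google      = { source = "hashicorp/google", version = ">= 4.40" }
    google-beta = { source = "hashicorp/google-beta", version = ">= 4.40" }
  }
}

variable "organization_id" { type = string }
variable "cos_os_allowed_folder_id" { type = string }
variable "traditional_os_allowed_folder_id" { type = string }
# Principals in IAM v2 form, e.g.
# principal://iam.googleapis.com/projects/-/serviceAccounts/NAME@PROJECT.iam.gserviceaccount.com
variable "exception_principals" { type = list(string) }

# 1. COS-only folder: instance boot disks may only use images from projects/cos-cloud.
#    Any other source image project (including the consumer's own custom images)
#    fails at instance creation with a constraint violation.
resource "google_org_policy_policy" "cos_only" {
  name   = "folders/${var.cos_os_allowed_folder_id}/policies/compute.trustedImageProjects"
  parent = "folders/${var.cos_os_allowed_folder_id}"

  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = ["projects/cos-cloud"]
      }
    }
  }
}

# 2. Exception folder for third-party / traditional operating systems:
#    the same constraint is reset to allow-all so that images from any
#    project can be used there, and nowhere else.
resource "google_org_policy_policy" "traditional_os_exception" {
  name   = "folders/${var.traditional_os_allowed_folder_id}/policies/compute.trustedImageProjects"
  parent = "folders/${var.traditional_os_allowed_folder_id}"

  spec {
    inherit_from_parent = false
    rules {
      allow_all = "TRUE"
    }
  }
}

# 3. Restrict Resource Service Usage: deny compute.googleapis.com at the
#    organization. Every project that is still meant to run Compute Engine
#    needs a folder- or project-level override; forgetting one is the outage
#    the page warns about.
resource "google_org_policy_policy" "restrict_compute" {
  name   = "organizations/${var.organization_id}/policies/gcp.restrictServiceUsage"
  parent = "organizations/${var.organization_id}"

  spec {
    rules {
      values {
        denied_values = ["compute.googleapis.com"]
      }
    }
  }
}

# 4. IAM deny policy: deny instance creation to every principal in the
#    organization except the listed ones. Deny policies are evaluated before
#    allow policies, so even a project Owner without an exception is blocked.
resource "google_iam_deny_policy" "compute_instances" {
  provider     = google-beta
  parent       = urlencode("cloudresourcemanager.googleapis.com/organizations/${var.organization_id}")
  name         = "deny-compute-instance-create"
  display_name = "Deny compute instance creation except for approved service accounts"

  rules {
    description = "Only the exception principals may create compute instances"
    deny_rule {
      denied_principals    = ["principalSet://goog/public:all"]
      denied_permissions   = ["compute.googleapis.com/instances.create"]
      exception_principals = var.exception_principals
    }
  }
}
```

Run `terraform plan` against a test organization first: the org-level restrictServiceUsage denial and the deny policy both apply to existing workloads immediately on apply, and the only way to verify which projects lose Compute Engine is to read the plan and the effective policy (`gcloud org-policies describe --effective`) before applying.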
- Clone the repo

```shell
git clone https://github.com/jasonbisson/terraform-google-cos-only.git
```

- Rename and update the required variables in terraform.tfvars.template

```shell
mv terraform.tfvars.template terraform.tfvars
# Update required variables
```

- Execute Terraform commands with an existing identity (human or service account) to build Vertex Workbench Infrastructure

```shell
cd ~/terraform-google-cos-only/
terraform init
terraform plan
terraform apply
```
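A filled-in terraform.tfvars for the steps above, as an added example with constructed placeholder ids (it is not the repository's template file); it assumes the module consumes the inputs listed in the inputs table, and the service account e-mail is made up.

```hcl
# terraform.tfvars (added example, constructed placeholder values).
# Organization and folder ids are numeric strings in GCP.
organization_id                  = "123456789012" # placeholder
policy_for                       = "organization" # node the policies attach to
cos_os_allowed_folder_id         = "111111111111" # placeholder: locked-down COS/GKE folder
traditional_os_allowed_folder_id = "222222222222" # placeholder: third-party OS folder

# Permissions the IAM deny policy blocks. Deny policies use the v2 form
# service/resource.verb, not the dotted form shown in allow-policy role listings.
denied_permissions = [
  "compute.googleapis.com/instances.create",
]

# Principals exempted from the deny: only these may create compute instances.
# Deny policies identify principals with principal:// (v2), not serviceAccount:.
exception_principals = [
  "principal://iam.googleapis.com/projects/-/serviceAccounts/gke-nodes@example-project.iam.gserviceaccount.com", # placeholder
]
```

Keep the exception list to the service accounts that actually create instances (for example the GKE node-pool or deployment pipeline identity); every principal added here bypasses the deny for instances.create across the whole node the policy is attached to.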
Functional examples are included in the examples directory.
Name | Description | Type | Default | Required |
---|---|---|---|---|
allow | (Only for list constraints) List of values which should be allowed | list(string) | [] | no |
allow_list_length | The number of elements in the allow list | number | 0 | no |
constraint | The constraint to be applied | string | null | no |
cos_os_allowed_folder_id | The folder id for projects where only the locked-down Container-Optimized operating system (aka GKE) can be deployed | string | n/a | yes |
denied_permissions | List of permissions for the deny policy | list(string) | n/a | yes |
deny | (Only for list constraints) List of values which should be denied | list(string) | [] | no |
deny_list_length | The number of elements in the deny list | number | 0 | no |
enforce | If boolean constraint, whether the policy is enforced at the root; if list constraint, whether to deny all (true) or allow all (false) | bool | null | no |
exception_principals | Service agents (principals) for which compute instance creation will not be denied | list(string) | n/a | yes |
exclude_folders | Set of folders to exclude from the policy | set(string) | [] | no |
exclude_projects | Set of projects to exclude from the policy | set(string) | [] | no |
organization_id | The organization id the policy is applied to | string | null | no |
policy_for | Resource hierarchy node to apply the policy to: one of organization, folder, or project | string | null | no |
policy_type | The constraint type to work with (either 'boolean' or 'list') | string | "list" | no |
project_id | The project id the policy is applied to | string | null | no |
traditional_os_allowed_folder_id | The folder id for projects where traditional operating systems can be deployed | string | n/a | yes |
No outputs.
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.13 or above
- Terraform Provider for GCP plugin v3.0 or above
The account used for the deployment will require the following roles:
- Organization Policy admin: roles/orgpolicy.policyAdmin
- IAM Deny admin: roles/iam.denyAdmin
Since a project is created by the Project Factory module, you must activate the following APIs on the base project where the Service Account was created:
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
Refer to the contribution guidelines for information on contributing to this module.

Please see our security disclosure process.