This repository has been archived by the owner on Nov 27, 2024. It is now read-only.
Hi team,
i just started using terraform-validator for scanning my tf plan files.
While trying to secure the network for the compute engine instance, it is not throwing any error even though the network is not the one mentioned in the allowed section.
Here are the tf scripts:
main.tf

```hcl
# Creating the compute instance resource
resource "google_compute_instance" "compute-service" {
  name           = var.instance_name
  project        = var.project_name
  machine_type   = var.instance_machine_type
  zone           = var.instance_zone
  tags           = var.instance_tags
  can_ip_forward = var.can_ip_forward

  service_account {
    scopes = var.scope
    # no-scope
  }

  # Boot disk configuration
  boot_disk {
    kms_key_self_link = google_kms_crypto_key.gkck.self_link
    initialize_params {
      image = var.instance_boot_image
    }
  }

  # Shielding the VM
  shielded_instance_config {
    enable_secure_boot          = var.enable_secure_boot
    enable_vtpm                 = var.enable_vtpm
    enable_integrity_monitoring = var.enable_integrity_monitoring
  }

  # Network interface configuration
  network_interface {
    network            = var.instance_network
    subnetwork         = var.instance_subnetwork
    subnetwork_project = var.project_name
  }

  # Configuration using metadata
  metadata = {
    block-project-ssh-keys = var.block-project-ssh-keys
    enable-oslogin         = var.enable-oslogin
    serial-port-enable     = var.serial_port_enable
  }
}

# Creating KMS key ring
resource "google_kms_key_ring" "gkkr" {
  name     = var.kms_key_ring_name
  location = var.kms_key_ring_location
}

# Creating KMS crypto key
resource "google_kms_crypto_key" "gkck" {
  name            = var.kms_crypto_key_name
  key_ring        = google_kms_key_ring.gkkr.self_link
  rotation_period = var.kms_crypto_key_rotation
}

# Creating IAM role and member
resource "google_project_iam_member" "grant-google-compute-service-encrypt-decrypt" {
  role   = var.role_to_compute
  member = var.member_to_compute
}
```
variables.tf

```hcl
variable "project_name" {
  description = "The ID of the Google Cloud project"
  type        = string
}

#############--------------- Instance---------###############
variable "instance_name" {
  description = "Name of VM"
  type        = string
}

variable "instance_zone" {
  description = "GC zone"
  type        = string
}

variable "instance_tags" {
  description = "tags to be given to VM"
  type        = list(string)
  #type = "list"
}

variable "instance_machine_type" {
  description = "List of VM sizes: https://github.com/Eimert/terraform-google-compute-engine-instance#machine_type"
  type        = string
}

variable "scope" {
  description = "grant specific API's access to VM"
  type        = list(string)
}

variable "instance_boot_image" {
  description = "List of VM sizes: https://github.com/Eimert/terraform-google-compute-engine-instance#machine_type"
  type        = string
}

variable "enable_secure_boot" {
  description = "enabling the secure boot of VM"
  type        = bool
}

variable "enable_vtpm" {
  description = "enabling the vtpm in VM"
  type        = bool
}

variable "enable_integrity_monitoring" {
  description = "enable_integrity_monitoring in VM"
  type        = bool
}

variable "instance_network" {
  description = "network where VM belong"
  type        = string
}

variable "instance_subnetwork" {
  description = "Subnetwork where VM belong"
  type        = string
}

variable "can_ip_forward" {
  description = "restriction on ip forwarding"
  type        = bool
}

variable "block-project-ssh-keys" {
  description = "block-project-ssh-keys in VM"
  type        = bool
}

variable "enable-oslogin" {
  description = "enable-oslogin in VM"
  type        = bool
}

variable "serial_port_enable" {
  description = "serial-port-enabling or not in VM"
  type        = bool
}

#######----google_kms_key_ring---#########
variable "kms_key_ring_name" {
  description = "Name of the kms key ring"
  type        = string
}

variable "kms_key_ring_location" {
  description = "location of the kms key ring"
  type        = string
}

#####------kms_crypto_key----#############
variable "kms_crypto_key_name" {
  description = "Name of the kms_crypto_key"
  type        = string
}

variable "kms_crypto_key_rotation" {
  description = "rotation of the kms_crypto_key"
  type        = string
}

###----- IAM role to compute service------#####
variable "role_to_compute" {
  description = "IAM role to compute service"
  type        = string
}

variable "member_to_compute" {
  description = "IAM member to compute service"
  type        = string
}
```
tfvars

```hcl
project_name                = "PROJECT_NAME"
instance_name               = "abc-instance"
instance_zone               = "us-central1-a"
instance_tags               = ["node-server1"]
instance_machine_type       = "n1-standard-1"
scope                       = ["bigquery"]
enable_secure_boot          = true
enable_vtpm                 = true
enable_integrity_monitoring = true
instance_boot_image         = "ubuntu-1804-bionic-v20200317"
instance_network            = "myvpc1"
instance_subnetwork         = "myvpc1"
can_ip_forward              = true
block-project-ssh-keys      = true
enable-oslogin              = true
serial_port_enable          = false
kms_key_ring_name           = "gci-key"
kms_key_ring_location       = "us-central1"
kms_crypto_key_name         = "gce-key"
kms_crypto_key_rotation     = "86401s"
role_to_compute             = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member_to_compute           = "serviceAccount:[email protected]"
```
constraints file (compute_allowed_network.yaml)

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeAllowedNetworksConstraintV2
metadata:
  name: allowed-networks
spec:
  severity: high
  match:
    gcp:
      target: ["organizations/*"]
  parameters:
    allowed:
      - https://www.googleapis.com/compute/v1/projects/project_name/global/networks/default
```
Issue:

I am running these commands:

```shell
terraform init
terraform plan -out tfplan.plan
terraform show -json tfplan.plan > tfplan.json
./terraform-validator-linux-amd64 validate ./tfplan.json --policy-path POLICY_PATH
```

(I tested using Terraform 0.13 as well as 0.12.)

While scanning the plan, it reports that no violations were found. But it should throw an error for the network name.
Also, for the other constraints, it is not throwing a violation error.
Templates used:

- compute_allowed_networks.yaml
- compute_zone.yaml
- compute_disk_resource_policies.yaml
- compute_forbid_ip_forward.yaml

Out of these, only the IP forward violation is reported, whereas all 4 should be.
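The allowed-networks constraint above only does its job if the network reference in the plan and the entry in the allow-list are compared in one canonical form: Terraform accepts a bare name such as `myvpc1`, a relative `projects/.../global/networks/...` path, or a full URL, while the constraint lists a full `compute/v1` self-link. The script below is an added example (not part of the issue, not terraform-validator's own code, and not how terraform-validator implements the check) that reads a `terraform show -json` plan, normalises each `google_compute_instance` network interface to a v1 self-link, and reports every interface whose network is outside the allow-list. The embedded plan JSON is constructed and cut down to the fields the check reads; `PROJECT_NAME` is the placeholder from the tfvars, and the `planned_values` / `root_module` / `child_modules` layout is the documented plan-JSON shape.

```python
import json
import re
from typing import Iterator, List, Optional

# Constructed sample of `terraform show -json tfplan.plan` output, trimmed to the
# keys this check reads (planned_values -> root_module -> resources[].values).
# A real plan carries many more fields; this is an assumption about shape only.
SAMPLE_PLAN_JSON = """
{
  "format_version": "0.1",
  "planned_values": {"root_module": {"resources": [
    {"address": "google_compute_instance.compute-service", "mode": "managed",
     "type": "google_compute_instance", "name": "compute-service",
     "values": {"name": "abc-instance", "project": "PROJECT_NAME",
                "zone": "us-central1-a", "can_ip_forward": true,
                "network_interface": [
                  {"network": "myvpc1", "subnetwork": "myvpc1",
                   "subnetwork_project": "PROJECT_NAME"}]}},
    {"address": "google_kms_key_ring.gkkr", "mode": "managed",
     "type": "google_kms_key_ring", "name": "gkkr",
     "values": {"name": "gci-key", "location": "us-central1"}}
  ]}}
}
"""

# The allow-list from the constraint in the post, with the project placeholder
# set to the tfvars value (assumption: a real constraint carries the real project id).
ALLOWED_NETWORKS = [
    "https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/global/networks/default",
]

COMPUTE_V1 = "https://www.googleapis.com/compute/v1/"
_FULL_URL = re.compile(
    r"^https://www\.googleapis\.com/compute/(?:v1|beta|alpha)/(projects/.+)$"
)


def canonical_network(network: str, project: Optional[str] = None) -> str:
    """Normalise a network reference to its compute/v1 self-link.

    Handles a full URL on any API version, a relative "projects/..." path,
    a "global/networks/<name>" path, and a bare name resolved in `project`.
    """
    m = _FULL_URL.match(network)
    if m:
        return COMPUTE_V1 + m.group(1)
    if network.startswith("projects/"):
        return COMPUTE_V1 + network
    if project is None:
        # A bare name with no project context cannot be resolved; returning it
        # unchanged means it will simply not match any full-URL allow-list entry.
        return network
    if network.startswith("global/networks/"):
        return f"{COMPUTE_V1}projects/{project}/{network}"
    return f"{COMPUTE_V1}projects/{project}/global/networks/{network}"


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk the root module and every nested child_modules entry."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_network_violations(plan: dict, allowed: List[str]) -> List[dict]:
    """Return one finding per network_interface whose network is not allowed."""
    allowed_set = {canonical_network(a) for a in allowed}
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_compute_instance":
            continue
        values = res.get("values") or {}
        project = values.get("project")
        for idx, nic in enumerate(values.get("network_interface") or []):
            network = nic.get("network")
            if not network:
                continue  # values unknown until apply are absent from planned_values
            full = canonical_network(network, project)
            if full not in allowed_set:
                findings.append({
                    "address": res.get("address"),
                    "field": f"network_interface[{idx}].network",
                    "network": full,
                    "allowed": sorted(allowed_set),
                })
    return findings


def check_sample_plan(allowed: List[str] = ALLOWED_NETWORKS) -> List[dict]:
    """Run the check on the embedded sample plan against `allowed`."""
    return find_network_violations(json.loads(SAMPLE_PLAN_JSON), allowed)


if __name__ == "__main__":
    for f in check_sample_plan():
        print(f"VIOLATION {f['address']} {f['field']} = {f['network']} "
              f"not in {f['allowed']}")
```

With the sample plan and the `default`-only allow-list, the script reports `google_compute_instance.compute-service network_interface[0].network` resolving to `.../projects/PROJECT_NAME/global/networks/myvpc1`, which is the finding the constraint is expected to raise; adding the `myvpc1` self-link to the allow-list (even as a `compute/beta` URL) makes the finding disappear, which is the point of normalising both sides first.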