Finalize onprem-sa-ket-mgmt example
parent 4fd1ccb982
commit 50b88fe288
@ -23,7 +23,7 @@ Currently available examples:
|
||||||
- **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments)
|
- **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments)
|
||||||
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
|
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
|
||||||
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow](./data-solutions/gcs-to-bq-with-dataflow/)
|
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow](./data-solutions/gcs-to-bq-with-dataflow/)
|
||||||
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder)
|
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management)
|
||||||
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
|
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
|
||||||
- **factories** - [Example environments](./factories/example-environments), [Hierarchical Firewall Policies](./factories/firewall-hierarchical-policies), [VPC Firewall Rules](./factories/firewall-vpc-rules), [Subnets](./factories/subnets)
|
- **factories** - [Example environments](./factories/example-environments), [Hierarchical Firewall Policies](./factories/firewall-hierarchical-policies), [VPC Firewall Rules](./factories/firewall-vpc-rules), [Subnets](./factories/subnets)
|
||||||
|
|
||||||
|
|
|
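Review bot: the edited cloud operations line still carries the double slash in `(.//cloud-operations/asset-inventory-feed-remediation)`; since this line is being touched anyway, change it to `./cloud-operations/asset-inventory-feed-remediation` so every entry uses the same `./` prefix. The new entry `[On-prem SA key management](./cloud-operations/onprem-sa-key-management)` is fine, but the section heading added in the cloud-operations README spells out "Service Account"; using one form in both places makes the example easier to find.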
@ -45,3 +45,10 @@ The example's feed tracks changes to Google Compute instances, and the Cloud Fun
|
||||||
<a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).
|
<a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).
|
||||||
|
|
||||||
<br clear="left">
|
<br clear="left">
## On-prem Service Account key management
This [example](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by generating a key pair and uploading the public part of the key to GCP.
<br clear="left">
|
|
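Review bot: the new "On-prem Service Account key management" section ends with `<br clear="left">` but, unlike the Packer section above it, has no left-floated `<a href=...><img src=".../diagram.png" align="left" width="280px"></a>` for it to clear; either add a diagram for the example in the same style or drop the `<br clear="left">`, since it only exists to clear a floated image.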
@ -1,41 +1,65 @@
|
||||||
# Generationg and uploading public keys for a service accounts
|
# Managing on-prem service account keys by uploading public keys
|
||||||
|
|
||||||
This example shows how to manage IAM Service Account Keys by generating a key pair and uploading public keys to GCP.
|
When managing GCP Service Accounts with terraform, it's often a question on **how to avoid Service Account Key in the terraform state?**
This example shows how to manage IAM Service Account Keys by generating a key pair and uploading the public part of the key to GCP, it has the following benefits:
- no [passing keys between users](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#pass-between-users) or systems
|
||||||
|
- no SA key stored in the terraform state (only public part of the key in the state)
|
||||||
|
- let keys [expire automatically](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#key-expiryhaving)
|
||||||
|
|
||||||
By generating a key inside a `box` where the key is intended to be used we AVOID:
|
|
||||||
- [passing keys between users](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#pass-between-users) or systems
|
|
||||||
- having SA key stored in the terraform state (only public part in the state)
|
|
||||||
- having SA key with no expiration period
TODO (averbukh)
|
|
||||||
## Running the example
|
## Running the example
|
||||||
# cleaning up example keys
|
|
||||||
- rm -f /public-keys/data-uploader/
|
|
||||||
- rm -f /public-keys/prisma-security/
# generate your keys
|
Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=cloud-operations%2Fonprem-sa-key-management&cloudshell_open_in_editor=cloudshell_open%2Fcloud-foundation-fabric%2Fcloud-operations%2Fonprem-sa-key-management%2Fvariables.tf), then go through the following steps to create resources:
|
||||||
- mkdir keys && cd keys
|
|
||||||
- openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
|
Cleaning up example keys
|
||||||
|
```bash
|
||||||
|
rm -f /public-keys/data-uploader/
|
||||||
|
rm -f /public-keys/prisma-security/
|
||||||
|
```
Generate keys for service accounts
|
||||||
|
```bash
|
||||||
|
mkdir keys && cd keys
|
||||||
|
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
|
||||||
-keyout data_uploader_private_key.pem \
|
-keyout data_uploader_private_key.pem \
|
||||||
-out ../public-keys/data-uploader/public_key.pem \
|
-out ../public-keys/data-uploader/public_key.pem \
|
||||||
-subj "/CN=unused"
|
-subj "/CN=unused"
|
||||||
- openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
|
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
|
||||||
-keyout prisma_security_private_key.pem \
|
-keyout prisma_security_private_key.pem \
|
||||||
-out ../public-keys/prisma-security/public_key.pem \
|
-out ../public-keys/prisma-security/public_key.pem \
|
||||||
-subj "/CN=unused"
|
-subj "/CN=unused"
|
||||||
|
```
|
||||||
|
|
||||||
- cd ..
|
Deploy service accounts and keys
|
||||||
- terraform init
|
```bash
|
||||||
- terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
|
cd ..
|
||||||
|
terraform init
|
||||||
|
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
|
||||||
|
|
||||||
- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
|
```
|
||||||
- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
- contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
|
Extract JSON credentials templates from terraform output and put the private part of the keys into templates
|
||||||
- contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
|
```bash
|
||||||
|
terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
|
||||||
|
terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
|
||||||
|
|
||||||
- gcloud auth activate-service-account --key-file prisma-security.json
|
contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
|
||||||
- gcloud auth activate-service-account --key-file data-uploader.json
|
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
|
||||||
|
```
## Testing the example
|
||||||
|
Validate that service accounts json credentials are valid
|
||||||
|
```bash
|
||||||
|
gcloud auth activate-service-account --key-file prisma-security.json
|
||||||
|
gcloud auth activate-service-account --key-file data-uploader.json
|
||||||
|
```
## Cleaning up
|
||||||
|
```bash
|
||||||
|
terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
|
||||||
|
```
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
|
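Review bot: the key cleanup at the top of "Running the example" (`rm -f /public-keys/data-uploader/` and `rm -f /public-keys/prisma-security/`) points at an absolute path under the filesystem root and names a directory, so `rm -f` without `-r` removes nothing; the files the `openssl` steps actually write are `../public-keys/data-uploader/public_key.pem` and `../public-keys/prisma-security/public_key.pem` relative to `keys/`, so this should read `rm -f ./public-keys/data-uploader/public_key.pem ./public-keys/prisma-security/public_key.pem`. Two smaller points: the anchor in `[expire automatically](...#key-expiryhaving)` has "having" glued on from the removed bullet "having SA key with no expiration period" and should be the real section anchor; and "Cleaning up" only runs `terraform destroy`, while the private keys in `keys/` and the assembled `data-uploader.json` / `prisma-security.json` (which embed the private key after the `jq` step) are left on disk, so add them to the cleanup and consider a `chmod 600` on them right after they are written.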
@ -1,5 +1,46 @@
################################# Quickstart #################################
|
################################# Quickstart #################################
|
||||||
TODO(averbukh)
|
|
||||||
Refer to the README.md file for more info and testing flow.
|
# cleaning up example keys
- rm -f /public-keys/data-uploader/
|
||||||
|
- rm -f /public-keys/prisma-security/
# generate keys for service accounts
- mkdir keys && cd keys
|
||||||
|
- openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
|
||||||
|
-keyout data_uploader_private_key.pem \
|
||||||
|
-out ../public-keys/data-uploader/public_key.pem \
|
||||||
|
-subj "/CN=unused"
|
||||||
|
- openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
|
||||||
|
-keyout prisma_security_private_key.pem \
|
||||||
|
-out ../public-keys/prisma-security/public_key.pem \
|
||||||
|
-subj "/CN=unused"
# deploy service accounts and keys
- cd ..
|
||||||
|
- terraform init
|
||||||
|
- terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
# extract JSON credentials templates from terraform output and put the private part of the keys into templates
- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
|
||||||
|
- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
|
||||||
|
|
||||||
|
- contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
|
||||||
|
- contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
# validate that service accounts json credentials are valid
- gcloud auth activate-service-account --key-file prisma-security.json
|
||||||
|
- gcloud auth activate-service-account --key-file data-uploader.json
# cleaning up
|
||||||
|
- terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
|
||||||
|
|
|
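Review bot: the same cleanup bug is copied here (`- rm -f /public-keys/data-uploader/` and `- rm -f /public-keys/prisma-security/`): absolute path plus a directory target, so nothing is removed; fix it to the relative `public_key.pem` paths used by the `-out` arguments. More generally, this replaces the one-line "Refer to the README.md file for more info and testing flow." with a verbatim copy of the README's command list, which will drift the next time either file changes; keep the pointer to the README and only the minimal commands here, or generate this quickstart from the README.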
@ -14,7 +14,6 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
module "project" {
|
module "project" {
|
||||||
source = "../../modules/project"
|
source = "../../modules/project"
|
||||||
name = var.project_id
|
name = var.project_id
|
||||||
|
|
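Review bot: whitespace-only change (the blank line between the license comment `*/` and `module "project" {` is dropped); it has no functional effect, and since the commit is about finalizing the example's documentation it could be left out to keep the diff focused on the docs.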