zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Finalize onprem-sa-ket-mgmt example

This commit is contained in:
averbukh 2021-12-13 22:36:42 +01:00
parent 4fd1ccb982
commit 50b88fe288
6 changed files with 100 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -23,7 +23,7 @@ Currently available examples:
- **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments) - **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments)
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall) - **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow](./data-solutions/gcs-to-bq-with-dataflow/) - **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow](./data-solutions/gcs-to-bq-with-dataflow/)
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder) - **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management)
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift) - **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
- **factories** - [Example environments](./factories/example-environments), [Hierarchical Firewall Policies](./factories/firewall-hierarchical-policies), [VPC Firewall Rules](./factories/firewall-vpc-rules), [Subnets](./factories/subnets) - **factories** - [Example environments](./factories/example-environments), [Hierarchical Firewall Policies](./factories/firewall-hierarchical-policies), [VPC Firewall Rules](./factories/firewall-vpc-rules), [Subnets](./factories/subnets)

7
cloud-operations/README.md
View File

@ -45,3 +45,10 @@ The example's feed tracks changes to Google Compute instances, and the Cloud Fun
<a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io). <a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).
<br clear="left"> <br clear="left">
## On-prem Service Account key management
This [example](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by generating a key pair and uploading the public part of the key to GCP.
<br clear="left">

72
cloud-operations/onprem-sa-key-management/README.md
View File

@ -1,41 +1,65 @@
# Generationg and uploading public keys for a service accounts # Managing on-prem service account keys by uploading public keys
This example shows how to manage IAM Service Account Keys by generating a key pair and uploading public keys to GCP. When managing GCP Service Accounts with terraform, it's often a question on **how to avoid Service Account Key in the terraform state?**
This example shows how to manage IAM Service Account Keys by generating a key pair and uploading the public part of the key to GCP, it has the following benefits:
- no [passing keys between users](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#pass-between-users) or systems
- no SA key stored in the terraform state (only public part of the key in the state)
- let keys [expire automatically](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#key-expiryhaving)
By generating a key inside a `box` where the key is intended to be used we AVOID:
- [passing keys between users](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#pass-between-users) or systems
- having SA key stored in the terraform state (only public part in the state)
- having SA key with no expiration period
TODO (averbukh)
## Running the example ## Running the example
# cleaning up example keys
- rm -f /public-keys/data-uploader/
- rm -f /public-keys/prisma-security/
# generate your keys Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=cloud-operations%2Fonprem-sa-key-management&cloudshell_open_in_editor=cloudshell_open%2Fcloud-foundation-fabric%2Fcloud-operations%2Fonprem-sa-key-management%2Fvariables.tf), then go through the following steps to create resources:
- mkdir keys && cd keys
- openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \ Cleaning up example keys
```bash
rm -f /public-keys/data-uploader/
rm -f /public-keys/prisma-security/
```
Generate keys for service accounts
```bash
mkdir keys && cd keys
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout data_uploader_private_key.pem \ -keyout data_uploader_private_key.pem \
-out ../public-keys/data-uploader/public_key.pem \ -out ../public-keys/data-uploader/public_key.pem \
-subj "/CN=unused" -subj "/CN=unused"
- openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \ openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout prisma_security_private_key.pem \ -keyout prisma_security_private_key.pem \
-out ../public-keys/prisma-security/public_key.pem \ -out ../public-keys/prisma-security/public_key.pem \
-subj "/CN=unused" -subj "/CN=unused"
```
- cd .. Deploy service accounts and keys
- terraform init ```bash
- terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT cd ..
terraform init
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json ```
- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
- contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json Extract JSON credentials templates from terraform output and put the private part of the keys into templates
- contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json ```bash
terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
- gcloud auth activate-service-account --key-file prisma-security.json contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
- gcloud auth activate-service-account --key-file data-uploader.json contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
```
## Testing the example
Validate that service accounts json credentials are valid
```bash
gcloud auth activate-service-account --key-file prisma-security.json
gcloud auth activate-service-account --key-file data-uploader.json
```
## Cleaning up
```bash
terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
```
<!-- BEGIN TFDOC --> <!-- BEGIN TFDOC -->
## Variables ## Variables
@ -43,7 +67,7 @@ TODO (averbukh)
| name | description | type | required | default | | name | description | type | required | default |
|---|---|:---: |:---:|:---:| |---|---|:---: |:---:|:---:|
| project_id | Project id. | <code title="">string</code> | ✓ | | | project_id | Project id. | <code title="">string</code> | ✓ | |
| *project_create* | Create project instead ofusing an existing one. | <code title="">bool</code> | | <code title="">false</code> | | *project_create* | Create project instead of using an existing one. | <code title="">bool</code> | | <code title="">false</code> |
## Outputs ## Outputs

45
cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt
View File

@ -1,5 +1,46 @@
################################# Quickstart ################################# ################################# Quickstart #################################
TODO(averbukh)
Refer to the README.md file for more info and testing flow. # cleaning up example keys
- rm -f /public-keys/data-uploader/
- rm -f /public-keys/prisma-security/
# generate keys for service accounts
- mkdir keys && cd keys
- openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout data_uploader_private_key.pem \
-out ../public-keys/data-uploader/public_key.pem \
-subj "/CN=unused"
- openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout prisma_security_private_key.pem \
-out ../public-keys/prisma-security/public_key.pem \
-subj "/CN=unused"
# deploy service accounts and keys
- cd ..
- terraform init
- terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
# extract JSON credentials templates from terraform output and put the private part of the keys into templates
- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
- contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
- contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
# validate that service accounts json credentials are valid
- gcloud auth activate-service-account --key-file prisma-security.json
- gcloud auth activate-service-account --key-file data-uploader.json
# cleaning up
- terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT

1
cloud-operations/onprem-sa-key-management/main.tf
View File

@ -14,7 +14,6 @@
* limitations under the License. * limitations under the License.
*/ */
module "project" { module "project" {
source = "../../modules/project" source = "../../modules/project"
name = var.project_id name = var.project_id

2
cloud-operations/onprem-sa-key-management/variables.tf
View File

@ -15,7 +15,7 @@
*/ */
variable "project_create" { variable "project_create" {
description = "Create project instead ofusing an existing one." description = "Create project instead of using an existing one."
type = bool type = bool
default = false default = false
} }