A Terraform code for deploying GKE Policy Automation as an automatic serverless solution on Google Cloud Platform.
The solution leverages the below GCP components:
- Cloud Scheduler to trigger execution of a GKE Policy Automation tool in a periodic manner
- Cloud Run Jobs to run containerized GKE Policy Automation tool
- Artifact Registry to store GKE Policy Automation tool container image locally
- Cloud Asset Inventory to discover GKE clusters in GCP organization, selected folders or projects
- Optionally, Cloud Storage, Cloud Pub/Sub, or Security Command Center as destinations for cluster evaluation results
- Terraform tool, version >=1.13
gcloudcommand- Exiting project for GKE Policy Automation resources
- IAM permissions to create resources in the GKE Policy Automation project
- IAM permissions to create new IAM role bindings on projects, folders or organization levels (depending on desired cluster discovery or outputs configuration)
Provision infrastructure with Terraform:
-
Set Terraform configuration variables (check examples or inputs below for details).
Example
tfvarsfile:project_id = "gke-policy-123" region = "europe-west2" discovery { projects = ["gke-project-one", "gke-project-two"] } output_storage = { enabled = true bucket_name = "gke-validations" bucket_location = "EU" }
-
Adjust GKE Policy Automation's
config.yamlaccordingly (check User Guide for details). -
Run
terraform init -
Run
terraform apply -var-file <your-sample-vars-file.tfvars>
Push container image to Artifact Registry and create Cloud Run job:
-
Set environmental variables using env file generated by Terraform
source ./cloudrun-config-env.sh -
Automatic option: run
./cloudrun-config.shscriptNOTE: script can be also executed automatically by Terraform with local-exec by setting run_script variable to
true. In a such case, script also sets all required environmental variables. -
Manual option: run below commands
-
Pull latest GKE Policy Automation container image
docker pull ghcr.io/google/gke-policy-automation:latest
-
Authenticate to Artifact Registry
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://${GKE_PA_REGION}-docker.pkg.dev
-
Tag GKE Policy automation container image
docker tag ghcr.io/google/gke-policy-automation:latest ${GKE_PA_REGION}-docker.pkg.dev/${GKE_PA_PROJECT_ID}/gke-policy-automation/gke-policy-automation:latest
-
Push GKE Policy automation container image to Artifact Registry
docker push ${GKE_PA_REGION}-docker.pkg.dev/${GKE_PA_PROJECT_ID}/gke-policy-automation/gke-policy-automation:latest
-
Create Cloud Run job
gcloud beta run jobs create ${GKE_PA_JOB_NAME} \ --image ${GKE_PA_REGION}-docker.pkg.dev/${GKE_PA_PROJECT_ID}/gke-policy-automation/gke-policy-automation:latest\ --command=/gke-policy,check \ --args=-c,/etc/secrets/config.yaml \ --set-secrets /etc/secrets/config.yaml=${GKE_PA_SECRET_NAME}:latest \ --service-account=${GKE_PA_SA_EMAIL} \ --set-env-vars=GKE_POLICY_LOG=INFO \ --region=${GKE_PA_REGION} \ --project=${GKE_PA_PROJECT_ID}"
-
The Terraform script within this folder enables all required APIs for you and creates necessary service accounts and IAM bindings. Depending on configured cluster discovery options, corresponding IAM bindings for GKE Policy Automation Service Account are created on projects, folders or organization levels. The code also creates the Artifact Registry required by Cloud Run and a the Secret Manager secret for storing tool's configuration file.
Depending on configured outputs, the code will provision corresponding resources and IAM role bindings for Cloud Storage, Pub/Sub or Security Command Center.
Lastly, the script creates a Cloud Scheduler running once per day to trigger Cloud Run Job.
-
Cluster discovery on provided projects and Cloud Storage output
project_id = "gke-policy-123" region = "europe-west2" discovery = { projects = [ "gke-project-01", "gke-project-02" ] } output_storage = { enabled = true bucket_name = "gke-validations" bucket_location = "EU" }
-
Cluster discovery on selected folders, Pub/Sub and Security Command Center outputs
project_id = "gke-policy-123" region = "europe-west2" discovery = { folders = [ "112316249356", "246836235717" ] } output_pubsub = { enabled = true topic = "gke-validations" } output_scc = { enabled = true organization = "123456789012" }
-
Cluster discovery on the organization with a Security Command Center output
project_id = "gke-policy-123" region = "europe-west2" discovery = { organization = "123456789012" } output_scc = { enabled = true organization = "153963171798" }
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
| project_id | Identifier of an existing GCP project for GKE Policy Automation resources. | string |
✓ | |
| region | GCP region for GKE Policy Automation resources. | string |
✓ | |
| discovery | Configuration of cluster discovery mechanism. Check discovery attributes. | object |
✓ | |
| job_name | Name of a Cloud Run Job for GKE Policy Automation container. | string |
gke-policy-automation |
|
| config_file_path | Path to the YAML file with GKE Policy Automation configuration. | string |
config.yaml |
|
| cron_interval | CRON interval for triggering the GKE Policy Automation job. | string |
"0 1 * * * |
|
| run_script | Indicates whether to run script for populating Artifact Registry and Cloud Run Jobs. | bool |
false |
|
| output_storage | Configuration of Cloud Storage output. Check Cloud Storage attributes. | object |
{"enabled" = false} |
|
| output_pubsub | Configuration of Pub/Sub output. Check Pub/Sub attributes | object |
{"enabled" = false} |
|
| output_scc | Configuration of Security Command Center output. Check Security Command Center attributes. | object |
{"enabled" = false} |
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
| organization | The organization number to provision discovery resources for. One of organization, folders or projects is required. |
string |
null |
|
| folders | List of folder numbers to provision discovery resources for. One of organization, folders or projects is required. |
list(string) |
[] |
|
| projects | List of project identifiers to provision discovery resources for. One of organization, folders or projects is required. |
list(string) |
[] |
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
| enabled | Indicates if resources for Cloud Storage output will be provisioned. | bool |
✓ | |
| bucket_name | The name of a bucket that will be provisioned. | string |
✓ | |
| bucket_location | The location of a bucket that will be provisioned. | string |
✓ |
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
| enabled | Indicates if resources for Pub/Sub output will be provisioned. | bool |
✓ | |
| topic | The name of a topic that will be provisioned. | string |
✓ |
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
| enabled | Indicates if resources for Pub/Sub output will be provisioned. | bool |
✓ | |
| organization | The organization number to provision discovery resources for. | string |
✓ | |
| provision_source | Indicates weather to provision roles/securitycenter.sourcesAdmin for the tool, so it will be able to automatically register itself as a source. If not enabled, then this has to be done manually beforehand. |
bool |
true |
| name | description | sensitive |
|---|---|---|
| sa_email | GKE Policy Automation service account's email address. | |
| repository_id | Identifier of a GKE Policy Automation repository. | |
| config_secret_id | Identifier of a GKE Policy Automation configuration secret. | |
| env_variables_file | File with environmental variables for Artifact Registry and Cloud Run configuration. |
If your Cloud Run scheduler shows an error message before you have deployed your Cloud Run Job, please ignore it. The scheduler cannot reach the job before it has been deployed. If the scheduler still shows an error after you have deployed the job AND it has been triggered at least once afterwards, then something is wrong.