feat: add Shielded VMs & OS Login org policies (#283)

terraform-google-modules · Mar 31, 2021 · 07a201e · 07a201e
1 parent f40c5fe
commit 07a201e
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 0 deletions.
diff --git a/1-org/README.md b/1-org/README.md
@@ -21,6 +21,10 @@ You can change the filters & sinks by modifying the configuration in `envs/share
 
 **Note:** Currently, this module does not enable bucket policy retention for organization logs, please, enable it if needed.
 
+**Note:** It is possible to enable an organization policy for [OS Login](https://cloud.google.com/compute/docs/oslogin/manage-oslogin-in-an-org) with this module.
+OS Login has some [limitations](https://cloud.google.com/compute/docs/instances/managing-instance-access#limitations).
+If those limitations do not apply to your workload/environment you can choose to enable the OS Login policy by setting variable `enable_os_login_policy` to `true`.
+
 ### Setup to run via Cloud Build
 1. Clone repo `gcloud source repos clone gcp-org --project=YOUR_CLOUD_BUILD_PROJECT_ID` (this is from terraform output from the previous section, 0-bootstrap).
 1. Navigate into the repo `cd gcp-org` and change to a non production branch `git checkout -b plan`

diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -15,6 +15,8 @@
 | dns\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the DNS hub project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | dns\_hub\_project\_budget\_amount | The amount to use as the budget for the DNS hub project. | `number` | `1000` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. | `list(string)` | n/a | yes |
+| enable\_os\_login\_policy | Enable OS Login policy. | `bool` | `false` | no |
+| enable\_shielded\_vm\_policy | Enable Shielded VMs policy. | `bool` | `false` | no |
 | interconnect\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the interconnect project. | `string` | `null` | no |
 | interconnect\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the interconnect project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | interconnect\_project\_budget\_amount | The amount to use as the budget for the interconnect project. | `number` | `1000` | no |

diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf
@@ -91,6 +91,30 @@ module "org_shared_vpc_lien_removal" {
   constraint      = "constraints/compute.restrictXpnProjectLienRemoval"
 }
 
+module "org_shared_require_shielded_vm" {
+  source          = "terraform-google-modules/org-policy/google"
+  count           = var.enable_shielded_vm_policy ? 1 : 0
+  version         = "~> 3.0"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
+  policy_type     = "boolean"
+  enforce         = "true"
+  constraint      = "constraints/compute.requireShieldedVm"
+}
+
+module "org_shared_require_os_login" {
+  source          = "terraform-google-modules/org-policy/google"
+  count           = var.enable_os_login_policy ? 1 : 0
+  version         = "~> 3.0"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
+  policy_type     = "boolean"
+  enforce         = "true"
+  constraint      = "constraints/compute.requireOsLogin"
+}
+
 /******************************************
   Cloud SQL
 *******************************************/

diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -49,6 +49,18 @@ variable "domains_to_allow" {
   type        = list(string)
 }
 
+variable "enable_shielded_vm_policy" {
+  description = "Enable Shielded VMs policy."
+  type        = bool
+  default     = false
+}
+
+variable "enable_os_login_policy" {
+  description = "Enable OS Login policy."
+  type        = bool
+  default     = false
+}
+
 variable "audit_logs_table_expiration_days" {
   description = "Period before tables expire for all audit logs in milliseconds. Default is 30 days."
   type        = number

diff --git a/test/fixtures/org/main.tf b/test/fixtures/org/main.tf
@@ -33,4 +33,6 @@ module "test" {
   create_access_context_manager_access_policy = false
   audit_logs_table_delete_contents_on_destroy = true
   log_export_storage_force_destroy            = true
+  enable_shielded_vm_policy                   = true
+  enable_os_login_policy                      = true
 }
diff --git a/test/integration/org/controls/gcloud_policy.rb b/test/integration/org/controls/gcloud_policy.rb
@@ -21,6 +21,8 @@
   'constraints/compute.disableGuestAttributesAccess',
   'constraints/compute.vmExternalIpAccess',
   'constraints/compute.skipDefaultNetworkCreation',
+  'constraints/compute.requireOsLogin',
+  'constraints/compute.requireShieldedVm',
   'constraints/compute.restrictXpnProjectLienRemoval',
   'constraints/sql.restrictPublicIp',
   'constraints/iam.disableServiceAccountKeyCreation',