feat: Update terraform-validator version, instructions and CMEK bucket (

#397)

* update terraform-validator instructions in bootstrap README

* use new version of terraform-validator and use simple_bucket module in cmek example

* fix terraform lint error

* replace bind with neutral link

* fix terraform-validator version in infra pipeline

0-bootstrap/README.md

@@ -38,10 +38,10 @@ If you are using the `jenkins_bootstrap` sub-module, please see [README-Jenkins]
 1. Copy tfvars by running `cp terraform.example.tfvars terraform.tfvars` and update `terraform.tfvars` with values from your environment.
 1. Run `terraform init`
 1. Run `terraform plan` and review output
-1. To run terraform-validator steps please follow these [instructions](https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#install-terraform-validator) and install the latest version.
+1. To run terraform-validator steps please follow the [instructions](https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#install-terraform-validator) in the **Install Terraform Validator** section and install version `2021-03-22`. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator`.
     1. Run `terraform plan -input=false -out bootstrap.tfplan`
     1. Run `terraform show -json bootstrap.tfplan > bootstrap.json`
-    1. Run `terraform-validator validate bootstrap.json --policy-path="../policy-library" --project <A-VALID-PROJECT>` and check for violations.
+    1. Run `terraform-validator validate bootstrap.json --policy-path="../policy-library" --project <A-VALID-PROJECT-ID>` and check for violations (`<A-VALID-PROJECT-ID>` must be an existing project you have access to, this is necessary because Terraform-validator needs to link resources to a valid Google Cloud Platform project).
 1. Run `terraform apply`
 1. Run `terraform output gcs_bucket_tfstate` to get your GCS bucket from the apply step
 1. Copy the backend by running `cp backend.tf.example backend.tf` and update `backend.tf` with your GCS bucket.

0-bootstrap/main.tf

@@ -114,7 +114,7 @@ module "cloudbuild_bootstrap" {
   cloudbuild_apply_filename   = "cloudbuild-tf-apply.yaml"
   project_prefix              = var.project_prefix
   cloud_source_repos          = var.cloud_source_repos
-  terraform_validator_release = "2021-01-21"
+  terraform_validator_release = "2021-03-22"
   terraform_version           = "0.13.6"
   terraform_version_sha256sum = "55f2db00b05675026be9c898bdd3e8230ff0c5c78dd12d743ca38032092abfc9"
 

0-bootstrap/modules/jenkins-agent/files/jenkins_gce_startup_script.sh

@@ -42,7 +42,7 @@ wget "https://releases.hashicorp.com/terraform/${tpl_TERRAFORM_VERSION}/terrafor
     rm -rf /var/lib/apt/lists/*
 
 echo "**** Startup Step 6/9: Download and install the Terraform validator ****"
-gsutil cp gs://terraform-validator/releases/2021-01-21/terraform-validator-linux-amd64 .
+gsutil cp gs://terraform-validator/releases/2021-03-22/terraform-validator-linux-amd64 .
 chmod 755 "${tpl_TERRAFORM_DIR}terraform-validator-linux-amd64"
 mv "${tpl_TERRAFORM_DIR}terraform-validator-linux-amd64" "${tpl_TERRAFORM_DIR}terraform-validator"
 

4-projects/business_unit_1/development/example_storage_cmek.tf

@@ -65,12 +65,14 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
-  depends_on           = [module.kms]
-  source               = "terraform-google-modules/cloud-storage/google"
-  version              = "~> 1.7"
-  project_id           = module.base_shared_vpc_project.project_id
-  location             = var.location_gcs
-  names                = [random_string.bucket_name.result]
-  prefix               = var.gcs_bucket_prefix
-  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+  depends_on         = [module.kms]
+  source             = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version            = "~> 1.7"
+  project_id         = module.base_shared_vpc_project.project_id
+  location           = var.location_gcs
+  name               = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
+  bucket_policy_only = true
+  encryption = {
+    default_kms_key_name = module.kms.keys[var.key_name]
+  }
 }

4-projects/business_unit_1/non-production/example_storage_cmek.tf

@@ -65,12 +65,14 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
-  depends_on           = [module.kms]
-  source               = "terraform-google-modules/cloud-storage/google"
-  version              = "~> 1.7"
-  project_id           = module.base_shared_vpc_project.project_id
-  location             = var.location_gcs
-  names                = [random_string.bucket_name.result]
-  prefix               = var.gcs_bucket_prefix
-  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+  depends_on         = [module.kms]
+  source             = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version            = "~> 1.7"
+  project_id         = module.base_shared_vpc_project.project_id
+  location           = var.location_gcs
+  name               = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
+  bucket_policy_only = true
+  encryption = {
+    default_kms_key_name = module.kms.keys[var.key_name]
+  }
 }

4-projects/business_unit_1/production/example_storage_cmek.tf

@@ -65,12 +65,14 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
-  depends_on           = [module.kms]
-  source               = "terraform-google-modules/cloud-storage/google"
-  version              = "~> 1.7"
-  project_id           = module.base_shared_vpc_project.project_id
-  location             = var.location_gcs
-  names                = [random_string.bucket_name.result]
-  prefix               = var.gcs_bucket_prefix
-  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+  depends_on         = [module.kms]
+  source             = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version            = "~> 1.7"
+  project_id         = module.base_shared_vpc_project.project_id
+  location           = var.location_gcs
+  name               = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
+  bucket_policy_only = true
+  encryption = {
+    default_kms_key_name = module.kms.keys[var.key_name]
+  }
 }

4-projects/business_unit_2/development/example_storage_cmek.tf

@@ -65,12 +65,14 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
-  depends_on           = [module.kms]
-  source               = "terraform-google-modules/cloud-storage/google"
-  version              = "~> 1.7"
-  project_id           = module.base_shared_vpc_project.project_id
-  location             = var.location_gcs
-  names                = [random_string.bucket_name.result]
-  prefix               = var.gcs_bucket_prefix
-  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+  depends_on         = [module.kms]
+  source             = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version            = "~> 1.7"
+  project_id         = module.base_shared_vpc_project.project_id
+  location           = var.location_gcs
+  name               = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
+  bucket_policy_only = true
+  encryption = {
+    default_kms_key_name = module.kms.keys[var.key_name]
+  }
 }

4-projects/business_unit_2/non-production/example_storage_cmek.tf

@@ -65,12 +65,14 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
-  depends_on           = [module.kms]
-  source               = "terraform-google-modules/cloud-storage/google"
-  version              = "~> 1.7"
-  project_id           = module.base_shared_vpc_project.project_id
-  location             = var.location_gcs
-  names                = [random_string.bucket_name.result]
-  prefix               = var.gcs_bucket_prefix
-  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+  depends_on         = [module.kms]
+  source             = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version            = "~> 1.7"
+  project_id         = module.base_shared_vpc_project.project_id
+  location           = var.location_gcs
+  name               = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
+  bucket_policy_only = true
+  encryption = {
+    default_kms_key_name = module.kms.keys[var.key_name]
+  }
 }

4-projects/business_unit_2/production/example_storage_cmek.tf

@@ -65,12 +65,14 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
-  depends_on           = [module.kms]
-  source               = "terraform-google-modules/cloud-storage/google"
-  version              = "~> 1.7"
-  project_id           = module.base_shared_vpc_project.project_id
-  location             = var.location_gcs
-  names                = [random_string.bucket_name.result]
-  prefix               = var.gcs_bucket_prefix
-  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+  depends_on         = [module.kms]
+  source             = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version            = "~> 1.7"
+  project_id         = module.base_shared_vpc_project.project_id
+  location           = var.location_gcs
+  name               = "${var.gcs_bucket_prefix}-${lower(var.location_gcs)}-${random_string.bucket_name.result}"
+  bucket_policy_only = true
+  encryption = {
+    default_kms_key_name = module.kms.keys[var.key_name]
+  }
 }

4-projects/modules/infra_pipelines/README.md

@@ -10,7 +10,7 @@
 | cloudbuild\_plan\_filename | Path and name of Cloud Build YAML definition used for terraform plan. | `string` | `"cloudbuild-tf-plan.yaml"` | no |
 | cloudbuild\_project\_id | The project id where the pipelines and repos should be created | `string` | n/a | yes |
 | terraform\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "non-production",<br>  "production"<br>]</pre> | no |
-| terraform\_validator\_release | Default terraform-validator release. | `string` | `"2021-01-21"` | no |
+| terraform\_validator\_release | Default terraform-validator release. | `string` | `"2021-03-22"` | no |
 | terraform\_version | Default terraform version. | `string` | `"0.13.6"` | no |
 | terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"55f2db00b05675026be9c898bdd3e8230ff0c5c78dd12d743ca38032092abfc9"` | no |
 

4-projects/modules/infra_pipelines/cloudbuild_builder/Dockerfile

@@ -17,7 +17,7 @@ FROM gcr.io/cloud-builders/gcloud-slim
 # Use ARG so that values can be overriden by user/cloudbuild
 ARG TERRAFORM_VERSION=0.13.6
 ARG TERRAFORM_VERSION_SHA256SUM=55f2db00b05675026be9c898bdd3e8230ff0c5c78dd12d743ca38032092abfc9
-ARG TERRAFORM_VALIDATOR_RELEASE=2020-09-24
+ARG TERRAFORM_VALIDATOR_RELEASE=2021-03-22
 
 ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION
 ENV ENV_TERRAFORM_VERSION_SHA256SUM=$TERRAFORM_VERSION_SHA256SUM

4-projects/modules/infra_pipelines/cloudbuild_builder/cloudbuild.yaml

@@ -29,5 +29,5 @@ steps:
 substitutions:
   _TERRAFORM_VERSION: '0.13.6' # default value
   _TERRAFORM_VERSION_SHA256SUM: '55f2db00b05675026be9c898bdd3e8230ff0c5c78dd12d743ca38032092abfc9' # default value
-  _TERRAFORM_VALIDATOR_RELEASE: '2020-09-24'
+  _TERRAFORM_VALIDATOR_RELEASE: '2021-03-22'
 images: ['gcr.io/${PROJECT_ID}/terraform']

4-projects/modules/infra_pipelines/variables.tf

@@ -71,5 +71,5 @@ variable "terraform_version_sha256sum" {
 variable "terraform_validator_release" {
   description = "Default terraform-validator release."
   type        = string
-  default     = "2021-01-21"
+  default     = "2021-03-22"
 }