terraform-validation fails in 5-infrastructure + violations

[daniel-cit]

Expected Behavior

Cloud build execution of step 5-infrastructure has no terraform-validator violations

Actual Behavior

Cloud build execution of step 5-infrastructure fails by cloning a empty gcp-policies repo

Step #1 - "tf plan validate all": Error: validating: FCV: initializing gcv validator: failed to read files in /workspace/policy-library/policies: error visiting path /workspace/policy-library/policies: lstat /workspace/policy-library/policies: no such file or directory

If we push the policies to the repo following the Foundation 5-app-infra README instructions, we got these terraform-validator violations:

• Constraint GCPSQLSSLConstraintV1.require_sql_ssl on resource //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-6HEdz0Th: //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-6HEdz0Th does not require SSL
• Constraint GCPSQLSSLConstraintV1.require_sql_ssl on resource //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-JE9fQbzO: //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-JE9fQbzO does not require SSL
• Constraint GCPSQLSSLConstraintV1.require_sql_ssl on resource //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-NJAAwdCx: //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-NJAAwdCx does not require SSL
• Constraint GCPSQLSSLConstraintV1.require_sql_ssl on resource //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-TZHWUsaD: //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-TZHWUsaD does not require SSL
• Constraint GCPSQLSSLConstraintV1.require_sql_ssl on resource //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-VQKGNbSu: //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-VQKGNbSu does not require SSL
• Constraint GCPSQLSSLConstraintV1.require_sql_ssl on resource //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-bXfQ6pYS: //cloudsql.googleapis.com/projects/prj-bu1-n-boa-sql-9521/instances/placeholder-bXfQ6pYS does not require SSL
• Constraint GCPGKEDashboardConstraintV1.disable_gke_dashboard on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/gke-1-boa-n-us-east1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/gke-1-boa-n-us-east1 has kubernetes dashboard enabled.
• Constraint GCPGKEMasterAuthorizedNetworksEnabledConstraintV1.enable_gke_master_authorized_networks on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/gke-1-boa-n-us-east1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/gke-1-boa-n-us-east1 master is accessible from unauthorized networks: {"10.0.130.0/29", "100.65.128.0/22"}
• Constraint GCPGKERestrictPodTrafficConstraintV1.gke_restrict_pod_traffic on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/gke-1-boa-n-us-east1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/gke-1-boa-n-us-east1 doesn't restrict traffic among pods with a network policy.
• Constraint GCPGKEMasterAuthorizedNetworksEnabledConstraintV1.enable_gke_master_authorized_networks on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/mci-boa-n-us-east1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/mci-boa-n-us-east1 master is accessible from unauthorized networks: {"10.0.130.0/29"}
• Constraint GCPGKERestrictPodTrafficConstraintV1.gke_restrict_pod_traffic on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/mci-boa-n-us-east1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/mci-boa-n-us-east1 doesn't restrict traffic among pods with a network policy.
• Constraint GCPGKEDashboardConstraintV1.disable_gke_dashboard on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/mci-boa-n-us-east1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-east1/clusters/mci-boa-n-us-east1 has kubernetes dashboard enabled.
• Constraint GCPGKEMasterAuthorizedNetworksEnabledConstraintV1.enable_gke_master_authorized_networks on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-west1/clusters/gke-2-boa-n-us-west1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-west1/clusters/gke-2-boa-n-us-west1 master is accessible from unauthorized networks: {"10.0.130.0/29", "100.64.136.0/22"}
• Constraint GCPGKERestrictPodTrafficConstraintV1.gke_restrict_pod_traffic on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-west1/clusters/gke-2-boa-n-us-west1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-west1/clusters/gke-2-boa-n-us-west1 doesn't restrict traffic among pods with a network policy.
• Constraint GCPGKEDashboardConstraintV1.disable_gke_dashboard on resource //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-west1/clusters/gke-2-boa-n-us-west1: //container.googleapis.com/projects/prj-bu1-n-boa-gke-8100/locations/us-west1/clusters/gke-2-boa-n-us-west1 has kubernetes dashboard enabled.

Steps to Reproduce the Problem

1. Follow the instruction in https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/main/5-infrastructure/README.md

Specifications

• Version: d92e89485d2b6ea1caf633b66b41d8a10380e64d
• Platform: Ubuntu 20.04 LTS + Cloud Build

[daniel-cit]

• It is necessary to grant browser role to the cloud build service account in the infra pipeline to be able to augment the IAM bindings for (without this, terraform-validator fails with permission denied):
  • the environment folders development, non-production, and production.
  • In the prj-bu1-c-app-cicd project in the common folder.
• It is necessary to used impersonate when running the cloudbuild_image_builder: https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/ae238f3cce0f9541e683ec14bb2f23d307e51354/5-infrastructure/modules/app_cicd_pipeline/repo.tf#L89

    --impersonate-service-account=${var.app_cicd_build_sa}

• Project prj-bu1-c-infra-pipeline needs to enable Cloud Resource Manager API
• The gcp-policies repo need to be populated like is done in the step 5 of the foundation https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/5-app-infra#deploying-with-cloud-build
• New APIs that need to be added to the gcp-polices in the infra pipeline.
  • "binaryauthorization.googleapis.com"
  • "containeranalysis.googleapis.com"
• It is necessary to enable SSL in the Cloud SQL replicas to remove the violation GCPSQLSSLConstraintV1.require_sql_ssl on resource https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/ae238f3cce0f9541e683ec14bb2f23d307e51354/5-infrastructure/modules/cloud-sql/main.tf#L20
• It is necessary to add the subnetwork CIDR ranges to the authorized networks configuration to fix violation GCPGKEMasterAuthorizedNetworksEnabledConstraintV1.enable_gke_master_authorized_networks https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/policy-library/policies/constraints/gke_master_authorized_networks_enabled.yaml
  • 10.0.130.0/29
  • 10.0.194.0/29
  • 10.0.66.0/29
  • 100.65.128.0/22
  • 100.64.136.0/22
  • 100.65.192.0/22
  • 100.64.200.0/22
  • 100.65.64.0/22
  • 100.64.72.0/22
• The GCPGKEDashboardConstraintV1.disable_gke_dashboard violation is a false positive since the dashboard is no longer installed by default and cannot be enable since version 1.15. You can delete the file https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/policy-library/policies/constraints/gke_dashboard_disable.yaml to remove this violation

GCPGKERestrictPodTrafficConstraintV1.gke_restrict_pod_traffic violations needs additional configuration for:

• network policy config
• security policy config
• network policy