Closed iam2010 closed 3 years ago
Hi, can you try organization/<org_id>/project/<project-id>
for the target?
I get the following Error using project-id
Error: validating: FCV: initializing gcv validator: unable to set up GCP Constraint Framework client: failed to add constraint &{map[apiVersion:constraints.gatekeeper.sh/v1alpha1 kind:GCPAlwaysViolatesConstraintV1 metadata:map[annotations:map[description:Testing policy, will always violate. validation.gcp.forsetisecurity.org/originalName:always_violates_all validation.gcp.forsetisecurity.org/yamlpath:/home/chandan/terraform/policy-library/policies/constraints/terraform-test/always_violates.yaml] name:always-violates-all] spec:map[constraintVersion:0.1.0 match:map[target:[organizations/<org-id>/projects/<project-id>]] parameters:map[] severity:high]]}: invalid glob in target: idx: 0: unexpected item <project-id> element 3 in organizations/<org-id>/projects/<project-id>
Usage:
terraform-validator validate <tfplan> [flags]
Flags:
--ancestry string Override the ancestry location of the project when validating resources
-h, --help help for validate
--offline Do not connect to GCP API
--output-json Print violations as JSON
--policy-path string Path to directory containing validation policies
--project string Provider project override (override the default project configuration assigned to the google terraform provider when validating resources)
Global Flags:
--verbose Log output to stderr
What version of Terraform Validator are you using?
Terraform Validator version
Build version: 2020-09-24
Can you try downloading the most recent version?
Just tried with the latest build,
Build version: 2021-01-21
Getting the same error.
Hi @morgante, is there anything I can do to help to fix this issue or find a workaround for this?
Can you try running the convert command? The generated asset should reveal what the actual asset looks like (in particular, we're interested in the ancestry path).
Here is the full output of convert command
[
{
"name": "//cloudresourcemanager.googleapis.com/projects/<project-id-1>",
"asset_type": "cloudresourcemanager.googleapis.com/Project",
"ancestry_path": "organization/<org-id>/folder/<folder-id-1>/folder/<folder-id-2>/project/<project-id-1>",
"iam_policy": {
"bindings": [
{
"role": "roles/source.admin",
"members": [
"group:valid-group@googlegroups.com",
"user:valid-user@gmail.com"
]
}
]
}
},
{
"name": "//cloudresourcemanager.googleapis.com/projects/<project-id-2>",
"asset_type": "cloudresourcemanager.googleapis.com/Project",
"ancestry_path": "organization/<org-id>/project/<project-id-2>",
"iam_policy": {
"bindings": [
{
"role": "roles/source.admin",
"members": [
"group:valid-group@googlegroups.com",
"user:valid-user@gmail.com"
]
}
]
}
},
{
"name": "//compute.googleapis.com/projects/<project-id-1>/global/firewalls/test-firewall-2",
"asset_type": "compute.googleapis.com/Firewall",
"ancestry_path": "organization/<org-id>/folder/<folder-id-1>/folder/<folder-id-2>/project/<project-id-1>",
"resource": {
"version": "v1",
"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
"discovery_name": "Firewall",
"parent": "//cloudresourcemanager.googleapis.com/projects/<project-id-1>",
"data": {
"allowed": [
{
"IPProtocol": "icmp"
},
{
"IPProtocol": "tcp",
"ports": [
"22",
"33"
]
}
],
"description": "testing firewall scripts",
"direction": "INGRESS",
"disabled": false,
"logConfig": {
"enable": false
},
"name": "test-firewall-2",
"network": "projects/<project-id-1>/global/networks/default",
"priority": 1000,
"sourceRanges": [
"10.0.0.0/15",
"192.168.1.0/24"
],
"sourceServiceAccounts": [
"terraform-test@<project-id-2>.iam.gserviceaccount.com"
]
}
}
},
{
"name": "//compute.googleapis.com/projects/<project-id-2>/global/firewalls/test-firewall",
"asset_type": "compute.googleapis.com/Firewall",
"ancestry_path": "organization/<org-id>/project/<project-id-2>",
"resource": {
"version": "v1",
"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
"discovery_name": "Firewall",
"parent": "//cloudresourcemanager.googleapis.com/projects/<project-id-2>",
"data": {
"allowed": [
{
"IPProtocol": "icmp"
},
{
"IPProtocol": "tcp",
"ports": [
"22",
"33"
]
}
],
"description": "testing firewall scripts",
"direction": "INGRESS",
"disabled": false,
"logConfig": {
"enable": false
},
"name": "test-firewall",
"network": "projects/<project-id-2>/global/networks/default",
"priority": 1000,
"sourceRanges": [
"10.0.0.0/15",
"192.168.1.0/24"
],
"sourceServiceAccounts": [
"terraform-gke-test@<project-id-2>.iam.gserviceaccount.com"
]
}
}
},
{
"name": "//compute.googleapis.com/projects/<project-id-2>/zones/us-central1-a/instances/test-vm-1",
"asset_type": "compute.googleapis.com/Instance",
"ancestry_path": "organization/<org-id>/project/<project-id-2>",
"resource": {
"version": "v1",
"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
"discovery_name": "Instance",
"parent": "//cloudresourcemanager.googleapis.com/projects/<project-id-2>",
"data": {
"canIpForward": false,
"deletionProtection": false,
"description": "Compute Instance",
"disks": [
{
"autoDelete": true,
"boot": true,
"initializeParams": {
"sourceImage": "projects/debian-cloud/global/images/family/debian-9"
},
"mode": "READ_WRITE"
}
],
"displayDevice": {
"enableDisplay": false
},
"machineType": "projects/<project-id-2>/zones/us-central1-a/machineTypes/f1-micro",
"metadata": {},
"name": "test-vm-1",
"networkInterfaces": [
{
"accessConfigs": [
{
"type": "ONE_TO_ONE_NAT"
}
],
"network": "projects/<project-id-2>/global/networks/default"
}
],
"scheduling": {
"automaticRestart": true
},
"shieldedInstanceConfig": {
"enableIntegrityMonitoring": false,
"enableSecureBoot": false,
"enableVtpm": false
},
"tags": {}
}
}
}
]
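The convert output above is the thing to compare a constraint's `match.target` against: the `ancestry_path` of each asset is what the target pattern has to select, and a target that selects nothing produces a clean "No Violation Found" for the wrong reason. The script below is an added example, not terraform-validator's own matcher: it reads convert-style JSON (a constructed sample with placeholder IDs, shaped like the output in this thread) and reports which assets a candidate target pattern would select. The glob semantics it assumes (`*` matches exactly one path segment, `**` matches zero or more) are an assumption for illustration; the `select_assets` and `ancestry_matches` names are hypothetical.

```python
"""Which assets in a terraform-validator `convert` output would a constraint
`match.target` select?

Added example, not terraform-validator's own code. Glob semantics assumed:
'*' = exactly one path segment, '**' = zero or more segments.
"""
import json

# Constructed sample shaped like the convert output in the thread, with
# placeholder IDs (not real organizations, folders or projects).
CONVERT_OUTPUT = json.dumps([
    {"name": "//cloudresourcemanager.googleapis.com/projects/proj-a",
     "asset_type": "cloudresourcemanager.googleapis.com/Project",
     "ancestry_path": "organization/111/folder/222/folder/333/project/proj-a"},
    {"name": "//compute.googleapis.com/projects/proj-a/global/firewalls/test-firewall-2",
     "asset_type": "compute.googleapis.com/Firewall",
     "ancestry_path": "organization/111/folder/222/folder/333/project/proj-a"},
    {"name": "//cloudresourcemanager.googleapis.com/projects/proj-b",
     "asset_type": "cloudresourcemanager.googleapis.com/Project",
     "ancestry_path": "organization/111/project/proj-b"},
    {"name": "//compute.googleapis.com/projects/proj-b/zones/us-central1-a/instances/test-vm-1",
     "asset_type": "compute.googleapis.com/Instance",
     "ancestry_path": "organization/111/project/proj-b"},
])


def segments_match(pattern, path):
    """Segment-wise glob match: '*' is one segment, '**' any number (incl. zero)."""
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        # '**' either consumes nothing, or consumes one segment and is retried.
        return segments_match(rest, path) or (bool(path) and segments_match(pattern, path[1:]))
    if not path:
        return False
    if head == "*" or head == path[0]:
        return segments_match(rest, path[1:])
    return False


def ancestry_matches(target, ancestry_path):
    """True if the target pattern selects this ancestry_path (hypothetical matcher)."""
    return segments_match(target.strip("/").split("/"), ancestry_path.strip("/").split("/"))


def assets_from_convert_output(text):
    """(name, ancestry_path) pairs from convert JSON; entries without an ancestry_path are skipped."""
    return [(a["name"], a["ancestry_path"]) for a in json.loads(text) if "ancestry_path" in a]


def select_assets(target, convert_text=CONVERT_OUTPUT):
    """Names of the assets a candidate match.target would select."""
    return [name for name, path in assets_from_convert_output(convert_text)
            if ancestry_matches(target, path)]


if __name__ == "__main__":
    for candidate in ("organizations/111/projects/proj-b",   # plural form from the failing constraint
                      "organization/111/project/proj-b",     # form suggested earlier in the thread
                      "organization/111/*/*/project/proj-a",  # nested project, fixed depth
                      "organization/111/**"):                # whole organization
        print(f"{candidate}: {select_assets(candidate) or 'selects nothing'}")
```

Run it against the real convert output (`select_assets(target, open("assets.json").read())`) whenever a policy unexpectedly reports no violations: an empty selection means the target never reached the assets, which is a different problem from the assets being compliant.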
We are seeing the same issue.
I have multiple folders and projects under the organization, and I am trying to write policy constraints for each project individually.
I'm having an issue similar to #134
My config is as below
Terraform Version
Terraform v0.14.4
provider registry.terraform.io/hashicorp/google v3.56.0
Terraform Validator version
Build version: 2020-09-24
Policy library from Forseti Security
My Issue:
Does not seem to work. I always get a No Violation Found result.
However,
works. Throws proper constraint violations.
When I run
terraform-validator validate --policy-path=${POLICY_PATH} ./terraform.tfplan.json --verbose=true
I get the following
I am using the credentials of a service account to run, and the service account has the following roles at Organization level