canada-ca / cloud-guardrails-gcp

Recommended configuration guidance for Google Cloud Platform / Conseils de configuration recommandés pour Platforme infonuagique de Google

validation run broken on missing assets/*.json files from the asset inventory export and hardcoded "my-unique-bucket-name" #12

Open obriensystems opened 2 years ago

obriensystems commented 2 years ago

following https://github.com/canada-ca/cloud-guardrails-gcp/tree/main/guardrails-validation

Workaround - turn off the regional restriction on the project - or delete it on the parent and then rerun a terraform apply to get it back afterwards

admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gcloud services enable cloudasset.googleapis.com
Operation "operations/acat.p2-502392433631-09e81fe7-570c-44a3-8345-9852d82fd884" finished successfully.
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ export MY_BUCKET_NAME=validation-ggz
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://validation-ggz/...
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gcloud asset export --output-path=gs://$MY_BUCKET_NAME/resource_inventory.json --content-type=resource --project=gr-bootstrap-ggz
Export in progress for root asset [projects/gr-bootstrap-ggz].
Use [gcloud asset operations describe projects/502392433631/operations/ExportAssets/RESOURCE/c6cfd41c3c7720348b468221cf6c688e] to check the status of the operation.
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)

admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ git clone https://github.com/canada-ca/cloud-guardrails-gcp.git

admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ ls
accelerators_accelerateurs-gcp  cloud-guardrails-gcp
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gsutil cp gs://$MY_BUCKET_NAME/resource_inventory.json ./assets
Copying gs://validation-ggz/resource_inventory.json...
/ [1 files][ 16.8 KiB/ 16.8 KiB]
Operation completed over 1 objects/16.8 KiB.
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)

admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd
accelerators_accelerateurs-gcp/ cloud-guardrails-gcp/
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd cloud-guardrails-gcp/
.git/                  guardrails/            guardrails-validation/
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd cloud-guardrails-gcp/guardrails-validation/
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls
assets  cloudbuild.yaml  Dockerfile  install.sh  policies  README.md  run-all.sh  run.sh  tests.sh
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$

admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ./install.sh
--2022-11-20 15:39:04--  https://github.com/open-policy-agent/conftest/releases/download/v0.32.1/conftest_0.32.1_Linux_x86_64.tar.gz
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/178249461/a9c964a8-a471-41f8-aed7-86bca64ad3f8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221120T153904Z&X-Amz-Expires=300&X-Amz-Signature=7b360ba6a1ab670e8c8957132cfcfda8d28cb797571ec78759636b3b6e402da8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=178249461&response-content-disposition=attachment%3B%20filename%3Dconftest_0.32.1_Linux_x86_64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2022-11-20 15:39:04--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/178249461/a9c964a8-a471-41f8-aed7-86bca64ad3f8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221120T153904Z&X-Amz-Expires=300&X-Amz-Signature=7b360ba6a1ab670e8c8957132cfcfda8d28cb797571ec78759636b3b6e402da8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=178249461&response-content-disposition=attachment%3B%20filename%3Dconftest_0.32.1_Linux_x86_64.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12264521 (12M) [application/octet-stream]
Saving to: ‘conftest_0.32.1_Linux_x86_64.tar.gz’

conftest_0.32.1_Linux_x86_64.tar.gz      100%[=================================================================================>]  11.70M  44.0MB/s    in 0.3s

2022-11-20 15:39:04 (44.0 MB/s) - ‘conftest_0.32.1_Linux_x86_64.tar.gz’ saved [12264521/12264521]

LICENSE
README.md
conftest
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$

admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ conftest --version
Conftest: 0.32.1
OPA: 0.40.0

run n/a due to missing json in the assets dir
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ./run.sh
Checking ./assets/*.json
cat: './assets/*.json': No such file or directory
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls ../
guardrails  guardrails-validation  LICENSE  README.md
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls
assets  cloudbuild.yaml  Dockerfile  install.sh  policies  README.md  report.txt  run-all.sh  run.sh  tests.sh
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls assets/
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$

run-all also requires a rename of "my-unique-bucket-name" as well as an additional storage admin role

admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ./run-all.sh
Your active configuration is: [cloudshell-22055]
Creating gs://my-unique-bucket-name/...
ServiceException: 409 A Cloud Storage bucket named 'my-unique-bucket-name' already exists. Try another name. Bucket names must be globally unique across all Google Cloud projects, including those outside of your organization.
ERROR: (gcloud.asset.export) code: 403
message: The billing account for the owning project is disabled in state closed
status: PERMISSION_DENIED
AccessDeniedException: 403 admin@guardrails.gcp.zone does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).
cat: './assets/*.json': No such file or directory
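Both failures in the transcript above (run.sh finding no JSON because the gsutil cp from ~/cloudshell_open never reached guardrails-validation/assets/, and run-all.sh creating the hardcoded "my-unique-bucket-name") can be caught before any gcloud or gsutil call is made. The pre-flight script below is an added example, not part of the canada-ca/cloud-guardrails-gcp repo; the script name preflight.sh and the ASSETS_DIR variable are assumptions, and the bucket-name check covers only the basic Cloud Storage naming rules.

```shell
# Added pre-flight check for guardrails-validation (example code, not part of the
# canada-ca/cloud-guardrails-gcp repo): fails fast on the hardcoded placeholder bucket
# name in run-all.sh and on an assets/ dir with no JSON for run.sh's "cat ./assets/*.json".
set -u
PLACEHOLDER_BUCKET="my-unique-bucket-name"   # value hardcoded in run-all.sh

# 0 = usable, 1 = unset or still the placeholder, 2 = breaks the basic GCS naming rules
# (lowercase letters, digits, . _ -; 3-63 chars; starts and ends with a letter or digit).
check_bucket_name() {
  name="${1:-}"
  [ -n "$name" ] || return 1
  [ "$name" != "$PLACEHOLDER_BUCKET" ] || return 1
  case "$name" in
    *[!a-z0-9._-]*) return 2 ;;          # illegal character (uppercase included)
    [!a-z0-9]*|*[!a-z0-9]) return 2 ;;   # must start and end alphanumeric
  esac
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 2
}

# 0 = at least one non-empty *.json present, 1 = dir missing, 2 = dir empty (this issue),
# 3 = a plain file: what "gsutil cp ... ./assets" creates when no assets/ dir exists there.
check_assets_dir() {
  dir="${1:-./assets}"
  [ -e "$dir" ] || return 1
  [ -d "$dir" ] || return 3
  found=0
  for f in "$dir"/*.json; do
    [ -s "$f" ] && found=1               # unmatched glob stays literal, so -s is false
  done
  [ "$found" -eq 1 ] || return 2
}

# Runs both checks and reports the first problem; 0 means it is safe to call run-all.sh.
preflight() {
  bucket="${1:-}"; dir="${2:-./assets}"
  check_bucket_name "$bucket"; rc=$?
  case "$rc" in
    1) echo "MY_BUCKET_NAME is unset or still '$PLACEHOLDER_BUCKET'; export a unique name" >&2; return 1 ;;
    2) echo "'$bucket' is not a valid Cloud Storage bucket name" >&2; return 1 ;;
  esac
  check_assets_dir "$dir"; rc=$?
  case "$rc" in
    1) echo "$dir does not exist; copy the asset export into guardrails-validation/assets/" >&2; return 1 ;;
    2) echo "$dir has no .json files; the gsutil cp probably landed in another directory" >&2; return 1 ;;
    3) echo "$dir is a file, not a directory; rerun gsutil cp from inside guardrails-validation/" >&2; return 1 ;;
  esac
}

# Usage: MY_BUCKET_NAME=validation-ggz sh preflight.sh --run && ./run-all.sh
[ "${1:-}" != "--run" ] || preflight "${MY_BUCKET_NAME:-}" "${ASSETS_DIR:-./assets}"
```

Run it from inside guardrails-validation/ after the gsutil cp step; a non-zero exit tells you which of the two setup steps to repeat before touching run-all.sh.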