
Announcing policy guardrails for Terraform on Google Cloud CLI preview

Terraform is a popular open source Infrastructure as Code (IaC) tool today and is used by organizations of all sizes across the world. Whether you use Terraform locally as a developer or as a platform admin managing complex CI/CD pipelines, Terraform makes it easy to deploy infrastructure on Google Cloud. 

Today, we are pleased to announce gcloud beta terraform vet, a client-side tool, available at no charge, that enables policy validation for your infrastructure deployments and existing infrastructure pipelines. With this release, you can now write policies on any resource from Terraform’s google and google-beta providers. If you're already using Terraform Validator on GitHub today, follow the migration instructions to take advantage of this new capability.

The challenge

Infrastructure automation with Terraform increases agility and reduces errors by automating the deployment of infrastructure and services that are used together to deliver applications.

Businesses implement continuous delivery to develop applications faster and to respond to changes quickly. Changes to infrastructure are common and in many cases occur often. It can become difficult to monitor every change to your infrastructure, especially across multiple business units, while still processing requests quickly, efficiently, and in an automated fashion. As you scale Terraform within your organization, the risk of misconfigurations and human error increases. Human-authored configuration changes can extend the periods during which infrastructure is vulnerable, exposing organizations to compliance or budgetary risks. Policy guardrails are necessary to allow organizations to move fast at scale, securely, and in a cost-effective manner - and the earlier in the development process they are applied, the better, to avoid problems with audits down the road.

The solution

gcloud beta terraform vet provides guardrails and governance for your Terraform configurations to help reduce misconfigurations of Google Cloud resources that violate any of your organization's policies.

[Figure: CLI Terraform validation preview]

These are some of the benefits of using gcloud beta terraform vet:  

  • Enforce your organization's policy at any stage of application development
  • Prevent manual errors by automating policy validation
  • Fail fast with pre-deployment checks

New functionality

In addition to creating CAI-based (Cloud Asset Inventory) constraints, you can now write policies on any resource from Terraform’s google and google-beta providers. This functionality was added in response to feedback from existing users of Terraform Validator on GitHub. Migrate to gcloud beta terraform vet today to take advantage of it.

Primary use cases for policy validation

Platform teams can easily add guardrails to infrastructure CI/CD pipelines (between the plan and apply stages) to ensure all requests for infrastructure are validated before deployment to the cloud. This limits platform team involvement: end users receive failure messages during their pre-deployment checks that tell them which policies they have violated.

Application teams and developers can validate their Terraform configurations against the organization’s central policy library to identify misconfigurations early in the development process. Before submitting to a CI/CD pipeline, you can easily ensure your Terraform configurations are in compliance with your organization’s policies, thus saving time and effort.

Security teams can create a centralized policy library that is used by all teams across the organization to identify and prevent policy violations. Depending on how your organization is structured, the security team (or other trusted teams) can add the necessary policies according to the company’s needs or compliance requirements. 

Getting started

The quickstart provides detailed instructions on how to get started. Let’s review the simple high-level process:

1. First, clone the policy library. This contains sample constraint templates and bundles to get started. These constraint templates specify the logic to be used by constraints.

2. Add your constraints to the policies/constraints folder. These represent the policies you want to enforce. For example, the IAM domain restriction constraint below ensures all IAM policy members belong to the “gserviceaccount.com” domain. See the sample constraints for more examples.

  apiVersion: constraints.gatekeeper.sh/v1alpha1
  kind: GCPIAMAllowedPolicyMemberDomainsConstraintV2
  metadata:
    name: service_accounts_only
    annotations:
      description: Checks that members that have been granted IAM roles belong to allowlisted
        domains.
  spec:
    severity: high
    match:
      target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
      - "organizations/**"
    parameters:
      domains:
      - gserviceaccount.com

3. Generate a Terraform plan and convert it to JSON format.

  $ terraform show -json ./test.tfplan > ./tfplan.json

4. Install the gcloud component terraform-tools.

  $ gcloud components update
  $ gcloud components install terraform-tools

5. Run gcloud beta terraform vet against the JSON plan.

  $ gcloud beta terraform vet tfplan.json --policy-library=.

6. Finally, view the results. Depending on whether any policy checks were violated, you will see one of the following outputs.

Pass:

  []

Fail: the full output is much longer; here is a snippet:

  [
    {
      "constraint": ...,
      "message": "IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID contains member from unexpected domain: user:user@example.com",
      ...
    }
  ]
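As an added example that is not part of the original post or of the gcloud tooling, the script below wires steps 3 to 6 into a CI gate that sits between the plan and apply stages: it renders the plan as JSON, runs gcloud beta terraform vet, parses the JSON array it prints and blocks the apply when violations are found. The script name vet_gate.py, the make_plan_json, run_vet and evaluate functions, the optional severity filter, and the "resource" and "severity" keys and second constraint in the constructed sample output are assumptions; only the "message" text is taken from the post. The gate decides on the parsed output rather than on the tool's exit status, and a violation that carries no severity always blocks, so an unexpected output shape fails closed.

```python
"""vet_gate.py: CI gate around gcloud beta terraform vet (plan -> JSON -> vet -> block apply)."""
import json
import subprocess
import sys


def make_plan_json(workdir, plan_file="test.tfplan", json_file="tfplan.json"):
    """Step 3 of the post: write a binary plan, then render it as JSON for vet."""
    subprocess.run(["terraform", "plan", "-out=" + plan_file], cwd=workdir, check=True)
    json_path = f"{workdir}/{json_file}"
    with open(json_path, "w") as out:
        subprocess.run(["terraform", "show", "-json", plan_file], cwd=workdir, stdout=out, check=True)
    return json_path


def run_vet(plan_json_path, policy_library):
    """Step 5: run vet and hand back its stdout, which is a JSON array of violations."""
    cmd = ["gcloud", "beta", "terraform", "vet", plan_json_path, "--policy-library=" + policy_library]
    # check=False: the gate decides on the parsed output, not on the process exit status.
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if not result.stdout.strip():
        raise RuntimeError("terraform vet produced no JSON output: " + result.stderr.strip())
    return result.stdout


def evaluate(vet_output, block_on=None):
    """Parse vet output and return (passed, report_lines).

    block_on: set of severities that fail the job, or None to fail on any violation.
    A violation without a severity field always blocks (fail closed).
    """
    violations = json.loads(vet_output)
    if not isinstance(violations, list):
        raise ValueError("expected a JSON array from terraform vet")
    report, blocking = [], 0
    for v in violations:
        severity = v.get("severity")  # assumed field; only "message" is shown in the post
        constraint = v.get("constraint", "<unknown constraint>")
        report.append(f"[{severity or 'unknown'}] {constraint}: {v.get('message', '')}")
        if block_on is None or severity is None or severity in block_on:
            blocking += 1
    return blocking == 0, report


# Constructed sample outputs. The first message is the one quoted in the post; the
# "resource" and "severity" keys and the second (hypothetical) constraint are assumptions.
SAMPLE_PASS = "[]"
SAMPLE_FAIL = json.dumps([
    {
        "constraint": "GCPIAMAllowedPolicyMemberDomainsConstraintV2.service_accounts_only",
        "message": "IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID "
                   "contains member from unexpected domain: user:user@example.com",
        "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
        "severity": "high",
    },
    {
        "constraint": "HypotheticalLabelConstraint.require_cost_center",
        "message": "resource is missing the cost-center label",
        "resource": "//compute.googleapis.com/projects/PROJECT_ID/zones/us-central1-a/instances/vm-1",
        "severity": "low",
    },
])


def main(argv):
    """Usage: vet_gate.py <terraform-workdir> <policy-library-dir> [blocking severity ...]"""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    workdir, policy_library, *severities = argv[1:]
    plan_json = make_plan_json(workdir)
    # An empty severity list means every violation blocks the apply.
    passed, report = evaluate(run_vet(plan_json, policy_library), set(severities) or None)
    for line in report:
        print(line, file=sys.stderr)
    print("policy gate: PASS" if passed else "policy gate: FAIL, apply blocked")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline, run `python vet_gate.py ./infra ./policy-library` after `terraform init` and before `terraform apply`; a non-zero exit stops the job and the report printed to stderr tells the submitter which constraint each violation came from. Passing severities (for example `high`) relaxes the gate to block only on those levels while still printing every violation.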

Feedback

We’d love to hear how this feature is working for you and your ideas on improvements we can make.