Validate policies

Before you begin

Install Google Cloud CLI

To use gcloud beta terraform vet you must first install Google Cloud CLI:

  1. Install Google Cloud CLI but skip the gcloud init command.

  2. Run the following commands to install the terraform-tools component:

    gcloud components update
    gcloud components install terraform-tools
    
  3. Verify that the gcloud CLI is installed by running the following command:

    gcloud beta terraform vet --help
    

Get required permissions

The Google Cloud account that you use for validation must have the following permissions:

  • getIamPolicy: gcloud beta terraform vet needs to get full Identity and Access Management (IAM) policies and merge them with members and bindings to get an accurate end state to validate.
  • resourcemanager.projects.get: gcloud beta terraform vet needs to get project ancestry from the API in order to accurately construct a full CAI Asset Name for any projects that validated resources are related to.
  • resourcemanager.folders.get: gcloud beta terraform vet needs to get folder ancestry from the API in order to accurately construct a full CAI Asset Name if the validated resources contain any folder-related resources.

Set up a policy library

You need to create a policy library to use this tool.

Validate policies

1. Generate a Terraform plan

gcloud beta terraform vet is compatible with Terraform 0.12+. gcloud beta terraform vet takes terraform plan JSON as its input. You can generate the JSON file by running the following commands in your Terraform directory:

terraform plan -out=tfplan.tfplan
terraform show -json ./tfplan.tfplan > ./tfplan.json

2. Run gcloud beta terraform vet

gcloud beta terraform vet lets you validate your terraform plan JSON against your organization's POLICY_LIBRARY_REPO. For example:

git clone POLICY_LIBRARY_REPO POLICY_LIBRARY_DIR
gcloud beta terraform vet tfplan.json --policy-library=POLICY_LIBRARY_DIR

When you execute this command, gcloud beta terraform vet retrieves project data by using Google Cloud APIs that are necessary for an accurate validation of your plan.

Flags

  • --policy-library=POLICY_LIBRARY_DIR - Directory that contains a policy library.
  • --project=PROJECT_ID - gcloud beta terraform vet accepts an optional --project flag. This flag specifies the default project when building the ancestry (from the Google Cloud resource hierarchy) for any resource that doesn't have an explicit project set.
  • --format=FORMAT - The default is yaml. The supported formats are: default, json, none, text, yaml. For more details run $ gcloud topic formats.

Exit code and output

  • If all constraints are validated, the command returns exit code 0 and does not display violations.
  • If violations are found, gcloud beta terraform vet returns exit code 2, and displays a list of violations. For example, JSON output might look like:
[
  {
    "constraint": "GCPIAMAllowedPolicyMemberDomainsConstraintV2.service_accounts_only",
    "constraint_config": {
      "api_version": "constraints.gatekeeper.sh/v1alpha1",
      "kind": "GCPIAMAllowedPolicyMemberDomainsConstraintV2",
      "metadata": {
        "annotations": {
          "description": "Checks that members that have been granted IAM roles belong to allowlisted domains.",
          "validation.gcp.forsetisecurity.org/originalName": "service_accounts_only",
          "validation.gcp.forsetisecurity.org/yamlpath": "policies/constraints/iam_service_accounts_only.yaml"
        },
        "name": "service-accounts-only"
      },
      "spec": {
        "match": {
          "target": [
            "organizations/**"
          ]
        },
        "parameters": {
          "domains": [
            "gserviceaccount.com"
          ]
        },
        "severity": "high"
      }
    },
    "message": "IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID contains member from unexpected domain: user:me@example.com",
    "metadata": {
      "ancestry_path": "organizations/ORG_ID/projects/PROJECT_ID",
      "constraint": {
        "annotations": {
          "description": "Checks that members that have been granted IAM roles belong to allowlisted domains.",
          "validation.gcp.forsetisecurity.org/originalName": "service_accounts_only",
          "validation.gcp.forsetisecurity.org/yamlpath": "policies/constraints/iam_service_accounts_only.yaml"
        },
        "labels": {},
        "parameters": {
          "domains": [
            "gserviceaccount.com"
          ]
        }
      },
      "details": {
        "member": "user:me@example.com",
        "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID"
      }
    },
    "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
    "severity": "high"
  }
]

CI/CD example

A bash script for using gcloud beta terraform vet in a CI/CD pipeline might look like this:

terraform plan -out=tfplan.tfplan
terraform show -json ./tfplan.tfplan > ./tfplan.json
git clone POLICY_LIBRARY_REPO POLICY_LIBRARY_DIR
VIOLATIONS=$(gcloud beta terraform vet tfplan.json --policy-library=POLICY_LIBRARY_DIR --format=json)
retVal=$?
if [ $retVal -eq 2 ]; then
  # Optional: parse the VIOLATIONS variable as json and check the severity level
  echo "$VIOLATIONS"
  echo "Violations found; not proceeding with terraform apply"
  exit 1
fi
if [ $retVal -ne 0]; then
  echo "Error during gcloud beta terraform vet; not proceeding with terraform apply"
  exit 1
fi

echo "No policy violations detected; proceeding with terraform apply"

terraform apply

Developers can also use gcloud beta terraform vet locally to test Terraform changes prior to running your CI/CD pipeline.