Merge changes from modulerelease520 to master (#465)

* Updates for the Forseti v2.25.0 release

* Update provider versions for google

* Update forseti helm chart version

* Remove the % character from the list of possible special characters to use in the random Cloud SQL password. (#417)

* Base64 encode cloudsql username and password for the helm chart secrets. (#419)

* Base64 encode cloudsql username and password for the helm chart secrets.

* Update fixtures to use forseti 2.25.0

* Fix the Bigquery API issue for release 5.2.0 (#441)

* Update release 5.2.0 for the bigquery change. Update a few remaining places where 5.0.0 was still being used instead of 5.2.0.

* Fix for the install simple example. There is no version 5.2.0 yet, and the syntax will automatically use 5.2.0 once released. Updating to the latest 5.1.0 for now.

* Fix version constraint to use latest

* Update tutorial example to use 520 release branch

* Upgrade to devtools image 4.6

* Ran make docker_generate_docs

* Style fixes (#430)

* remove duplicated key from YAML

Signed-off-by: Dmitry Verkhoturov <[email protected]>

* convert expressions to HCL2

Signed-off-by: Dmitry Verkhoturov <[email protected]>

* Wrapping this map key in paranthesis does not fix the issue - hashicorp/terraform#21566. Instead using string interpolation resolves the validation error but might show up as a lint error related to moving to HCL2 expressions. (#449)

* Increased open files limit to fix OSError: [Errno 24] Too many open files  (#450)

* Increased open files limit

* Added if block

* add spanner.googleapis.com (#451)

* Made some changes from the modulerelease520 branch to get all non-version changes into the master branch.

* Revert helm chart version from 2.2.0 to 2.1.0

* Lint fixes and updating symlinks for the shared vpc tests to use the controls from the install_simple test.

* Fix linting issues

* Move policy library test into it's own control file so that server control can be shared.

* Update fixtures to use the master branch of Forseti. Add assertion for the forseti service check so that if the service is not running, we will see the error message.

* Update to regex for checking forseti service health

* Fix setup script for cloudshell tutorial

Co-authored-by: Dmitry Verkhoturov <[email protected]>
Co-authored-by: red2k18 <[email protected]>
Co-authored-by: hshin-g <[email protected]>

.kitchen.yml

@@ -41,6 +41,7 @@ suites:
         - name: server
           backend: ssh
           controls:
+            - policy-library
             - server
           hosts_output: forseti-server-vm-ip
           user: ubuntu

CHANGELOG.md

@@ -6,10 +6,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
-## [5.1.0] - 2019-11-15
+## [Unreleased] - TBD
 
 ### Added
+- Configure firewall rules in support of private Client and Server [#391]
+- Add Service Account Key to CAI assets in Server config [#393]
+- Add policy_library_repository_branch to GCE module [#394]
+- Add sql instance user and password [#399]
+- Conditional firewall rules [#400]
+- Conditional service networking [#401]
+- Create stale.yml for Stale Bot [#402]
+- Enable uniform bucket-level access [#405]
+- Add Cloud SQL DB User and Password as outputs [#407]
+- Added install-simple tests [#408]
+- Use network project for private IP address in CloudSQL submodule [#412]
+- Allow user to configure Scanner Rules path to GCS or local dir [#414]
+- Update version in README [#426]
+- Removed simple_example [#444]
+- Create CONTRIBUTORS file [#454]
+
+### Fixed
+- Fix space in Location Rules template [#392]
+- Fix string interpolation warnings [#395]
+- Remove the % character from the Cloud SQL password [#417]
+- Base64 encode CloudSQL username and password for the helm chart secrets [#419]
+- Style fixes [#430]
+- Add spanner.googleapis.com [#435]
+- Update the Bigquery api to the new name [#437]
+- Fix validate error [#449]
+- Increased open files limit to fix OSError: [Errno 24] Too many open files [#450]
+- Sync policy library with gsutil rsync [#463]
+
+## [v5.1.1] - 2020-01-14
+
+### Fixed
+- Update the Bigquery api to the new name
+
 
+## [5.1.0] - 2019-11-15
+
+### Added
 - Support for Forseti v2.24.0 [#386]
 - Parameterized Kubernetes version [#385]
 - GCS bucket location to tutorials and examples [#382]
@@ -36,7 +72,6 @@ Extending the adopted spec, each change should have a link to its corresponding
 Version 5.0.0 is a backwards-incompatible release. Please see the [upgrade instructions](./docs/upgrading_to_v5.0.md) for details.
 
 ### Added
-
 - Support for Forseti v2.23.0 [#329]
 - Updated README and Cloud Shell Tutorial [#330]
 - Added additional submodules for Forseti infrastructure components [#284]
@@ -291,7 +326,7 @@ Version 4.0.0 is a backwards-incompatible release. Please see the [upgrade instr
 ### ADDED
 - This is the initial release of the Forseti module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.0.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.1...HEAD
 [v0.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/releases/tag/v0.1.0
 [v1.0.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v0.1.0...v1.0.0
 [v1.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v1.0.0...v1.1.0
@@ -316,7 +351,33 @@ Version 4.0.0 is a backwards-incompatible release. Please see the [upgrade instr
 [v4.3.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v4.2.1...v4.3.0
 [v5.0.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v4.3.0...v5.0.0
 [v5.1.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.0.0...v5.1.0
-
+[v5.1.1]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.0...v5.1.1
+
+[#463]: https://github.com/forseti-security/terraform-google-forseti/pull/463
+[#454]: https://github.com/forseti-security/terraform-google-forseti/pull/454
+[#450]: https://github.com/forseti-security/terraform-google-forseti/pull/450
+[#449]: https://github.com/forseti-security/terraform-google-forseti/pull/449
+[#444]: https://github.com/forseti-security/terraform-google-forseti/pull/444
+[#437]: https://github.com/forseti-security/terraform-google-forseti/pull/437
+[#435]: https://github.com/forseti-security/terraform-google-forseti/pull/435
+[#430]: https://github.com/forseti-security/terraform-google-forseti/pull/430
+[#426]: https://github.com/forseti-security/terraform-google-forseti/pull/426
+[#419]: https://github.com/forseti-security/terraform-google-forseti/pull/419
+[#417]: https://github.com/forseti-security/terraform-google-forseti/pull/417
+[#414]: https://github.com/forseti-security/terraform-google-forseti/pull/414
+[#412]: https://github.com/forseti-security/terraform-google-forseti/pull/412
+[#408]: https://github.com/forseti-security/terraform-google-forseti/pull/408
+[#407]: https://github.com/forseti-security/terraform-google-forseti/pull/407
+[#405]: https://github.com/forseti-security/terraform-google-forseti/pull/405
+[#402]: https://github.com/forseti-security/terraform-google-forseti/pull/402
+[#401]: https://github.com/forseti-security/terraform-google-forseti/pull/401
+[#400]: https://github.com/forseti-security/terraform-google-forseti/pull/400
+[#399]: https://github.com/forseti-security/terraform-google-forseti/pull/399
+[#395]: https://github.com/forseti-security/terraform-google-forseti/pull/395
+[#394]: https://github.com/forseti-security/terraform-google-forseti/pull/394
+[#393]: https://github.com/forseti-security/terraform-google-forseti/pull/393
+[#392]: https://github.com/forseti-security/terraform-google-forseti/pull/392
+[#391]: https://github.com/forseti-security/terraform-google-forseti/pull/391
 [#386]: https://github.com/forseti-security/terraform-google-forseti/pull/386
 [#385]: https://github.com/forseti-security/terraform-google-forseti/pull/385
 [#383]: https://github.com/forseti-security/terraform-google-forseti/pull/383

CONTRIBUTORS

@@ -3,7 +3,7 @@
 # https://developers.google.com/open-source/cla/individual
 # https://developers.google.com/open-source/cla/corporate
 #
-# Names listed here are sourced from Github profiles. 
+# Names listed here are sourced from Github profiles.
 # Users who did not list their full name in their Github profiles are
 # listed with their Github username.
 #

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.6
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

README.md

@@ -7,7 +7,7 @@ A Google Cloud Shell Walkthrough has been setup to make it easy for users who ar
 
 If you are familiar with Terraform and would like to run Terraform from a different machine, you can skip this walkthrough and move onto the [How to Deploy](#how-to-deploy) section.
 
-[![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease510&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
+[![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease511&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
 
 ## How to Deploy
 In order to run this module you will need to be authenticated as a user that has access to the project and can create/authorize service accounts at both the organization and project levels. To login to GCP from a shell:
@@ -20,7 +20,7 @@ gcloud auth login
 The repository has several helper scripts that can be used with the deployment process.
 
 ```bash
-git clone --branch module-release-5.0.0 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
+git clone --branch modulerelease511 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
 ```
 
 ### Install Terraform
@@ -298,6 +298,7 @@ For this module to work, you need the following APIs enabled on the Forseti proj
 | resource\_enabled | Resource scanner enabled. | bool | `"true"` | no |
 | resource\_name\_suffix | A suffix which will be appended to resource names. | string | `"null"` | no |
 | resource\_violations\_should\_notify | Notify for resource violations | bool | `"true"` | no |
+| rules\_path | Path for Scanner Rules config files; if GCS, should be gs://bucket-name/path | string | `"/home/ubuntu/forseti-security/rules"` | no |
 | securitycenter\_max\_calls | Maximum calls that can be made to Security Center API | string | `"14"` | no |
 | securitycenter\_period | The period of max calls for the Security Center API (in seconds) | string | `"1.0"` | no |
 | sendgrid\_api\_key | Sendgrid.com API key to enable email notifications | string | `""` | no |

build/int.cloudbuild.yaml

@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'

examples/install_simple/README.md

@@ -12,6 +12,7 @@ This configuration is used to simply install Forseti. It includes a full Cloud S
 | domain | The domain associated with the GCP Organization ID | string | n/a | yes |
 | forseti\_email\_recipient | Forseti email recipient. | string | `""` | no |
 | forseti\_email\_sender | Forseti email sender. | string | `""` | no |
+| forseti\_version | The version of Forseti to install | string | `"v2.24.0"` | no |
 | gsuite\_admin\_email | The email of a GSuite super admin, used for pulling user directory information *and* sending notifications. | string | n/a | yes |
 | instance\_metadata | Metadata key/value pairs to make available from within the client and server instances. | map(string) | `<map>` | no |
 | instance\_tags | Tags to assign the client and server instances. | list(string) | `<list>` | no |

examples/install_simple/main.tf

@@ -36,7 +36,8 @@ provider "random" {
 }
 
 module "forseti-install-simple" {
-  source = "../../"
+  source  = "terraform-google-modules/forseti/google"
+  version = "~> 5.1"
 
   project_id = var.project_id
   org_id     = var.org_id

examples/migrate_forseti/main.tf

@@ -40,7 +40,7 @@ provider "random" {
 
 module "forseti" {
   source  = "terraform-google-modules/forseti/google"
-  version = "~> 5.0.0"
+  version = "~> 5.1"
 
   # Replace these argument values with those obtained in the Prerequisites section
   domain               = "DOMAIN"

examples/migrate_forseti/tutorial.md

@@ -30,7 +30,7 @@ Before you begin the migration process, you will need:
 - The suffix appended to the names of the Forseti resources; this is
   likely a string of seven characters like a1b2c3d.
 - A service account for the organization with the
-  [roles required by the Terraform module](https://registry.terraform.io/modules/terraform-google-modules/forseti/google/5.0.0#iam-roles).
+  [roles required by the Terraform module](https://registry.terraform.io/modules/terraform-google-modules/forseti/google/5.1.1#iam-roles).
 - A
   [JSON key file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys)
   for the service account.
@@ -160,7 +160,7 @@ to match the region where the CAI GCS bucket is deployed.
 Starting with Forseti Security 2.23, Terraform will manage your server
  configuration file for you.  Configuration options will now be input
  variables that are defined in the Terraform module. Available variables
- and their default values can be found [here](https://github.com/forseti-security/terraform-google-forseti/blob/module-release-5.0.0/variables.tf).
+ and their default values can be found [here](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease511/variables.tf).
  Default values will be used if values are not explicitly added.
  This will ensure upgrading Forseti will be as easy as possible going forward.
 
@@ -202,10 +202,10 @@ to your <walkthrough-editor-select-regex
   regex="Add any Forseti Server Configuration Variables Here">main.tf</walkthrough-editor-select-regex>.
 
 ## Obtain and Run the Import Script
-This [import script](https://github.com/forseti-security/terraform-google-forseti/blob/module-release-5.0.0/helpers/import.sh) will import the Forseti GCP resources into a local state file.
+This [import script](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease511/helpers/import.sh) will import the Forseti GCP resources into a local state file.
 
 ```sh
-curl --location --remote-name https://raw.githubusercontent.com/forseti-security/terraform-google-forseti/module-release-5.0.0/helpers/import.sh
+curl --location --remote-name https://raw.githubusercontent.com/forseti-security/terraform-google-forseti/modulerelease511/helpers/import.sh
 chmod +x import.sh
 ./import.sh -h
 ```

examples/on_gke/main.tf

@@ -70,7 +70,7 @@ provider "kubernetes" {
   load_config_file       = false
   host                   = "https://${data.google_container_cluster.forseti_cluster.endpoint}"
   token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = "${base64decode(data.google_container_cluster.forseti_cluster.master_auth.0.cluster_ca_certificate)}"
+  cluster_ca_certificate = base64decode(data.google_container_cluster.forseti_cluster.master_auth.0.cluster_ca_certificate)
 }
 
 #---------------#
@@ -85,7 +85,7 @@ provider "helm" {
     load_config_file       = false
     host                   = "https://${data.google_container_cluster.forseti_cluster.endpoint}"
     token                  = data.google_client_config.default.access_token
-    cluster_ca_certificate = "${base64decode(data.google_container_cluster.forseti_cluster.master_auth.0.cluster_ca_certificate)}"
+    cluster_ca_certificate = base64decode(data.google_container_cluster.forseti_cluster.master_auth.0.cluster_ca_certificate)
   }
   debug                           = true
   automount_service_account_token = true

examples/on_gke_end_to_end/main.tf

@@ -39,7 +39,7 @@ provider "kubernetes" {
   load_config_file       = false
   host                   = "https://${module.gke.endpoint}"
   token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = "${base64decode(module.gke.ca_certificate)}"
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
 }
 
 //*****************************************
@@ -53,8 +53,8 @@ provider "helm" {
   kubernetes {
     load_config_file       = false
     host                   = "https://${module.gke.endpoint}"
-    token                  = "${data.google_client_config.default.access_token}"
-    cluster_ca_certificate = "${base64decode(module.gke.ca_certificate)}"
+    token                  = data.google_client_config.default.access_token
+    cluster_ca_certificate = base64decode(module.gke.ca_certificate)
   }
   debug                           = true
   automount_service_account_token = true

helpers/setup.sh

@@ -137,8 +137,10 @@ gcloud services enable \
 
 if [[ "$IS_UPDATE" == "0" ]]; then
 
-    # If is an update i don't create service accout and re-download credentials
+    # Create new service accout and download credentials
     echo "Creating a new service account ${SERVICE_ACCOUNT_EMAIL} ..."
+    export FORSETI_SETUP_SERVICE_ACCOUNT_NAME="${SERVICE_ACCOUNT_NAME}"
+
     gcloud iam service-accounts \
         --project "${PROJECT_ID}" create "${SERVICE_ACCOUNT_NAME}" \
         --display-name "${SERVICE_ACCOUNT_NAME}"
@@ -148,6 +150,8 @@ if [[ "$IS_UPDATE" == "0" ]]; then
     gcloud iam service-accounts keys create "${KEY_FILE}" \
         --iam-account "${SERVICE_ACCOUNT_EMAIL}" \
         --user-output-enabled false
+
+    export GOOGLE_APPLICATION_CREDENTIALS="${KEY_FILE}"
 fi
 
 echo "Applying permissions for org $ORG_ID and project $PROJECT_ID..."

modules/cloudsql/main.tf

@@ -119,7 +119,7 @@ resource "google_sql_user" "forseti_user" {
 resource "random_password" "password" {
   length           = 16
   special          = true
-  override_special = "_%@"
+  override_special = "_@"
 }
 
 resource "null_resource" "services-dependency" {

modules/on_gke/main.tf

@@ -241,12 +241,12 @@ resource "helm_release" "forseti-security" {
 
   set {
     name  = "database.username"
-    value = module.cloudsql.forseti-cloudsql-user
+    value = base64encode(module.cloudsql.forseti-cloudsql-user)
   }
 
   set_sensitive {
     name  = "database.password"
-    value = module.cloudsql.forseti-cloudsql-password
+    value = base64encode(module.cloudsql.forseti-cloudsql-password)
   }
 
   set {
@@ -276,7 +276,7 @@ resource "helm_release" "forseti-security" {
 
   set_string {
     name  = "server.config.contents"
-    value = "${base64encode(data.http.server_config_contents.body)}"
+    value = base64encode(data.http.server_config_contents.body)
   }
 
   set {
@@ -346,7 +346,7 @@ resource "helm_release" "forseti-security" {
 
   set_sensitive {
     name  = "configValidator.policyLibrary.gitSync.privateSSHKey"
-    value = "${base64encode(local.git_sync_private_ssh_key)}"
+    value = base64encode(local.git_sync_private_ssh_key)
   }
 
   set {

modules/real_time_enforcer/main.tf

@@ -47,18 +47,18 @@ locals {
 
   network_interface_base = {
     private = [{
-      subnetwork_project = "${local.network_project}"
-      subnetwork         = "${var.subnetwork}"
+      subnetwork_project = local.network_project
+      subnetwork         = var.subnetwork
     }]
 
     public = [{
-      subnetwork_project = "${local.network_project}"
-      subnetwork         = "${var.subnetwork}"
-      access_config      = ["${var.enforcer_instance_access_config}"]
+      subnetwork_project = local.network_project
+      subnetwork         = var.subnetwork
+      access_config      = [var.enforcer_instance_access_config]
     }]
   }
 
-  network_interface = "${local.network_interface_base[var.enforcer_instance_private ? "private" : "public"]}"
+  network_interface = local.network_interface_base[var.enforcer_instance_private ? "private" : "public"]
 }
 
 resource "google_service_account" "main" {

modules/rules/templates/rules/groups_settings_rules.yaml

@@ -40,7 +40,6 @@ rules:
     groups_emails:
       - '*'
     settings:
-      allowExternalMembers: True
       whoCanJoin: "INVITED_CAN_JOIN"
       whoCanInvite: "ALL_MANAGERS_CAN_INVITE"
       whoCanAdd: "ALL_MANAGERS_CAN_ADD"

modules/server/templates/scripts/forseti-server/forseti_server_startup_script.sh.tpl

@@ -150,6 +150,19 @@ echo "Forseti Startup - Enabling and starting Forseti service."
 systemctl enable --now forseti
 echo "Forseti Startup - Success! The Forseti API server has been enabled and started."
 
+# Increase Open File Limit
+if grep -q "ubuntu soft nofile" /etc/security/limits.conf ; then
+  echo "Ulimit soft nofile already set."
+else
+  echo "ubuntu soft nofile 32768" | sudo tee -a /etc/security/limits.conf
+fi
+
+if grep -q "ubuntu hard nofile" /etc/security/limits.conf ; then
+  echo "Ulimit hard nofile already set."
+else
+  echo "ubuntu hard nofile 32768" | sudo tee -a /etc/security/limits.conf
+fi
+
 # Create a Forseti env script
 FORSETI_ENV="$(cat << EOF
 #!/bin/bash

test/fixtures/install_simple/policy-library/policies/constraints/sql_public_ip.yaml

@@ -1,17 +1,17 @@
-# Copyright 2019 Google LLC
+# Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPSQLPublicIpConstraintV1
 metadata: