Skip to content

used dynamic block to handle lack of device policy #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Apr 6, 2020
Merged

used dynamic block to handle lack of device policy #31

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7d402fc
used dynamic block to handle lack of device policy
Mar 24, 2020
6afd7c8
changed device_policy_enabled default value to true
Mar 25, 2020
7335acf
fixed issues that were causing integration tests to break
Mar 25, 2020
51cde4a
removed device enabled variable
Apr 5, 2020
395a552
fixed string formatting error
Apr 5, 2020
6b0fb57
refering to the variables using var. notation
Apr 5, 2020
6adc3b1
update the expression that determines if device policy needs to be en…
Apr 5, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion examples/bq-exfil-demo/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ variable "enabled_apis" {
"iap.googleapis.com",
"oslogin.googleapis.com",
"compute.googleapis.com",
"bigquery-json.googleapis.com",
"bigquery.googleapis.com",
"storage-api.googleapis.com",
]
}
18 changes: 11 additions & 7 deletions modules/access_level/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,14 +32,18 @@ resource "google_access_context_manager_access_level" "access_level" {
members = var.members
negate = var.negate

device_policy {
require_screen_lock = var.require_screen_lock
allowed_encryption_statuses = var.allowed_encryption_statuses
allowed_device_management_levels = var.allowed_device_management_levels
dynamic "device_policy" {
for_each = var.device_policy_enabled ? [{}] : []
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of introducing a new variable, I think we can compute this value.

Ex:

require_screen_lock || length(allowed_encryption_statuses) >= 0 || length(allowed_device_management_levels) >= 0 || minimum_version != "" || os_type != "OS_UNSPECIFIED

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made the change you had suggested. I had to make a few minor changes. I tested it locally. It seems to be working however some integration tests seem to be failing. I don't have any visibility into why the tests are failing. Let me know if I need to make any more changes. Thanks

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI you should be able to run the integration tests locally, but I'll take a look.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@morgante I went through the contribution guide to run the integration tests locally. It required using a service account with folder level permissions. It also has access. context manager policy admin permissions.

When I run
make docker_test_perpare

Error: error creating project ci-project-policy-test-0-dbc5 (ci-project-policy-test-0): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the roles/resourcemanager.projectCreator permission

on .terraform/modules/project-vpc-service-controls-policy-0/modules/core_project_factory/main.tf line 126, in resource "google_project" "main":
126: resource "google_project" "main" {

I did give the service account "Project Creator" Project Creator Permissions before running the make command.
I will keep on debugging this error.

Thanks for your help


os_constraints {
minimum_version = var.minimum_version
os_type = var.os_type
content {
require_screen_lock = var.require_screen_lock
allowed_encryption_statuses = var.allowed_encryption_statuses
allowed_device_management_levels = var.allowed_device_management_levels

os_constraints {
minimum_version = var.minimum_version
os_type = var.os_type
}
}
}
}
Expand Down
6 changes: 6 additions & 0 deletions modules/access_level/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,12 @@ variable "negate" {
default = false
}

variable "device_policy_enabled" {
description = "This conditional is used to determine if device policy block needs to be created. Must to set to false if you want to not create device policy"
type = bool
default = true
}

variable "require_screen_lock" {
description = "Condition - Whether or not screenlock is required for the DevicePolicy to be true."
type = bool
Expand Down
6 changes: 3 additions & 3 deletions test/setup/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ module "project-vpc-service-controls" {
"storage-api.googleapis.com",
"serviceusage.googleapis.com",
"accesscontextmanager.googleapis.com",
"bigquery-json.googleapis.com",
"bigquery.googleapis.com",
"bigquerystorage.googleapis.com",
"compute.googleapis.com"
]
Expand All @@ -51,7 +51,7 @@ module "project-vpc-service-controls-policy-0" {
billing_account = var.billing_account

activate_apis = [
"bigquery-json.googleapis.com",
"bigquery.googleapis.com",
"bigquerystorage.googleapis.com"
]
}
Expand All @@ -67,7 +67,7 @@ module "project-vpc-service-controls-policy-1" {
billing_account = var.billing_account

activate_apis = [
"bigquery-json.googleapis.com",
"bigquery.googleapis.com",
"bigquerystorage.googleapis.com"
]
}