Validate policies

Before you begin

Install Google Cloud CLI

To use gcloud beta terraform vet you must first install Google Cloud CLI:

  1. Install Google Cloud CLI but skip the gcloud init command.

  2. Run the following commands to install the terraform-tools component:

    gcloud components update gcloud components install terraform-tools

  3. Verify that the gcloud CLI is installed by running the following command:

    gcloud beta terraform vet --help

Get required permissions

The Google Cloud account that you use for validation must have the following permissions:

  • getIamPolicy: gcloud beta terraform vet needs to get full Identity and Access Management (IAM) policies and merge them with members and bindings to get an accurate end state to validate.
  • resourcemanager.projects.get: gcloud beta terraform vet needs to get project ancestry from the API in order to accurately construct a full CAI Asset Name for any projects that validated resources are related to.
  • resourcemanager.folders.get: gcloud beta terraform vet needs to get folder ancestry from the API in order to accurately construct a full CAI Asset Name if the validated resources contain any folder-related resources.

Set up a policy library

You need to create a policy library to use this tool.

Validate policies

1. Generate a Terraform plan

gcloud beta terraform vet is compatible with Terraform 0.12+. gcloud beta terraform vet takes terraform plan JSON as its input. You can generate the JSON file by running the following commands in your Terraform directory:

 terraform plan -out=tfplan.tfplan terraform show -json ./tfplan.tfplan > ./tfplan.json

2. Run gcloud beta terraform vet

gcloud beta terraform vet lets you validate your terraform plan JSON against your organization's POLICY_LIBRARY_REPO. For example:

 git clone POLICY_LIBRARY_REPO POLICY_LIBRARY_DIR gcloud beta terraform vet tfplan.json --policy-library=POLICY_LIBRARY_DIR

When you execute this command, gcloud beta terraform vet retrieves project data by using Google Cloud APIs that are necessary for an accurate validation of your plan.

Flags

  • --policy-library=POLICY_LIBRARY_DIR - Directory that contains a policy library.
  • --project=PROJECT_ID - gcloud beta terraform vet accepts an optional --project flag. This flag specifies the default project when building the ancestry (from the Google Cloud resource hierarchy) for any resource that doesn't have an explicit project set.
  • --format=FORMAT - The default is yaml. The supported formats are: default, json, none, text, yaml. For more details run $ gcloud topic formats.

Exit code and output

  • If all constraints are validated, the command returns exit code 0 and does not display violations.
  • If violations are found, gcloud beta terraform vet returns exit code 2, and displays a list of violations. For example, JSON output might look like:
 [ { "constraint": "GCPIAMAllowedPolicyMemberDomainsConstraintV2.service_accounts_only", "constraint_config": { "api_version": "constraints.gatekeeper.sh/v1alpha1", "kind": "GCPIAMAllowedPolicyMemberDomainsConstraintV2", "metadata": { "annotations": { "description": "Checks that members that have been granted IAM roles belong to allowlisted domains.", "validation.gcp.forsetisecurity.org/originalName": "service_accounts_only", "validation.gcp.forsetisecurity.org/yamlpath": "policies/constraints/iam_service_accounts_only.yaml" }, "name": "service-accounts-only" }, "spec": { "match": { "target": [ "organizations/**" ] }, "parameters": { "domains": [ "gserviceaccount.com" ] }, "severity": "high" } }, "message": "IAM policy for //cloudresourcemanager.googleapis.com/projects/PROJECT_ID contains member from unexpected domain: user:me@example.com", "metadata": { "ancestry_path": "organizations/ORG_ID/projects/PROJECT_ID", "constraint": { "annotations": { "description": "Checks that members that have been granted IAM roles belong to allowlisted domains.", "validation.gcp.forsetisecurity.org/originalName": "service_accounts_only", "validation.gcp.forsetisecurity.org/yamlpath": "policies/constraints/iam_service_accounts_only.yaml" }, "labels": {}, "parameters": { "domains": [ "gserviceaccount.com" ] } }, "details": { "member": "user:me@example.com", "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" } }, "resource": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID", "severity": "high" } ]

CI/CD example

A bash script for using gcloud beta terraform vet in a CI/CD pipeline might look like this:

terraform plan -out=tfplan.tfplan terraform show -json ./tfplan.tfplan > ./tfplan.json git clone POLICY_LIBRARY_REPO POLICY_LIBRARY_DIR VIOLATIONS=$(gcloud beta terraform vet tfplan.json --policy-library=POLICY_LIBRARY_DIR --format=json) retVal=$? if [ $retVal -eq 2 ]; then  # Optional: parse the VIOLATIONS variable as json and check the severity level  echo "$VIOLATIONS"  echo "Violations found; not proceeding with terraform apply"  exit 1 fi if [ $retVal -ne 0]; then  echo "Error during gcloud beta terraform vet; not proceeding with terraform apply"  exit 1 fi echo "No policy violations detected; proceeding with terraform apply" terraform apply

Developers can also use gcloud beta terraform vet locally to test Terraform changes prior to running your CI/CD pipeline.