aroonavdas/gcp-service-hardening

gcp-service-hardening

Summary

This repository provides a collection of example Terraform templates for common GCP resources with security baked in.

These modules provide a secure foundation for spinning up GCP resources. They are written in alignment with Google best practices and industry standards such as the CIS Benchmarks, where applicable.

Each repository contains documentation in the form of a README.md file that specifies what security frameworks, standards, and benchmarks were applied to the templates.

Caveat: Security is ever evolving, and every company's compliance and data handling requirements are different. These modules serve as a foundation for further building up the security of your GCP organization as needs arise.

Test GCP Project

Currently the host GCP project for testing deployments of templates in this repository is the service-hardening-test project.

Cloud Build Pipeline

Triggers

Within the service-hardening-test project there are two triggers:

  1. The first is cloud-build-terraform-image, which builds a Docker image with Terraform pre-installed; this image is used by the second trigger. The repository for this trigger is jonacto-google/cloudbuild-terraform-image. The trigger activates on pushes to the main branch of that repository.

  2. The second trigger is service-hardening-pr. It watches for changes to the main branch of cxzczxzc/gcp-service-hardening and runs a plan/apply. This pipeline plans, applies, and destroys back-to-back. If you need to persist resources without destroying them, comment out lines 15-18 in cloudbuild.yaml. Just please remember to uncomment them again when you're done.

Local Development

  1. Make sure you have the GCloud SDK, Terraform, and Checkov installed locally (see the Required Software Installations section).
  2. Authenticate to GCP via the gcloud CLI with the following command and follow the subsequent prompts:
     gcloud auth application-default login
     • This command creates Application Default Credentials that Terraform can pick up and use to plan/apply without manually passing in secrets.
  3. Clone the repository.
  4. cd into the local repository directory.
  5. Run terraform init.
  6. Before committing code to the main branch, test your working branch locally by running some or all of the following:
     terraform fmt
     terraform validate
     terraform plan
     terraform apply
     checkov --directory .

Policy as Code (PaC)

For the time being, Checkov will be used as a PaC check to make sure we don't introduce any common security misconfigurations.

You can run Checkov locally by installing it (see install instructions below) and running the following command within the gcp-service-hardening repository root:

checkov --quiet --compact --directory . --framework terraform --output cli --output-file-path .

This will create the results_cli.txt file in the repository root. If you open this file you will see the failing policy checks.
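The command above writes a human-readable results_cli.txt, which is convenient to read but awkward to gate a pipeline on. The following is an added example (not code from this repository) of a small merge gate that instead consumes Checkov's machine-readable output, produced by the real `-o json` flag (e.g. `checkov --directory . --framework terraform -o json > results.json`). It assumes the top-level `results.failed_checks` shape that Checkov 2.x emits, and normalises the list form Checkov uses when more than one framework is scanned. The embedded report and the CKV_EXAMPLE_* check IDs are constructed for illustration, not captured from a real run; the `accepted_ids` set stands in for a documented risk-acceptance list.

```python
"""Gate a Checkov JSON report: fail unless every failed check is explicitly accepted.

Added example for the gcp-service-hardening README; not part of the repository.
Assumes Checkov was run with `-o json` and emits `results.failed_checks` entries
carrying check_id, check_name, resource, file_path and file_line_range.
"""
from __future__ import annotations

import json
import sys
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of Checkov JSON output (placeholder check IDs, not a real scan).
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_EXAMPLE_1", "check_name": "Example passing check",
             "resource": "google_storage_bucket.logs", "file_path": "/storage/main.tf",
             "file_line_range": [1, 20]},
        ],
        "failed_checks": [
            {"check_id": "CKV_EXAMPLE_2", "check_name": "Bucket uses uniform bucket-level access",
             "resource": "google_storage_bucket.logs", "file_path": "/storage/main.tf",
             "file_line_range": [1, 20], "guideline": "https://example.invalid/guide"},
            {"check_id": "CKV_EXAMPLE_3", "check_name": "Bucket versioning enabled",
             "resource": "google_storage_bucket.logs", "file_path": "/storage/main.tf",
             "file_line_range": [1, 20], "guideline": "https://example.invalid/guide"},
            {"check_id": "CKV_EXAMPLE_4", "check_name": "No user-managed service account keys",
             "resource": "google_service_account_key.ci", "file_path": "/iam/main.tf",
             "file_line_range": [5, 12], "guideline": "https://example.invalid/guide"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 3, "skipped": 0, "parsing_errors": 0,
                "resource_count": 2, "checkov_version": "0.0.0-constructed"},
})


@dataclass(frozen=True)
class Failure:
    check_id: str
    check_name: str
    resource: str
    file_path: str
    line_range: tuple


def load_failures(report_text: str) -> list[Failure]:
    """Extract failed checks from a Checkov JSON report (object or list of objects)."""
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    failures: list[Failure] = []
    for report in reports:
        for chk in report.get("results", {}).get("failed_checks", []):
            failures.append(Failure(
                check_id=chk["check_id"],
                check_name=chk.get("check_name", ""),
                resource=chk.get("resource", ""),
                file_path=chk.get("file_path", ""),
                line_range=tuple(chk.get("file_line_range", ())),
            ))
    return failures


def gate(report_text: str, accepted_ids: frozenset = frozenset()):
    """Return (passed, blocking, accepted).

    A failure blocks the merge unless its check_id is in accepted_ids, the
    reviewed risk-acceptance list. Accepting by check ID (not by resource)
    keeps the list short and forces each accepted control to be argued once.
    """
    failures = load_failures(report_text)
    blocking = [f for f in failures if f.check_id not in accepted_ids]
    accepted = [f for f in failures if f.check_id in accepted_ids]
    return (not blocking, blocking, accepted)


def failures_by_file(failures: list[Failure]) -> dict:
    """Group failures by Terraform file so reviewers can fix one module at a time."""
    grouped: dict = defaultdict(list)
    for f in failures:
        grouped[f.file_path].append(f)
    return dict(grouped)


def format_gate(blocking: list[Failure]) -> str:
    lines = []
    for path, fails in sorted(failures_by_file(blocking).items()):
        lines.append(f"{path}:")
        for f in fails:
            start, end = (f.line_range + (None, None))[:2]
            lines.append(f"  {f.check_id} {f.resource} (lines {start}-{end}): {f.check_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py results.json [ACCEPTED_ID ...]; with no args, uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, blocking, _ = gate(text, frozenset(sys.argv[2:]))
    print(format_gate(blocking) or "no blocking Checkov failures")
    sys.exit(0 if ok else 1)
```

In the Cloud Build pipeline this would sit between `checkov` and `terraform apply`; a non-zero exit stops the apply, which is the behaviour a PaC check should have rather than merely producing a text file to read afterwards.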

Future plans for validating Terraform:

We plan on eventually moving away from Checkov and using Policy Validation instead, as it is a GCP-native feature.

Required Software Installations

GCloud SDK: https://cloud.google.com/sdk/docs/install

Terraform: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli

Checkov: https://www.checkov.io/2.Basics/Installing%20Checkov.html
