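#!/bin/bash
# Relax the Argolis org policies and constraints that block a GKE Toolkit
# deployment in the project currently selected in gcloud config.
#
# Based on the GKE toolkit script "Modify Argolis Policies that block GKE
# Toolkit deployment".
#
# References:
# - https://cloud.google.com/sdk/gcloud/reference/beta/resource-manager
# - https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images
#
# Requires an authenticated gcloud with a project set. The script reads the
# project from `gcloud config get-value project` and aborts if none is set, so
# it only ever touches the project you selected beforehand.
#
# Exported environment: PROJECT_ID, BASE_DIR, WORK_DIR, ZONE. BASE_DIR, WORK_DIR
# and ZONE are exported for tooling that inherits this environment; nothing in
# this script reads them.
set -euo pipefail

# Boolean constraints whose enforcement is switched off on the project.
readonly -a BOOLEAN_POLICIES=(
  compute.requireShieldedVm
  compute.requireOsLogin
  iam.disableServiceAccountKeyCreation
  iam.disableServiceAccountCreation
)

# List constraints that are set to allow all values on the project.
readonly -a LIST_POLICIES=(
  constraints/compute.trustedImageProjects
  constraints/compute.vmExternalIpAccess
  constraints/compute.restrictSharedVpcSubnetworks
  constraints/compute.restrictSharedVpcHostProjects
  constraints/compute.restrictVpcPeering
  constraints/compute.vmCanIpForward
  constraints/compute.restrictVpnPeerIPs
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Turn off enforcement of every boolean constraint in BOOLEAN_POLICIES.
# Globals:   PROJECT_ID (read), BOOLEAN_POLICIES (read)
# Returns:   aborts the script (set -e) on the first failing gcloud call
#######################################
disable_boolean_policies() {
  local constraint
  for constraint in "${BOOLEAN_POLICIES[@]}"; do
    gcloud beta resource-manager org-policies disable-enforce "$constraint" \
      --project="$PROJECT_ID"
  done
}

#######################################
# Set every list constraint in LIST_POLICIES to allow all values.
# Globals:   PROJECT_ID (read), LIST_POLICIES (read)
# Arguments: $1 - scratch directory that receives the generated policy files
#######################################
allow_all_list_policies() {
  local scratch=$1
  local constraint policy_file
  for constraint in "${LIST_POLICIES[@]}"; do
    # One file per constraint (basename after the last '/') so a failed run
    # leaves readable evidence of what was applied.
    policy_file="${scratch}/${constraint##*/}.yaml"
    cat <<EOF > "$policy_file"
constraint: ${constraint}
listPolicy:
  allValues: ALLOW
EOF
    gcloud resource-manager org-policies set-policy "$policy_file" \
      --project="$PROJECT_ID"
  done
}

#######################################
# Create the "default" auto-mode network and its allow-internal firewall rule
# unless they already exist, so re-running the script does not fail on
# "already exists".
# Globals:   PROJECT_ID (read)
#######################################
ensure_default_network() {
  if ! gcloud compute networks describe default --project="$PROJECT_ID" >/dev/null 2>&1; then
    gcloud compute networks create default --subnet-mode=auto --mtu=1460 \
      --bgp-routing-mode=regional --project="$PROJECT_ID"
  fi
  # 10.128.0.0/9 is the range auto-mode subnets are allocated from; all
  # protocols are allowed between VMs inside the VPC, as in a stock GCP
  # default network. Nothing from outside that range is opened here.
  if ! gcloud compute firewall-rules describe allow-internal --project="$PROJECT_ID" >/dev/null 2>&1; then
    gcloud compute firewall-rules create allow-internal --direction=INGRESS \
      --priority=1000 --network=default --action=ALLOW --rules=all \
      --source-ranges=10.128.0.0/9 --project="$PROJECT_ID"
  fi
}

#######################################
# Write and apply a project-level org policy with a single allowAll rule for
# the given constraint (used to lift domain-restricted sharing / contacts).
# Globals:   PROJECT_ID (read)
# Arguments: $1 - scratch directory for the generated policy file
#            $2 - constraint name, e.g. iam.allowedPolicyMemberDomains
#######################################
allow_all_for_constraint() {
  local scratch=$1
  local constraint=$2
  local policy_file="${scratch}/${constraint}.yaml"
  cat <<EOT > "$policy_file"
name: projects/${PROJECT_ID}/policies/${constraint}
spec:
  rules:
  - allowAll: true
EOT
  gcloud org-policies set-policy "$policy_file"
}

#######################################
# Entry point: resolve the project, export the environment, then relax the
# policies and create the default network.
# Globals:   PROJECT_ID, BASE_DIR, WORK_DIR, ZONE (written/exported),
#            SCRATCH_DIR (written)
#######################################
main() {
  echo "********* Welcome to the Argolis opener***************"
  echo "⚡️ Fixing Org Policies and Constaints."

  command -v gcloud >/dev/null || die "gcloud not found in PATH"

  # Declaration and assignment are split so a failing gcloud is not masked.
  PROJECT_ID=$(gcloud config get-value project) || die "could not read the gcloud project"
  : "${PROJECT_ID:?no project configured; run 'gcloud config set project <PROJECT_ID>' first}"
  export PROJECT_ID
  export BASE_DIR="${BASE_DIR:-${PWD}}"
  export WORK_DIR="${WORK_DIR:-${BASE_DIR}/workdir}"
  export ZONE=us-central1-a
  echo "WORK_DIR set to $WORK_DIR"
  echo "PROJECT_ID set to $PROJECT_ID"
  gcloud config set project "$PROJECT_ID"

  # Generated policy files go to a private temp dir instead of the cwd and are
  # removed on every exit path.
  SCRATCH_DIR=$(mktemp -d) || die "mktemp failed"
  readonly SCRATCH_DIR
  trap 'rm -rf -- "$SCRATCH_DIR"' EXIT

  disable_boolean_policies
  allow_all_list_policies "$SCRATCH_DIR"
  ensure_default_network
  # Disable domain restricted sharing and domain restricted contacts.
  allow_all_for_constraint "$SCRATCH_DIR" iam.allowedPolicyMemberDomains
  allow_all_for_constraint "$SCRATCH_DIR" essentialcontacts.allowedContactDomains
}

main "$@"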