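#!/bin/bash
# Relax the Argolis org policies and constraints that block a GKE Toolkit
# deployment in the currently configured gcloud project.
#
# Based on the GKE toolkit script "Modify Argolis Policies that block GKE
# Toolkit deployment".
#
# References:
# - https://cloud.google.com/sdk/gcloud/reference/beta/resource-manager
# - https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images
#
# Usage:    ./script.sh            (no arguments)
# Env:      BASE_DIR   optional, defaults to $PWD
#           WORK_DIR   optional, defaults to $BASE_DIR/workdir (exported only)
# Requires: an authenticated gcloud with an active project
#           (`gcloud config set project <PROJECT_ID>`) and permission to
#           edit org policies and networks on that project.
#
# Every step below removes a guardrail rather than adding one (boolean
# constraints are un-enforced, list constraints and domain restrictions are
# opened to "allow all"), so the intended target is a sandbox (Argolis)
# project. The key-creation and OS Login constraints are the ones most worth
# re-enabling once the deployment is done.

set -euo pipefail

export ZONE=us-central1-a

# Boolean constraints: un-enforced with `disable-enforce` (no list values).
readonly -a boolean_constraints=(
  compute.requireShieldedVm
  compute.requireOsLogin
  iam.disableServiceAccountKeyCreation
  iam.disableServiceAccountCreation
)

# List constraints: opened to `allValues: ALLOW` through a set-policy YAML.
readonly -a list_constraints=(
  constraints/compute.trustedImageProjects
  constraints/compute.vmExternalIpAccess
  constraints/compute.restrictSharedVpcSubnetworks
  constraints/compute.restrictSharedVpcHostProjects
  constraints/compute.restrictVpcPeering
  constraints/compute.vmCanIpForward
  constraints/compute.restrictVpnPeerIPs
)

# Domain restrictions (v2 org-policy API): opened with `allowAll: true`.
readonly -a domain_policies=(
  iam.allowedPolicyMemberDomains
  essentialcontacts.allowedContactDomains
)

# Print an error to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Policy YAML is written to a private temp dir instead of the caller's CWD so
# the script never clobbers or leaves behind files where it was invoked.
policy_dir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${policy_dir:?}"; }
trap cleanup EXIT

# Resolve PROJECT_ID from the active gcloud config and fail early if unset.
resolve_project() {
  # gcloud prints nothing on stdout when no project is configured.
  PROJECT_ID=$(gcloud config get-value project) \
    || die "could not read the active gcloud project"
  [[ -n "$PROJECT_ID" ]] \
    || die "no gcloud project configured; run: gcloud config set project <PROJECT_ID>"
  export PROJECT_ID
}

# Un-enforce each boolean constraint on the project.
disable_boolean_constraints() {
  local constraint
  for constraint in "${boolean_constraints[@]}"; do
    gcloud beta resource-manager org-policies disable-enforce \
      "$constraint" --project="$PROJECT_ID"
  done
}

# Write an "allow all values" list policy per constraint and apply it.
allow_all_list_constraints() {
  local constraint policy_file
  for constraint in "${list_constraints[@]}"; do
    policy_file="${policy_dir}/${constraint##*/}.yaml"
    # allValues must be nested under listPolicy for the YAML to be valid.
    printf 'constraint: %s\nlistPolicy:\n  allValues: ALLOW\n' \
      "$constraint" >"$policy_file"
    gcloud resource-manager org-policies set-policy \
      "$policy_file" --project="$PROJECT_ID"
  done
}

# Create the auto-mode "default" network and its allow-internal rule.
# Both steps are skipped when the resource already exists so a re-run does
# not abort under `set -e` before the remaining policies are applied.
create_default_network() {
  if ! gcloud compute networks describe default \
      --project="$PROJECT_ID" >/dev/null 2>&1; then
    gcloud compute networks create default \
      --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional \
      --project="$PROJECT_ID"
  fi
  if ! gcloud compute firewall-rules describe allow-internal \
      --project="$PROJECT_ID" >/dev/null 2>&1; then
    # 10.128.0.0/9 is the range auto-mode subnets are carved from.
    gcloud compute firewall-rules create allow-internal \
      --direction=INGRESS --priority=1000 --network=default \
      --action=ALLOW --rules=all --source-ranges=10.128.0.0/9 \
      --project="$PROJECT_ID"
  fi
}

# Open the domain-restricted sharing / contacts policies to all domains.
allow_all_domains() {
  local policy policy_file
  for policy in "${domain_policies[@]}"; do
    policy_file="${policy_dir}/${policy##*.}.yaml"
    printf 'name: projects/%s/policies/%s\nspec:\n  rules:\n  - allowAll: true\n' \
      "$PROJECT_ID" "$policy" >"$policy_file"
    gcloud org-policies set-policy "$policy_file"
  done
}

main() {
  command -v gcloud >/dev/null || die "gcloud not found in PATH"

  printf '%s\n' "********* Welcome to the Argolis opener***************"
  printf '%s\n' "⚡️ Fixing Org Policies and Constaints."

  export BASE_DIR="${BASE_DIR:-$PWD}"
  export WORK_DIR="${WORK_DIR:-${BASE_DIR}/workdir}"
  resolve_project
  printf 'WORK_DIR set to %s\n' "$WORK_DIR"
  printf 'PROJECT_ID set to %s\n' "$PROJECT_ID"

  disable_boolean_constraints
  allow_all_list_constraints
  create_default_network
  allow_all_domains
}

main "$@"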