willisc7/fix-argolis.sh

## fix-argolis.sh
#!/bin/bash
# this is based on some work done for the GKE toolkit script Modify Argolis Policies that block GKE Toolkit deployment
# References:
# - https://cloud.google.com/sdk/gcloud/reference/beta/resource-manager
# - https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images

echo "********* Welcome to the Argolis opener***************"
echo "⚡️ Fixing Org Policies and Constaints."
export PROJECT_ID=$(gcloud config get-value project)
export BASE_DIR=${BASE_DIR:="${PWD}"}
export WORK_DIR=${WORK_DIR:="${BASE_DIR}/workdir"}
export ZONE=us-central1-a
echo "WORK_DIR set to $WORK_DIR"
echo "PROJECT_ID set to $PROJECT_ID"
gcloud config set project $PROJECT_ID

# Disable Policies without Constraints
gcloud beta resource-manager org-policies disable-enforce compute.requireShieldedVm --project=$PROJECT_ID
gcloud beta resource-manager org-policies disable-enforce compute.requireOsLogin --project=$PROJECT_ID
gcloud beta resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --project=$PROJECT_ID
gcloud beta resource-manager org-policies disable-enforce iam.disableServiceAccountCreation --project=$PROJECT_ID
gcloud beta resource-manager org-policies disable-enforce compute.disableGuestAttributesAccess --project=$PROJECT_ID

# now loop and fix policies with  constraints in Argolis
# Inner Loop - Loop Through Policies with Constraints
declare -a policies=("constraints/compute.trustedImageProjects"
 "constraints/compute.vmExternalIpAccess"
 "constraints/compute.restrictSharedVpcSubnetworks"
 "constraints/compute.restrictSharedVpcHostProjects"
 "constraints/compute.restrictVpcPeering"
 "constraints/compute.vmCanIpForward"
 "constraints/compute.restrictVpnPeerIPs")

for policy in "${policies[@]}"
do
cat <<EOF > new_policy.yaml
constraint: $policy
listPolicy:
 allValues: ALLOW
EOF
    gcloud resource-manager org-policies set-policy new_policy.yaml --project=$PROJECT_ID
done
# End Inner Loop

# Create default network and allow internal communication
gcloud compute networks create default --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
gcloud compute firewall-rules create allow-internal --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=all --source-ranges=10.128.0.0/9

# Disable domain restricted sharing
cat <<EOT > allowedPolicyMemberDomains.yaml
name: projects/$PROJECT_ID/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
  - allowAll: true
EOT

gcloud org-policies set-policy allowedPolicyMemberDomains.yaml

# Disable domain restricted contacts
cat <<EOT > allowedContactDomains.yaml
name: projects/$PROJECT_ID/policies/essentialcontacts.allowedContactDomains
spec:
  rules:
  - allowAll: true
EOT

gcloud org-policies set-policy allowedContactDomains.yaml
	#!/bin/bash
	# this is based on some work done for the GKE toolkit script Modify Argolis Policies that block GKE Toolkit deployment
	# References:
	# - https://cloud.google.com/sdk/gcloud/reference/beta/resource-manager
	# - https://cloud.google.com/compute/docs/images/restricting-image-access#trusted_images

	echo "******* Welcome to the Argolis opener*************"
	echo "⚡️ Fixing Org Policies and Constaints."
	export PROJECT_ID=$(gcloud config get-value project)
	export BASE_DIR=${BASE_DIR:="${PWD}"}
	export WORK_DIR=${WORK_DIR:="${BASE_DIR}/workdir"}
	export ZONE=us-central1-a
	echo "WORK_DIR set to $WORK_DIR"
	echo "PROJECT_ID set to $PROJECT_ID"
	gcloud config set project $PROJECT_ID

	# Disable Policies without Constraints
	gcloud beta resource-manager org-policies disable-enforce compute.requireShieldedVm --project=$PROJECT_ID
	gcloud beta resource-manager org-policies disable-enforce compute.requireOsLogin --project=$PROJECT_ID
	gcloud beta resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --project=$PROJECT_ID
	gcloud beta resource-manager org-policies disable-enforce iam.disableServiceAccountCreation --project=$PROJECT_ID
	gcloud beta resource-manager org-policies disable-enforce compute.disableGuestAttributesAccess --project=$PROJECT_ID

	# now loop and fix policies with constraints in Argolis
	# Inner Loop - Loop Through Policies with Constraints
	declare -a policies=("constraints/compute.trustedImageProjects"
	"constraints/compute.vmExternalIpAccess"
	"constraints/compute.restrictSharedVpcSubnetworks"
	"constraints/compute.restrictSharedVpcHostProjects"
	"constraints/compute.restrictVpcPeering"
	"constraints/compute.vmCanIpForward"
	"constraints/compute.restrictVpnPeerIPs")

	for policy in "${policies[@]}"
	do
	cat <<EOF > new_policy.yaml
	constraint: $policy
	listPolicy:
	allValues: ALLOW
	EOF
	gcloud resource-manager org-policies set-policy new_policy.yaml --project=$PROJECT_ID
	done
	# End Inner Loop

	# Create default network and allow internal communication
	gcloud compute networks create default --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
	gcloud compute firewall-rules create allow-internal --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=all --source-ranges=10.128.0.0/9

	# Disable domain restricted sharing
	cat <<EOT > allowedPolicyMemberDomains.yaml
	name: projects/$PROJECT_ID/policies/iam.allowedPolicyMemberDomains
	spec:
	rules:
	- allowAll: true
	EOT

	gcloud org-policies set-policy allowedPolicyMemberDomains.yaml

	# Disable domain restricted contacts
	cat <<EOT > allowedContactDomains.yaml
	name: projects/$PROJECT_ID/policies/essentialcontacts.allowedContactDomains
	spec:
	rules:
	- allowAll: true
	EOT

	gcloud org-policies set-policy allowedContactDomains.yaml