feat: support deletion of firewall policies attached to folders in clean up module (#76)

daniel-cit · web-flow · commit 87037ddbb935 · 2022-06-08T14:12:01.000-05:00
* support deletion of firewall policies attached to folders

* continue processing of firewall policies on error
diff --git a/modules/project_cleanup/README.md b/modules/project_cleanup/README.md
@@ -15,6 +15,7 @@ The following services must be enabled on the project housing the cleanup functi
 - Cloud Functions (`cloudfunctions.googleapis.com`)
 - Cloud Scheduler (`cloudscheduler.googleapis.com`)
 - Cloud Resource Manager (`cloudresourcemanager.googleapis.com`)
+- Compute Engine API (`compute.googleapis.com`)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
diff --git a/modules/project_cleanup/function_source/main.go b/modules/project_cleanup/function_source/main.go
@@ -31,6 +31,7 @@ import (
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/cloudresourcemanager/v1"
 	cloudresourcemanager2 "google.golang.org/api/cloudresourcemanager/v2"
+	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/servicemanagement/v1"
 )
@@ -203,12 +204,22 @@ func getFolderServiceOrTerminateExecution(client *http.Client) *cloudresourceman
 	logger.Println("Try to get Folders Service")
 	cloudResourceManagerService, err := cloudresourcemanager2.New(client)
 	if err != nil {
-		logger.Fatalf("Fail to get Folders Servicewith error [%s], terminate execution", err.Error())
+		logger.Fatalf("Fail to get Folders Service with error [%s], terminate execution", err.Error())
 	}
 	logger.Println("Got Folders Service")
 	return cloudResourceManagerService.Folders
 }
 
+func getFirewallPoliciesServiceOrTerminateExecution(client *http.Client) *compute.FirewallPoliciesService {
+	logger.Println("Try to get Firewall Policies Service")
+	computeService, err := compute.New(client)
+	if err != nil {
+		logger.Fatalf("Fail to get Firewall Policies Service with error [%s], terminate execution", err.Error())
+	}
+	logger.Println("Got Firewall Policies Service")
+	return computeService.FirewallPolicies
+}
+
 func initializeGoogleClient(ctx context.Context) *http.Client {
 	logger.Println("Try to initialize Google client")
 	client, err := google.DefaultClient(ctx, cloudresourcemanager.CloudPlatformScope)
@@ -223,6 +234,7 @@ func invoke(ctx context.Context) {
 	client := initializeGoogleClient(ctx)
 	cloudResourceManagerService := getResourceManagerServiceOrTerminateExecution(client)
 	folderService := getFolderServiceOrTerminateExecution(client)
+	firewallPoliciesService := getFirewallPoliciesServiceOrTerminateExecution(client)
 	endpointService := getServiceManagementServiceOrTerminateExecution(client)
 
 	removeLien := func(name string) {
@@ -235,6 +247,27 @@ func invoke(ctx context.Context) {
 		}
 	}
 
+	removeFirewallPolicies := func(folder string) {
+		logger.Printf("Try to remove Firewall Policies from folder [%s]", folder)
+		firewallPolicyList, err := firewallPoliciesService.List().ParentId(folder).Context(ctx).Do()
+		if err != nil {
+			logger.Printf("Fail to list Firewall Policies from folder [%s], error [%s]", folder, err.Error())
+			return
+		}
+		for _, policy := range firewallPolicyList.Items {
+			for _, association := range policy.Associations {
+				_, err := firewallPoliciesService.RemoveAssociation(policy.Name).Name(association.Name).Context(ctx).Do()
+				if err != nil {
+					logger.Printf("Fail to Remove Association for Firewall Policies from folder [%s], error [%s]", folder, err.Error())
+				}
+			}
+			_, err := firewallPoliciesService.Delete(policy.Name).Context(ctx).Do()
+			if err != nil {
+				logger.Printf("Fail to delete Firewall Policy [%s] from folder [%s], error [%s]", policy.Name, folder, err.Error())
+			}
+		}
+	}
+
 	removeProjectById := func(projectId string) error {
 		_, err := cloudResourceManagerService.Projects.Delete(projectId).Context(ctx).Do()
 		return err
@@ -312,6 +345,7 @@ func invoke(ctx context.Context) {
 
 	removeFolder := func(folder *cloudresourcemanager2.Folder) {
 		folderId := folder.Name
+		removeFirewallPolicies(folderId)
 		logger.Printf("Try to delete folder with id [%s]", folderId)
 		_, err := folderService.Delete(folderId).Do()
 		if err != nil {
diff --git a/modules/project_cleanup/main.tf b/modules/project_cleanup/main.tf
@@ -29,7 +29,10 @@ resource "google_organization_iam_member" "main" {
     "roles/resourcemanager.projectDeleter",
     "roles/resourcemanager.folderEditor",
     "roles/resourcemanager.lienModifier",
-    "roles/owner"
+    "roles/serviceusage.serviceUsageAdmin",
+    "roles/compute.orgSecurityResourceAdmin",
+    "roles/compute.orgSecurityPolicyAdmin",
+    "roles/viewer"
   ])
 
   member = "serviceAccount:${google_service_account.project_cleaner_function.email}"
