feat: add org policies to confidential computing example (#427)

Author: arthurlapertosa

examples/confidential_computing/README.md

@@ -2,7 +2,12 @@
 
 This is an example of a vm creation with confidential computing,
 encrypted disk using a multiregion (US by default) Cloud HSM key
-and a custom service account with cloud-platform scope.
+and a custom service account with cloud-platform scope. It also
+creates org policies enforcing the use of CMEK encrypted instances
+and confidential computing to all newly created VMs within the project.
+Also, an additional org policy constraint is created, which only allows
+Cloud KMS keys (used for CMEK protection) that come from the provided input project.
+Note: existing VM instances won't be affected by the new org policy.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs

examples/confidential_computing/org_policies.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential-computing-org-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id       = var.project_id
+  policy_for       = "project"
+  constraint       = "constraints/compute.restrictNonConfidentialComputing"
+  policy_type      = "list"
+  deny             = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "enforce-cmek-org-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id       = var.project_id
+  policy_for       = "project"
+  constraint       = "constraints/gcp.restrictNonCmekServices"
+  policy_type      = "list"
+  deny             = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "restrict-cmek-cryptokey-projects-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id        = var.project_id
+  policy_for        = "project"
+  constraint        = "constraints/gcp.restrictCmekCryptoKeyProjects"
+  policy_type       = "list"
+  allow             = ["projects/${var.project_id}"]
+  allow_list_length = 1
+}

test/integration/confidential_compute_instance/confidential_compute_instance_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestConfidentialInstanceTemplate(t *testing.T) {
+func TestConfidentialComputeInstance(t *testing.T) {
 	const instanceNamePrefix = "confidential-encrypted-instance"
 
 	confCompInst := tft.NewTFBlueprintTest(t)
@@ -49,6 +49,22 @@ func TestConfidentialInstanceTemplate(t *testing.T) {
 		assert.Len(disks, 1)
 		defaultSuffix := confCompInst.GetStringOutput("suffix")
 		assert.Equal(fmt.Sprintf("projects/%s/locations/us/keyRings/key-ring-test-%s/cryptoKeys/key-test-%s/cryptoKeyVersions/1", projectId, defaultSuffix, defaultSuffix), disks[0].Get("diskEncryptionKey").Get("kmsKeyName").String())
+
+		org_policy_cmek_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictNonCmekServices'", projectId).Array()
+		assert.Len(org_policy_cmek_constraint, 1)
+		cmek_denied_values_list := org_policy_cmek_constraint[0].Get("listPolicy.deniedValues").Array()
+		assert.Len(cmek_denied_values_list, 1)
+		assert.Equal("compute.googleapis.com", cmek_denied_values_list[0].String())
+		org_policy_cmek_projects := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictCmekCryptoKeyProjects'", projectId).Array()
+		assert.Len(org_policy_cmek_projects, 1)
+		cmek_allowed_projects := org_policy_cmek_projects[0].Get("listPolicy.allowedValues").Array()
+		assert.Len(cmek_allowed_projects, 1)
+		assert.Equal(fmt.Sprintf("projects/%s", projectId), cmek_allowed_projects[0].String())
+		org_policy_confidential_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/compute.restrictNonConfidentialComputing'", projectId).Array()
+		assert.Len(org_policy_confidential_constraint, 1)
+		cc_denied_values_list := org_policy_confidential_constraint[0].Get("listPolicy.deniedValues").Array()
+		assert.Len(cc_denied_values_list, 1)
+		assert.Equal("compute.googleapis.com", cc_denied_values_list[0].String())
 	})
 	confCompInst.Test()
 }

test/setup/iam.tf

@@ -38,6 +38,12 @@ resource "google_project_iam_member" "ci_vm_account" {
   member  = "serviceAccount:${google_service_account.ci_vm_account.email}"
 }
 
+resource "google_organization_iam_member" "ci_vm_account_organization" {
+  org_id = var.org_id
+  role   = "roles/orgpolicy.policyAdmin"
+  member = "serviceAccount:${google_service_account.ci_vm_account.email}"
+}
+
 resource "google_service_account_key" "ci_vm_account" {
   service_account_id = google_service_account.ci_vm_account.id
 }