Teri Radichel

Summary

The provided content discusses programmatic governance in Google Cloud Platform (GCP), detailing mechanisms such as Resource Manager, Deployment Manager, templates, and APIs for managing and deploying resources, while emphasizing the importance of maintaining code integrity and security.

Abstract

The article delves into the programmatic governance capabilities within GCP, outlining the use of Resource Manager for structuring resources and the Deployment Manager for resource deployment. It highlights the creation of configurations and templates in YAML format, which correspond to API calls for resource creation. The author, Teri Radichel, advocates for the use of non-executable code in templates to ensure security and integrity, suggesting a preference for static templates over executable code generation within the deployment pipeline. The piece also touches on the current limitations and pre-GA status of certain GCP features, such as folder creation in Deployment Manager and custom organizational policy constraints, while noting the potential for future enhancements.


Programmatic Governance in GCP

Multicloud.7 Deployments, Configurations, Templates, gcloud, and API calls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Multi-Cloud Security | GCP & Google Security.

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I looked at some mechanisms to apply policies in Azure.

In this post, I’m going to walk through some of the options for programmatic policies and governance in GCP.

Resource Manager

GCP has a feature named Resource Manager that allows you to define a structure for resources in your organization.

Resource Manager is the feature that offers GCP Organizations and organization policies as well as folders, projects, and IAM Policy management. I explained a bit about how Organizations, organization policies and constraints, folders, and projects work in this post:

How can we manage these things programmatically, so we can check the code into source control that manages the objects and monitor changes to them on the way in?

Deployment Manager

GCP Deployment Manager is the service that provides the functionality to deploy cloud resources.

Rest APIs for GCP Resources supported by Deployment Manager

The resources you can deploy with Deployment Manager are listed on this page. The links send you to the syntax to create a resource using a REST API.

Configuration

To deploy resources using GCP Deployment Manager you create a configuration. A configuration is a file written in YAML that describes the resources you want to deploy.

A resource in a configuration essentially maps to the API for that resource. The list of supported resources above links to the REST API you can use to create that resource. You can see what the mapping for a resource type would look like in the documentation below. The type in the YAML file matches the API structure for that resource. You also specify which version you are using.

You determine the properties to add to your YAML file based on the properties in the API. The first image below is the API snippet and the second image is the YAML in the configuration file.

The consistency between the API call and the template layout is nice and I presume this saves time for resource implementations at Google as well. It seems like the support for configurations could almost be generated based on the API so there’s no need to wait to “add support” for a new resource if things are maintained consistently.

You can find the syntax for configuration files here:

The layout is similar to the syntax used on other cloud platforms. Configurations are written in YAML, an option also available for AWS CloudFormation but not Azure deployments. Of course the specifics of the configuration will have different resource names and structure matching what is required by GCP, but the syntax for a list will be consistent across platforms if both use YAML to define configurations.

Templates

Configurations are monolithic stacks of resources. I’ve written before about how I prefer a different approach which I dubbed “micro-templates” here — yes I made that term up.

Instead of creating a monolithic configuration file you can break your configuration down into separate blocks of code called templates for the different resources you want to deploy. GCP’s templates work in a similar manner. You can define a template for the resource you want to create and deploy it.

Here’s the structure for a GCP configuration file which imports templates:

I love the capability to import reusable templates into a larger stack of resources. I would love to be able to reuse template snippets in AWS without requiring an S3 bucket. I have a request for that on the #awswishlist.

What I find odd is that GCP configurations are written in YAML but these included snippets are written in a different format. You can use Jinja or Python.

Jinja most closely maps to YAML. Why not just use YAML? YAML would be more portable. Jinja can be converted to YAML, but it does not sound simple. I haven’t tried this as I never had a need. Just noting that it is possible.

The thing that concerns me at first glance is the inclusion of a .py file. Is that actually executable code? As I mentioned in the post on Azure templates above, the description of your resources should not contain free-form executable code (if you are intending to have a secure deployment system that is easier to monitor.)

Let’s take a look at those .py file options.

Herein lies the problem:

I’m all for generating templates programmatically when it’s easier. In fact it was the only way I could figure out how to make deployment of certain resources easier in my automation series above. The problem is this: The free form code generation should be outside of the template. The template should describe the configuration deployed to production. Ideally the template is a static file.

The code that generates the template should be separate from the template itself so you have consistent templates that are easy to parse for drift detection and monitoring. I just also wrote about this concept for AWS LanguageTransformation which comes pretty close to a solution I would really like but needs a few tweaks.

But the py file has to conform to a particular syntax, one might argue. Does it? What happens when you have a file that ends in .py and you try to execute it on an operating system? Most systems will try to execute a py file simply by virtue of that extension. A py file is not a configuration file or definition of a configuration. That’s an executable.

What happens when someone puts something in that file that behaves in a way it should not within your deployment pipeline? It’s like when someone inserts executable code in a text box on your website and some component down the line executes that code by virtue of how it works, even though you only intended to capture text to store in a database. I haven’t fully fleshed out this idea but to me it is an unnecessary risk not worth spending a lot of time on because it is easily avoidable. You have other options.
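One way to turn the concern above into a pipeline gate is to refuse any Deployment Manager configuration that references a .py template, either in its imports list or as a resource type. The check below is an added example, not code from the article or from Google; it assumes the documented configuration layout (an `imports:` list of `path:` entries and resources whose `type:` names a template file) and scans the file line by line so it needs no YAML library. The sample configuration is constructed.

```python
"""Reject Deployment Manager configurations that pull in executable (.py)
templates before they reach the deployment pipeline.

Added example; not the article's code. Assumes the documented layout:
an ``imports:`` list of ``path:`` entries and resources whose ``type:``
names either a built-in type or a template file.
"""
import re
import sys
from typing import List

# A .py template is Python that Deployment Manager executes; Jinja and
# plain YAML are text substitution and stay in the "configuration" category.
BLOCKED_TEMPLATE_SUFFIXES = (".py",)

# Lines that name a file: "- path: foo.py" under imports, "type: foo.py" on
# a resource. Built-in types such as compute.v1.network also match the regex
# but do not end in .py, so they pass.
_FILE_REF = re.compile(r"^\s*-?\s*(path|type):\s*['\"]?([^'\"\s#]+)")

# Constructed sample: one Jinja template and one Python template referenced.
SAMPLE_CONFIG = """\
imports:
- path: network.jinja
- path: firewall.py
resources:
- name: prod-network
  type: network.jinja
  properties:
    region: us-central1
- name: prod-firewall
  type: firewall.py
"""


def find_executable_templates(config_text: str) -> List[str]:
    """Return 'line N: <key>: <file>' for every .py template the config references."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = _FILE_REF.match(line)
        if not match:
            continue
        key, ref = match.group(1), match.group(2)
        if ref.lower().endswith(BLOCKED_TEMPLATE_SUFFIXES):
            findings.append(f"line {lineno}: {key}: {ref}")
    return findings


def config_is_deployable(config_text: str) -> bool:
    """True when the configuration references no executable template."""
    return not find_executable_templates(config_text)


if __name__ == "__main__":
    # Exit non-zero so a CI job or pre-commit hook blocks the change.
    problems = find_executable_templates(SAMPLE_CONFIG)
    for problem in problems:
        print("executable template referenced:", problem)
    sys.exit(1 if problems else 0)
```

Run it as a pre-commit hook or CI step over every configuration in the repository; a clean configuration exits 0, and each .py reference is reported with its line number so the author can replace it with a static Jinja or YAML template.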

Even though I and a number of my fellow AWS Heroes are not fans of the AWS CDK for various reasons discussed at the latest AWS Heroes event I just attended in Seattle, I do like the fact that it ends up generating CloudFormation in the end. (Presuming it’s not generating executable code.) I don’t use it so I don’t know all the capabilities. I prefer to write and control my own templates for better code integrity and security. I can check them into source control and track versions. I’m also working on more ideas around integrity checking and git repository security.

The generation of code should be separate from the template that gets deployed or you could end up with a SolarWinds type incident due to lack of ability to check the integrity of what was deployed and the resulting output.

If you are going to use GCP templates and includes I would recommend staying away from the Python option or anything that executes arbitrary code within a template, as it has potential side effects you might not want. Write your Python externally to produce the configuration and templates that get deployed instead.
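Here is what "write your Python externally" can look like in practice, as an added example that is not code from the article or from Google. The script runs outside the deployment pipeline, emits a static Deployment Manager configuration for one or more projects, and records the file's SHA-256 beside it so the artifact handed to gcloud can be integrity-checked later. The resource type `cloudresourcemanager.v1.project` and its `name`, `projectId` and `parent` properties follow the Resource Manager projects.create request body referenced in the Projects section; the organization id and project ids are constructed placeholders, and the small YAML emitter is local to the script so it has no third-party dependency.

```python
"""Generate a static Deployment Manager configuration outside the pipeline and
record its SHA-256 for integrity checking.

Added example; not the article's code. The organization id and project ids
below are constructed placeholders.
"""
import hashlib
import json
from typing import Any, Dict, List

ORGANIZATION_ID = "123456789012"  # placeholder, not a real organization


def project_resource(project_id: str, display_name: str, org_id: str) -> Dict[str, Any]:
    """One resource entry that maps 1:1 onto the projects.create API body."""
    return {
        "name": project_id,
        "type": "cloudresourcemanager.v1.project",
        "properties": {
            "name": display_name,
            "projectId": project_id,
            "parent": {"type": "organization", "id": org_id},
        },
    }


def scalar(item: Any) -> str:
    """Render a scalar; strings are double-quoted so ids are never read as numbers."""
    if isinstance(item, bool):
        return "true" if item else "false"
    if isinstance(item, (int, float)):
        return str(item)
    return json.dumps(str(item))


def to_yaml(value: Any, indent: int = 0) -> str:
    """Minimal YAML emitter for the nested dict/list/scalar shapes a config uses."""
    pad = "  " * indent
    if isinstance(value, dict):
        lines = []
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(item, indent + 1))
            else:
                lines.append(f"{pad}{key}: {scalar(item)}")
        return "\n".join(lines)
    if isinstance(value, list):
        lines = []
        for item in value:
            if isinstance(item, dict):
                body = to_yaml(item, indent + 1).splitlines()
                lines.append(f"{pad}- {body[0].lstrip()}")  # first key shares the dash line
                lines.extend(body[1:])
            else:
                lines.append(f"{pad}- {scalar(item)}")
        return "\n".join(lines)
    return f"{pad}{scalar(value)}"


def render_config(project_ids: List[str], org_id: str = ORGANIZATION_ID) -> str:
    """Deterministic text of the configuration: same input, same bytes, same hash."""
    resources = [project_resource(p, p.replace("-", " ").title(), org_id) for p in project_ids]
    return to_yaml({"resources": resources}) + "\n"


def sha256_of(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def write_config(path: str, project_ids: List[str]) -> str:
    """Write the static config plus a sha256sum-style manifest; return the digest."""
    text = render_config(project_ids)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    digest = sha256_of(text)
    with open(path + ".sha256", "w", encoding="utf-8") as f:
        f.write(f"{digest}  {path}\n")
    return digest


if __name__ == "__main__":
    # Commit projects.yaml and projects.yaml.sha256 together, then deploy the
    # static file:  gcloud deployment-manager deployments create governance --config projects.yaml
    print(write_config("projects.yaml", ["sec-tooling-prod", "sec-tooling-dev"]))
```

Because the generator is deterministic, a drift check can re-render from the same inputs and compare digests, and the deployment step only ever sees a static YAML file with no code in it.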

gcloud

After you’ve created a configuration you can deploy it with the Google Cloud CLI named gcloud. Here’s the command for creating a deployment:

Deploying Governance Resources on GCP

Let’s look at how we can deploy the governance resources I introduced in my earlier post programmatically in GCP.

Projects

If you click on the list of resources supported by Google Deployment Manager above, it shows that projects are a supported resource.

The link lands you at the page with the API information for deploying a project.

Just as was done in the example above you can translate the resource and properties in the API into YAML code you can add to your configuration and template file.

Then you can deploy it with gcloud.

Folders

At the time of this writing, I don’t see an option for creation of Folders with a Deployment Manager configuration in this list. The only thing that exists at this moment for cloudresourcemanager is a project.

If we consult the documentation, gcloud and API options exist so perhaps this will be coming to Deployment Manager soon.

For now you can use gcloud:

Organization

As noted an organization is configured for you automatically when you create a Google Cloud Workspace or Identity Provider account.

Google also offers this wizard to help with the initial configuration of your organization:

The wizard is handy but note that if you use it you’re not going to have resources in source control so you can monitor deployments and configuration changes effectively. It might be better to try out the wizard in a standalone account and then figure out how to write or generate the code to deploy those resources programmatically. Also note this is “Pre-GA” meaning it’s still a bit experimental, apparently.

What would be cool is if this wizard created individual templates for each resource in a non-executable format so you could pick and choose what you want to deploy and maintain that code in your own source control system.

IAM

Just a note that I’ll cover IAM in a separate post.

Organizational Policy

Based on the currently supported resource types, it does not appear that you can deploy organization policies with GCP Deployment Manager at the time of this writing, nor via an API.

You can use built in constraints provided by GCP:

This page lists the built in constraints you can use for different GCP services:

You create a YAML file to apply the constraints with your preferred value to your organization.

Then run the set-policy command to apply the configuration value.

As you can see this is a very opinionated method of allowing you to apply policies. You can’t simply create any rule you want. You can only define the settings for certain values GCP has defined in its built-in constraints.

You can also create custom constraints to a limited degree. Here is the format for a custom constraint YAML file for GCP.

Then you can deploy the constraint with gcloud as follows:

Policies use the Common Expression Language (CEL). You’ll want to test your policies to make sure they evaluate as expected on any cloud platform.

Note that custom constraints are only supported on a handful of services at this time in Preview so you may or may not be able to use them and Google is still testing them.

As you can see, organizational policy management on GCP is a bit behind Azure or AWS at the moment but I’m sure that will change quickly. Things are always changing in cloud environments.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab