### Terraform Configuration - Example Variables Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Example Terraform variables file demonstrating how to configure the parent resource, project IDs, and enable/disable specific constraints. ```hcl parent = "organizations/123456789012" # or folders/xxx or projects/xxx project_id = "your-gcp-project-id" billing_project = "your-gcp-project-id" # Enable/disable specific constraints enable_dns_constraint = true enable_dns_policy_logging_constraint = true enable_storage_constraint = true enable_vpc_private_google_access_constraint = true enable_vpc_custom_mode_constraint = true enable_compute_backend_service_logging_constraint = true enable_firewall_policy_logging_constraint = true enable_firewall_no_public_access_constraint = true ``` -------------------------------- ### Retrieve Setup Instructions from Terraform Output Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/agent-setup/README.md Fetches the dynamically generated setup instructions from Terraform output. These instructions include commands for exporting state and running the Hardening Agent. ```bash terraform output setup_instructions ``` -------------------------------- ### Install Pre-commit Hooks Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/docs/contributing.md Install the git hooks using `pre-commit install`. These hooks will run automatically on every commit to enforce code quality and security standards. ```bash pre-commit install ``` -------------------------------- ### Install GCP Hardening Agent Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/agent/README.md Install the Hardening Agent as a Gemini CLI extension using the provided URL. ```bash gemini extensions install https://github.com/GoogleCloudPlatform/gcp-hardening-toolkit ``` -------------------------------- ### Install Pre-commit and Detect-Secrets Dependencies Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/docs/contributing.md Install the required tools `pre-commit` and `detect-secrets` using pip. These tools help ensure consistent code quality and security checks. ```bash pip install pre-commit detect-secrets ``` -------------------------------- ### Install Pre-commit and Detect-Secrets Hooks Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/SECURITY.md Install the pre-commit and detect-secrets Python packages and then install the pre-commit hooks locally to prevent accidental secret leaks. ```bash pip install pre-commit detect-secrets pre-commit install ``` -------------------------------- ### Copy Terraform Variables Example Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-soc2/README.md Copies the example Terraform variables file to a new file named terraform.tfvars. This file should then be edited with your specific GCP environment values. ```bash cp terraform.tfvars.example terraform.tfvars ``` -------------------------------- ### Link GCP Hardening Agent Extension Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/agent/README.md Link the installed Hardening Agent extension to your local repository for use. ```bash gemini extensions link . ``` -------------------------------- ### Enable GCP APIs with gcloud Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/agent-setup/README.md Enables the Identity and Access Management (IAM) and Cloud Resource Manager APIs required for the agent setup. Ensure you have the necessary permissions. ```bash gcloud services enable iam.googleapis.com cloudresourcemanager.googleapis.com cloudaicompanion.googleapis.com ``` -------------------------------- ### Test Instance Creation with Custom Service Account (Should SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-constraint/README.md First, create a custom service account, then create a Compute Engine instance using this custom service account. This operation should succeed. ```bash # First create a custom service account gcloud iam service-accounts create custom-sa \ --display-name="Custom Service Account" # Create instance with custom service account gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro \ --service-account=custom-sa@PROJECT_ID.iam.gserviceaccount.com \ --scopes=cloud-platform ``` -------------------------------- ### Test Backend Service Creation (Succeed) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/backend-service-logging-constraint/README.md Create a backend service with logging enabled. This operation should succeed. ```bash # Create a backend service WITH logging enabled gcloud compute backend-services create test-backend-with-logging \ --global \ --protocol=HTTP \ --health-checks=default-health-check \ --enable-logging \ --logging-sample-rate=1.0 ``` -------------------------------- ### Test VPC Creation with gcloud (Should Succeed) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/custom-mode-vpc-constraint/README.md Create a custom-mode VPC network and then manually create subnets. These operations should succeed. ```bash # Create a custom-mode VPC network gcloud compute networks create test-custom-network \ --subnet-mode=custom # Then create subnets manually as needed gcloud compute networks subnets create test-subnet \ --network=test-custom-network \ --region=us-central1 \ --range=10.0.1.0/24 ``` -------------------------------- ### Test Firewall Rule Creation (With Logging - Should Succeed) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/firewall-logging-constraint/README.md Create a VPC firewall rule with logging explicitly enabled. This operation should succeed. ```bash # Create a firewall rule WITH logging enabled gcloud compute firewall-rules create test-rule-with-logging \ --network=default \ --allow=tcp:80 \ --source-ranges=0.0.0.0/0 \ --enable-logging ``` -------------------------------- ### Initialize and Apply Terraform Configuration Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-workforce-pool/README.md Initialize Terraform to download providers and then apply the configuration to create or update resources in your GCP environment. ```bash terraform init terraform apply ``` -------------------------------- ### Test Instance Creation with Default Service Account (Should FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-constraint/README.md Attempt to create a Compute Engine instance using the default service account. This operation should fail due to the custom organization policy constraint. ```bash # Try to create instance with default service account gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro ``` -------------------------------- ### Import Existing Constraint with Terraform Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md If constraint names conflict on re-deployment, import existing constraints into Terraform state before destroying. This example shows how to import a DNSSEC enabled constraint. Adjust the resource type and name as needed. ```bash terraform import module.dnssec_enabled_constraint.google_org_policy_custom_constraint.dnssec_enabled organizations/ORG_ID/customConstraints/custom.dnssecEnabledXXXX ``` -------------------------------- ### Test Bucket Creation Success (With Versioning) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/storage/bucket-versioning-constraint/README.md This command creates a Cloud Storage bucket with versioning explicitly enabled. It should succeed, confirming that compliant buckets can be created. ```bash # Create bucket with versioning enabled gcloud storage buckets create gs://test-bucket-with-versioning-$(date +%s) \ --location=us-central1 \ --versioning ``` -------------------------------- ### Create and Activate Python Virtual Environment Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/docs/contributing.md It is recommended to use a virtual environment to manage dependencies and avoid conflicts. This snippet shows how to create and activate a Python virtual environment. ```bash # Create the virtual environment python3 -m venv .tmp_venv # Activate the virtual environment source .tmp_venv/bin/activate ``` -------------------------------- ### Terraform Initialization and Apply - Compliant Tests Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Initialize and apply Terraform for compliant tests. This verifies that the constraints do not block legitimate, secure resource creation. ```bash cd tests/compliant terraform init terraform apply ``` -------------------------------- ### Test Backend Service Creation (Fail) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/backend-service-logging-constraint/README.md Attempt to create a backend service without logging enabled. This operation should fail due to the custom constraint. ```bash # Create a backend service without logging gcloud compute backend-services create test-backend-no-logging \ --global \ --protocol=HTTP \ --health-checks=default-health-check ``` -------------------------------- ### Terraform Deployment Commands Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-soc2/README.md Initializes Terraform, creates an execution plan, and applies the configuration to deploy the GCP Compliance SOC2 blueprint. Use -parallelism=1 for sequential application. ```bash terraform init terraform plan terraform apply -parallelism=1 ``` -------------------------------- ### Test Firewall Rule Creation (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/firewall-no-public-access-constraint/README.md Create a firewall rule using specific IP ranges. This operation should succeed as it does not violate the public access constraint. ```bash # Create a firewall rule with specific IP ranges gcloud compute firewall-rules create test-rule-specific-access \ --network=default \ --allow=tcp:80 \ --source-ranges=10.0.0.0/8,192.168.0.0/16 ``` -------------------------------- ### Test Firewall Rule Creation (No Logging - Should Fail) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/firewall-logging-constraint/README.md Attempt to create a VPC firewall rule without enabling logging. This operation should fail due to the custom constraint. ```bash # Try to create a firewall rule without logging gcloud compute firewall-rules create test-rule-no-logging \ --network=default \ --allow=tcp:80 \ --source-ranges=0.0.0.0/0 ``` -------------------------------- ### Plan and Apply Terraform Deployment Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/agent-setup/README.md Generates an execution plan for the Terraform deployment and then applies the changes to create the infrastructure. Review the plan carefully before applying. ```bash terraform plan ``` ```bash terraform apply ``` -------------------------------- ### Terraform Initialization and Apply - Non-Compliant Tests Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Initialize and apply Terraform for non-compliant tests. This verifies that the constraints successfully block insecure configurations. ```bash cd tests/non-compliant terraform init terraform apply ``` -------------------------------- ### Enable GCP Services using gcloud CLI Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-hipaa/README.md Enables necessary Google Cloud APIs in the specified project. Ensure the project is set up for quota and billing. ```bash gcloud services enable cloudbuild.googleapis.com --project ``` ```bash gcloud services enable serviceusage.googleapis.com --project ``` ```bash gcloud services enable cloudfunctions.googleapis.com --project ``` ```bash gcloud services enable artifactregistry.googleapis.com --project ``` ```bash gcloud services enable storage.googleapis.com --project ``` ```bash gcloud services enable run.googleapis.com --project ``` ```bash gcloud services enable eventarc.googleapis.com --project ``` -------------------------------- ### Set Quota Project using Environment Variable Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-foundation-org-iam/README.md Alternatively, set the quota project using environment variables. `GOOGLE_CLOUD_PROJECT` takes precedence over `GOOGLE_PROJECT`. ```bash export GOOGLE_CLOUD_PROJECT="YOUR_PROJECT_ID" ``` ```bash export GOOGLE_CLOUD_QUOTA_PROJECT="YOUR_PROJECT_ID" ``` -------------------------------- ### Test Instance Creation with Default SA and Full Scopes (Should Fail) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-full-scopes-constraint/README.md Use this gcloud command to test if the constraint successfully prevents the creation of an instance with the default service account and full scopes. ```bash # Try to create instance with default SA and full scopes gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro \ --scopes=cloud-platform ``` -------------------------------- ### Test DNS Policy Creation With Logging (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dns-policy-logging-constraint/README.md Use this gcloud command to verify that a DNS policy with logging enabled can be successfully created. ```bash # Create a DNS policy WITH logging enabled gcloud dns policies create test-policy-with-logging \ --networks=default \ --description="Test policy with logging" \ --enable-logging ``` -------------------------------- ### Initialize Terraform Configuration Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/agent-setup/README.md Initializes the Terraform working directory. This command downloads the necessary providers and modules specified in your Terraform configuration. ```bash terraform init ``` -------------------------------- ### Test Firewall Rule Creation (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/firewall-no-public-access-constraint/README.md Attempt to create a firewall rule with a public source range (0.0.0.0/0). This operation should fail due to the custom constraint. ```bash # Try to create a firewall rule with 0.0.0.0/0 source range gcloud compute firewall-rules create test-rule-public-access \ --network=default \ --allow=tcp:80 \ --source-ranges=0.0.0.0/0 ``` -------------------------------- ### Test Instance Creation with Custom SA and Full Scopes (Should Succeed) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-full-scopes-constraint/README.md Use this gcloud command to test a compliant scenario where an instance is created with a custom service account and full scopes, which should not be blocked by this constraint. ```bash # OR create instance with custom SA and full scopes gcloud iam service-accounts create custom-sa gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro \ --service-account=custom-sa@PROJECT_ID.iam.gserviceaccount.com \ --scopes=cloud-platform ``` -------------------------------- ### Test VPC Creation with gcloud (Should Fail) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/custom-mode-vpc-constraint/README.md Attempt to create an auto-mode VPC network using gcloud. This operation should fail due to the custom constraint. ```bash # Try to create an auto-mode VPC network gcloud compute networks create test-auto-network \ --subnet-mode=auto ``` -------------------------------- ### Terraform Deployment Commands Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Standard Terraform commands to initialize, plan, and apply the custom constraints configuration. ```bash terraform init terraform plan terraform apply ``` -------------------------------- ### Test Instance Creation with IP Forwarding Enabled (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-ip-forwarding-constraint/README.md Use this gcloud command to attempt creating a Compute Engine instance with IP forwarding enabled. This operation should fail due to the custom constraint. ```bash gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro \ --can-ip-forward ``` -------------------------------- ### Test DNSSEC Constraint: Create Zone (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dnssec-enabled-constraint/README.md Create a public managed zone with DNSSEC enabled. This operation should succeed as it complies with the constraint. ```bash # Create a public managed zone with DNSSEC enabled gcloud dns managed-zones create test-zone-with-dnssec \ --description="Test zone with DNSSEC" \ --dns-name="test-zone.example.com." \ --dnssec-state=on ``` -------------------------------- ### Enable SQL SSL Enforcement Constraint Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/sql/sql-ssl-enforcement-constraint/README.md Enable this variable in the root `main.tf` to activate the SQL SSL enforcement custom constraint. ```hcl enable_sql_ssl_enforcement_constraint = true ``` -------------------------------- ### Test Instance Creation with Limited Scopes (Should Succeed) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-full-scopes-constraint/README.md Use this gcloud command to test a compliant scenario where an instance is created with limited scopes, which should not be blocked by this constraint. ```bash # Create instance with default SA but limited scopes (still not recommended, but not blocked by this specific constraint) gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro \ --scopes=storage-ro,logging-write ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/custom-mode-vpc-constraint/README.md Run the Terraform apply command in the compliant test directory to verify that the creation of a custom mode VPC is allowed. ```bash cd ../../../tests/compliant terraform apply -target=google_compute_network.custom_mode_vpc ``` -------------------------------- ### Enable Cloud Identity API Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-foundation-org-iam/README.md Enable the Cloud Identity API in your quota project using the `gcloud` command. This is required for the module to function. ```bash gcloud services enable cloudidentity.googleapis.com --project YOUR_PROJECT_ID ``` -------------------------------- ### Test SQL SSL Enforcement with gcloud (should FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/sql/sql-ssl-enforcement-constraint/README.md Attempt to create a Cloud SQL instance that allows unencrypted connections to validate the custom constraint. This command should result in a precondition check failure. ```bash gcloud sql instances create violating-instance \ --project=YOUR_PROJECT_ID \ --tier=db-f1-micro \ --region=us-central1 \ --ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED ``` -------------------------------- ### Test Subnet Creation With Private Google Access (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/private-google-access-constraint/README.md Use this gcloud command to test that creating a subnet with private Google access enabled is allowed. This command should succeed. ```bash # Create subnet with private Google access enabled gcloud compute networks subnets create test-subnet-with-pga \ --network=default \ --region=us-central1 \ --range=10.0.2.0/24 \ --enable-private-ip-google-access ``` -------------------------------- ### Enable Required GCP APIs Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-demo-vulnerable-project/README.md Enables necessary Google Cloud APIs for the blueprint. Replace YOUR_PROJECT_ID with your actual project ID. ```bash gcloud services enable \ compute.googleapis.com \ storage.googleapis.com \ sqladmin.googleapis.com \ iam.googleapis.com \ container.googleapis.com \ orgpolicy.googleapis.com \ --project=YOUR_PROJECT_ID ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-constraint/README.md Apply Terraform configuration to verify that a compliant Compute Engine instance creation is allowed. ```bash cd ../../../tests/compliant terraform apply -target=google_compute_instance.compliant_instance ``` -------------------------------- ### Run All Pre-commit Checks Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/docs/contributing.md Execute pre-commit checks on all files in the repository. Use this to ensure your changes adhere to project standards before committing. ```bash pre-commit run --all-files ``` -------------------------------- ### Test BigQuery Dataset Creation With CMEK (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/bigquery/bq-dataset-cmek-constraint/README.md Use this bq CLI command to test the constraint by creating a dataset with a default CMEK encryption configuration. This operation should succeed. ```bash # Create dataset with default CMEK encryption bq mk --dataset \ --project_id=YOUR_PROJECT_ID \ --location=us-central1 \ --default_kms_key=projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME \ test_dataset ``` -------------------------------- ### Set Quota Project using gcloud Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-foundation-org-iam/README.md Configure your Google Cloud quota project using the `gcloud` command-line tool. This is essential for API usage and billing. ```bash gcloud auth application-default set-quota-project YOUR_PROJECT_ID ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/private-google-access-constraint/README.md Run this Terraform command to apply a compliant subnetwork, verifying that the Private Google Access constraint allows its creation. ```bash cd ../../../tests/compliant terraform apply -target=google_compute_subnetwork.compliant_subnetwork ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dns-policy-logging-constraint/README.md Run this command to apply the Terraform configuration for a compliant DNS policy, verifying that the constraint allows its creation. ```bash cd ../../../tests/compliant terraform apply -target=google_dns_policy.compliant_policy ``` -------------------------------- ### Test Bucket Creation Failure (No Versioning) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/storage/bucket-versioning-constraint/README.md This command attempts to create a Cloud Storage bucket without versioning enabled. It should fail with a constraint violation error, validating the custom constraint. ```bash # Try to create bucket without versioning gcloud storage buckets create gs://test-bucket-no-versioning-$(date +%s) \ --location=us-central1 ``` -------------------------------- ### Test Dataproc Cluster Creation (Succeeds with CMEK) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dataproc/dataproc-cmek-constraint/README.md Create a Dataproc cluster with CMEK encryption enabled. This command should succeed as it complies with the custom constraint. ```bash # Create cluster with CMEK encryption gcloud dataproc clusters create test-cluster \ --region=us-central1 \ --project=YOUR_PROJECT_ID \ --gce-pd-kms-key=projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME ``` -------------------------------- ### Test DNSSEC Constraint: Private Zone Exemption (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dnssec-enabled-constraint/README.md Create a private managed zone. This operation should succeed as private zones are exempt from the DNSSEC constraint. ```bash # Private zones are not affected by this constraint gcloud dns managed-zones create test-private-zone \ --description="Private zone" \ --dns-name="internal.example.com." \ --visibility=private \ --networks=default ``` -------------------------------- ### Apply Terraform Deployment Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-demo-vulnerable-project/README.md Applies the Terraform configuration to create the resources. The -auto-approve flag skips the interactive confirmation. ```bash terraform apply -auto-approve ``` -------------------------------- ### Directory Navigation Command Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Command to navigate to the root directory of the GCP hardening toolkit's custom constraints module. ```bash cd /path/to/hardening-toolkit/gcp-custom-constraints ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/bigquery/bq-dataset-cmek-constraint/README.md Run this command to apply the compliant test case in the centralized test suite, verifying that a correctly configured dataset creation is allowed. ```bash cd ../../../tests/compliant terraform apply -target=google_bigquery_dataset.compliant_dataset ``` -------------------------------- ### Test Instance Creation without IP Forwarding Enabled (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-ip-forwarding-constraint/README.md Use this gcloud command to create a Compute Engine instance without IP forwarding enabled. This operation should succeed as it complies with the constraint. ```bash gcloud compute instances create test-instance \ --zone=us-central1-a \ --machine-type=e2-micro ``` -------------------------------- ### Test Subnet Creation Without Private Google Access (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/private-google-access-constraint/README.md Use this gcloud command to test that creating a subnet without private Google access enabled is blocked by the constraint. The operation should result in a constraint violation error. ```bash # Try to create subnet without private Google access gcloud compute networks subnets create test-subnet-no-pga \ --network=default \ --region=us-central1 \ --range=10.0.1.0/24 ``` -------------------------------- ### Run GCP Triage Enum Script Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-triage-enum/README.md Execute the enum-project.sh script by providing the target GCP project ID as a command-line argument. ```bash ./enum-project.sh ``` -------------------------------- ### Test DNSSEC Constraint: Create Zone (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dnssec-enabled-constraint/README.md Attempt to create a public managed zone with DNSSEC disabled. This operation should fail due to the custom constraint. ```bash # Try to create a public managed zone with DNSSEC disabled gcloud dns managed-zones create test-zone-no-dnssec \ --description="Test zone without DNSSEC" \ --dns-name="test-zone.example.com." \ --dnssec-state=off ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/firewall-logging-constraint/README.md Apply the Terraform configuration for a compliant firewall rule to verify that creation is allowed when logging is enabled. ```bash cd ../../../tests/compliant terraform apply -target=google_compute_firewall.compliant_rule ``` -------------------------------- ### Test DNS Policy Creation Without Logging (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dns-policy-logging-constraint/README.md Use this gcloud command to test if the constraint correctly prevents the creation of a DNS policy without logging enabled. This operation should fail. ```bash # Try to create a DNS policy without logging gcloud dns policies create test-policy-no-logging \ --networks=default \ --description="Test policy without logging" ``` -------------------------------- ### Enable SCC Services Script Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-foundation-scc/README.md Use this script to enable various SCC detection services. Ensure you update the ORGANIZATION_ID and QUOTA_PROJECT variables before running. ```bash ORGANIZATION_ID="YOUR_ORGANIZATION_ID" QUOTA_PROJECT="YOUR_QUOTA_PROJECT" # Supported Services (Default): # SCC_SERVICES=( # "event-threat-detection" # "security-health-analytics" # "web-security-scanner" # "container-threat-detection" # "virtual-machine-threat-detection" # ) # Uncomment and modify SCC_SERVICES array to customize services. # For example: # SCC_SERVICES=( # "event-threat-detection" # "security-health-analytics" # ) # echo "Enabling SCC services for organization $ORGANIZATION_ID using quota project $QUOTA_PROJECT..." # for service in "${SCC_SERVICES[@]}"; do # echo "Enabling $service..." # gcloud services enable "$service.googleapis.com" --organization="$ORGANIZATION_ID" --project="$QUOTA_PROJECT" # done # echo "SCC services enabled successfully." ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/sql/sql-ssl-enforcement-constraint/README.md Apply Terraform configuration for a compliant Cloud SQL instance to verify it adheres to the SSL enforcement policy. ```bash cd tests/compliant terraform apply -target=google_sql_database_instance.compliant_sql_instance ``` -------------------------------- ### Terraform Apply Command Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Re-run `terraform apply --auto-approve` if you encounter transient errors. The GCP API often succeeds on subsequent attempts, though the error may recur. ```bash terraform apply --auto-approve ``` -------------------------------- ### Test BigQuery Dataset Creation Without CMEK (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/bigquery/bq-dataset-cmek-constraint/README.md Use this bq CLI command to test the constraint by attempting to create a dataset without a default CMEK. This operation should fail. ```bash # Try to create dataset without default CMEK bq mk --dataset \ --project_id=YOUR_PROJECT_ID \ --location=us-central1 \ test_dataset ``` -------------------------------- ### Terraform Deployment - Phased Rollout (Phase 2) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Second phase configuration for a phased rollout, enabling network security constraints after initial monitoring. Apply changes using `terraform apply` to create the newly enabled modules. ```hcl # Enable network security constraints enable_vpc_private_google_access_constraint = true enable_vpc_custom_mode_constraint = true ``` -------------------------------- ### Enable SHA Modules for SOC2 Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-soc2/README.md Use this script to enable the necessary built-in Security Health Analytics modules for SOC2 compliance. ```bash sh enable_sha_modules.sh ``` -------------------------------- ### Terraform Non-Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-constraint/README.md Apply Terraform configuration to verify that a non-compliant Compute Engine instance creation (using default SA) is blocked. ```bash cd ../../../tests/non-compliant terraform apply -target=google_compute_instance.violating_instance_default_sa ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/backend-service-logging-constraint/README.md Apply the Terraform configuration for a compliant backend service to verify the constraint allows its creation. ```bash cd ../../../tests/compliant terraform apply -target=google_compute_backend_service.compliant_service ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dnssec-enabled-constraint/README.md Apply Terraform to a compliant test scenario to verify that zone creation is allowed when DNSSEC is correctly configured. ```bash cd ../../../tests/compliant terraform apply -target=google_dns_managed_zone.compliant_zone ``` -------------------------------- ### Terraform Non-Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/instance-no-default-sa-full-scopes-constraint/README.md Run this command to apply the Terraform configuration for a non-compliant instance, verifying that creation is blocked by the policy. ```bash cd ../../../tests/non-compliant terraform apply -target=google_compute_instance.violating_instance_default_sa_full_scopes ``` -------------------------------- ### Terraform Non-Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/vpc/private-google-access-constraint/README.md Run this Terraform command to apply a subnetwork that violates the Private Google Access constraint, verifying that its creation is blocked. ```bash cd ../../../tests/non-compliant terraform apply -target=google_compute_subnetwork.violating_pga_subnet ``` -------------------------------- ### Test Public IAM Binding with gcloud (should FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/iam/no-public-bindings-constraint/README.md Use this command to test if the constraint successfully prevents granting roles to `allUsers`. An error message indicating constraint violation is expected. ```bash gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \ --member="allUsers" \ --role="roles/viewer" ``` ```bash ERROR: (gcloud.projects.add-iam-policy-binding) Precondition check failed. - Constraint custom.iamNoPublicBindings violated ``` -------------------------------- ### Authenticate to Google Cloud SDK Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-workforce-pool/README.md Authenticate to Google Cloud using Application Default Credentials. This is a prerequisite for using Terraform with GCP. ```bash gcloud auth application-default login ``` -------------------------------- ### Terraform Configuration - Main Module Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Root Terraform module orchestrating all custom constraints. It relies on variables for configuration and feature toggles. ```hcl gcp-custom-constraints/ ├── main.tf # Root module orchestrating all constraints ├── variables.tf # Configuration variables with feature toggles ├── terraform.tfvars.example # Example configuration template ├── modules/ # Individual constraint modules │ ├── compute/ │ ├── dns/ │ ├── storage/ │ └── vpc/ └── tests/ # Validation tests with compliant/non-compliant examples ``` -------------------------------- ### Plan Terraform Deployment Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-demo-vulnerable-project/README.md Generates an execution plan for the Terraform deployment. This shows what changes will be made to your infrastructure. ```bash terraform plan ``` -------------------------------- ### Test Dataproc Cluster Creation (Fails without CMEK) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dataproc/dataproc-cmek-constraint/README.md Attempt to create a Dataproc cluster without specifying CMEK encryption. This command should fail due to the custom constraint violation. ```bash # Try to create cluster without CMEK gcloud dataproc clusters create test-cluster \ --region=us-central1 \ --project=YOUR_PROJECT_ID ``` -------------------------------- ### Terraform Apply and Destroy with Sequential Updates Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Apply the `-parallelism=1` flag to both `terraform apply` and `terraform destroy` commands to ensure sequential execution and prevent concurrent API calls, thereby avoiding Error 409. ```bash # Recommended for apply terraform apply --auto-approve -parallelism=1 # Recommended for destroy terraform destroy --auto-approve -parallelism=1 ``` -------------------------------- ### Terraform Deployment - Phased Rollout (Phase 1) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Initial configuration for a phased rollout of constraints. This phase enables low-impact constraints like storage and logging, while disabling more critical network security constraints. ```hcl parent = "organizations/123456789012" # Start with logging and versioning only enable_storage_constraint = true enable_compute_backend_service_logging_constraint = true # Disable enforcement constraints initially enable_dns_constraint = false enable_vpc_private_google_access_constraint = false enable_vpc_custom_mode_constraint = false ``` -------------------------------- ### Deploy GCP Foundation Organization IAM Blueprint Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/README.md Manually deploy the GCP Foundation Organization IAM blueprint using Terraform. Ensure you are in the correct directory and have initialized Terraform. ```bash cd blueprints/gcp-foundation-org-iam terraform init terraform apply ``` -------------------------------- ### Deploy AlloyDB Logging Constraints Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/alloydb/logging-constraints/README.md Use this module to create organization policy constraints for AlloyDB logging flags. Specify the parent resource where the constraints will be applied. ```hcl module "alloydb_logging" { source = "./modules/gcp-custom-constraints/alloydb/logging-constraints" parent = "organizations/123456789012" } ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/storage/bucket-versioning-constraint/README.md Apply this Terraform configuration to test the creation of a compliant Cloud Storage bucket. This verifies that the organization policy allows compliant resources. ```bash cd ../../../tests/compliant terraform apply -target=google_storage_bucket.compliant_bucket ``` -------------------------------- ### GCP CLI Verification Command Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-constraint-custom-constraints/README.md Command to verify that the organization policies (constraints) have been successfully deployed and are active. ```bash gcloud org-policies list --organization=YOUR_ORG_ID ``` -------------------------------- ### Navigate to GCP Compliance SOC2 Blueprint Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-soc2/README.md Changes the current directory to the root of the GCP Compliance SOC2 blueprint. This is the first step before configuring or deploying the blueprint. ```bash cd blueprints/gcp-compliance-soc2 ``` -------------------------------- ### Apply Terraform with Parallelism 1 Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-soc2/README.md Use `-parallelism=1` when applying Terraform configurations to prevent transient 409 errors caused by concurrent updates to the Organization Policy API. ```bash terraform apply --auto-approve -parallelism=1 ``` -------------------------------- ### Run Shell Scripts for SCC and SHA Modules Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-compliance-hipaa/README.md Execute these shell scripts from your terminal to enable Security Command Center (SCC) services and Security Health Analytics (SHA) modules. ```bash ./enable_scc_services.sh ``` ```bash ./enable_sha_modules.sh ``` -------------------------------- ### Add Vertex AI Service Agent to Allowlist Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-triage-vpc-sc-service-agents/README.md Appends the Vertex AI (AI Platform) service agent to the authorized service account list if found in the violations file. ```bash # Add Vertex AI (AI Platform) Service Agent grep "gcp-sa-aiplatform-cc.iam.gserviceaccount.com" vpc_sc_violations_sa.txt >> authorized_sa_list.txt ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/compute/firewall-no-public-access-constraint/README.md Apply a Terraform configuration to test a compliant firewall rule creation with specific IP ranges. ```bash cd ../../../tests/compliant terraform apply -target=google_compute_firewall.compliant_specific_range_rule ``` -------------------------------- ### Terraform Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/iam/no-public-bindings-constraint/README.md Run this command within the compliant test directory to apply a configuration that adheres to the IAM no public bindings constraint. ```bash cd ../../../tests/compliant terraform apply -target=google_artifact_registry_repository_iam_member.compliant_iam_binding ``` -------------------------------- ### Test DNSSEC No RSASHA1 Constraint with gcloud (SUCCEED) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dnssec-no-rsasha1-constraint/README.md Create a Cloud DNS managed zone using a strong DNSSEC algorithm like RSASHA256. This operation should succeed. ```bash # Create zone with strong DNSSEC algorithm gcloud dns managed-zones create test-zone \ --dns-name=test.example.com. \ --description="Test zone with RSASHA256" \ --dnssec-state=on \ --ksk-algorithm=rsasha256 \ --zsk-algorithm=rsasha256 ``` -------------------------------- ### Configure SHA Modules Script Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-foundation-scc/README.md Use this script to enable specific Security Health Analytics modules. Update the ORGANIZATION_ID and QUOTA_PROJECT variables, and optionally customize the SHA_MODULES array. ```bash ORGANIZATION_ID="YOUR_ORGANIZATION_ID" QUOTA_PROJECT="YOUR_QUOTA_PROJECT" # Example Modules: # SHA_MODULES=( # "BUCKET_CMEK_DISABLED" # "SQL_NO_ROOT_PASSWORD" # "VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED" # "BIGQUERY_TABLE_CMEK_DISABLED" # ) # Uncomment and modify SHA_MODULES array to customize modules. # For example: # SHA_MODULES=( # "BUCKET_CMEK_DISABLED" # "SQL_NO_ROOT_PASSWORD" # ) # echo "Configuring SHA modules for organization $ORGANIZATION_ID using quota project $QUOTA_PROJECT..." # for module in "${SHA_MODULES[@]}"; do # echo "Enabling SHA module: $module..." # gcloud scc security-health-analytics custom-modules update "organizations/$ORGANIZATION_ID/securityHealthAnalyticsSettings/customModules/$module" --enable --project="$QUOTA_PROJECT" # done # echo "SHA modules configured successfully." ``` -------------------------------- ### Terraform Non-Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dns-policy-logging-constraint/README.md Execute this command to apply the Terraform configuration for a non-compliant DNS policy, confirming that the constraint blocks its creation. ```bash cd ../../../tests/non-compliant terraform apply -target=google_dns_policy.violating_policy ``` -------------------------------- ### Test DNSSEC No RSASHA1 Constraint with gcloud (FAIL) Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/dns/dnssec-no-rsasha1-constraint/README.md Attempt to create a Cloud DNS managed zone with the RSASHA1 algorithm. This operation should fail due to the custom constraint. ```bash # Try to create zone with RSASHA1 algorithm gcloud dns managed-zones create test-zone \ --dns-name=test.example.com. \ --description="Test zone with RSASHA1" \ --dnssec-state=on \ --ksk-algorithm=rsasha1 \ --zsk-algorithm=rsasha1 ``` -------------------------------- ### Terraform Non-Compliant Test Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/modules/gcp-custom-constraints/bigquery/bq-dataset-cmek-constraint/README.md Run this command to apply the non-compliant test case in the centralized test suite, verifying that a dataset creation violating the constraint is blocked. ```bash cd ../../../tests/non-compliant terraform apply -target=google_bigquery_dataset.violating_bq_dataset ``` -------------------------------- ### Add Cloud Workstations Service Agent to Allowlist Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-triage-vpc-sc-service-agents/README.md Appends the Cloud Workstations service agent to the authorized service account list if found in the violations file. ```bash # Add Cloud Workstations Service Agent grep "gcp-sa-workstationsvm.iam.gserviceaccount.com" vpc_sc_violations_sa.txt >> authorized_sa_list.txt ``` -------------------------------- ### Apply VPC-SC Changes with Terraform Source: https://github.com/googlecloudplatform/gcp-hardening-toolkit/blob/main/blueprints/gcp-triage-vpc-sc-service-agents/README.md Use `terraform apply` to authorize the service accounts listed in your `authorized_sa_list.txt` file to your VPC Service Controls perimeter. ```bash terraform apply ```