README and shell script added.

nyoung · Oct 20, 2020 · a4afcdb · a4afcdb
1 parent 6c2bed9
commit a4afcdb
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,85 @@
+# GCP Project Audit #
+
+This repo will let you audit all the IAM settings on projects in the GCP organization.
+
+## SETUP ##
+
+### Google Compute Environment ###
+
+Create the a Virtual Machine (VM) in the Google Compute Engine dashboard.
+
+Once the VM instance has been created, stop the VM instance and change the following setting:
+
+Cloud API access scopes
+Allow full access to all Cloud APIs
+
+*Hint: copy your service account information for later use*
+
+Start the VM instance back up, and enter into the SSH terminal for the machine. Run the following commands to prepare the environment for the repo:
+
+Install git:
+```sudo apt-get install git```
+
+Install pip3:
+```sudo apt-get install python3-pip```
+
+Install pandas:
+```sudo pip install pandas```
+
+**NOTE:** You are allowed [1 free F1-micro instance per month](https://cloud.google.com/free/) in your Google environment.
+
+If you don't see the ability to create an F1-micro instance from the dashboard, you can use the following example command in Cloud Shell to create one:
+
+```gcloud compute instances create <instance-name> --machine-type=f1-micro --zone=us-east1-b```
+
+
+### IAM Role ###
+
+The service account running the machine will need to have rights to query the organization, folders, and projects for the IAM policies.
+
+Create a role under the main organization with the following permissions:
+
+orgpolicy.policy.get
+resourcemanager.folders.get
+resourcemanager.folders.getIamPolicy
+resourcemanager.folders.list
+resourcemanager.projects.get
+resourcemanager.projects.getIamPolicy
+resourcemanager.projects.list
+
+Once the role has been created, add the VM instance's service account to the role.
+
+
+### Create BigQuery Table ###
+
+Create a table for the audit to push to. If you are using separate projects for BigQuery and Compute Engine, you may need to allow the service account permissions to create jobs and insert data into the table.
+
+### Create the AppScript Project ###
+
+Log into [AppScript](https://script.google.com) and create a new project. Take note of the project ID for later use.
+
+
+### Install & Configure ###
+
+Using the SSH terminal to the VM instance, clone the repo to the machine. 
+
+Copy settings.default to settings.py and edit the file using your editor of choice (if using Compute Engine, vi / vim / nano come preinstalled on some machines).
+
+Enter your organization ID, app script folder id, and any project IDs you may want to exclude.
+
+Next, edit run_audit.sh and set the TABLE variable to your BigQuery table URI.
+
+
+### Schedule The Audit ###
+
+You will need to change the execution permission on the run_audit.sh script to allowed (chmod +x run_audit.sh).
+
+Use crontab (or your favorite scheduler) to execute the script on your desired schedule.
+
+### Who do I talk to? ###
+
+* Nick Young
+* nickyoung@uncg.edu
+
+* Tim Watts
+* timwatts@uncg.edu
diff --git a/run_audit.sh b/run_audit.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# get the current directory
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+# table URI in project:dataset.table format
+TABLE="<project>:<dataset>.<table>"
+
+# run the audit files
+python3 "$DIR/get_folders.py"
+python3 "$DIR/get_projects.py"
+python3 "$DIR/owner_report.py"
+
+# load into BQ table
+bq load --source_format=NEWLINE_DELIMITED_JSON "$DIR/owners_nldj.json" $TABLE "$DIR/schema.json"
diff --git a/settings.default b/settings.default
@@ -7,4 +7,5 @@ ORGANIZATION_ID = ''
 APPS_SCRIPT_FOLDER_ID = ''
 
 # projects to exclude in the audit
+# comma separated, ex ['project_id_2','project_id_2']
 EXCLUDED_PROJECTS = []