From a4afcdb6283f1e7ba1a4751ebb426eef829d2b45 Mon Sep 17 00:00:00 2001 From: t_watts Date: Tue, 20 Oct 2020 17:16:27 -0400 Subject: [PATCH] README and shell script added. --- README.md | 85 ++++++++++++++++++++++++++++++++++++++++++++++++ run_audit.sh | 15 +++++++++ settings.default | 1 + 3 files changed, 101 insertions(+) create mode 100644 README.md create mode 100644 run_audit.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..9ef96a0 --- /dev/null +++ b/README.md @@ -0,0 +1,85 @@ +# GCP Project Audit # + +This repo will let you audit all the IAM settings on projects in the GCP organization. + +## SETUP ## + +### Google Compute Environment ### + +Create the a Virtual Machine (VM) in the Google Compute Engine dashboard. + +Once the VM instance has been created, stop the VM instance and change the following setting: + +Cloud API access scopes +Allow full access to all Cloud APIs + +*Hint: copy your service account information for later use* + +Start the VM instance back up, and enter into the SSH terminal for the machine. Run the following commands to prepare the environment for the repo: + +Install git: +```sudo apt-get install git``` + +Install pip3: +```sudo apt-get install python3-pip``` + +Install pandas: +```sudo pip install pandas``` + +**NOTE:** You are allowed [1 free F1-micro instance per month](https://cloud.google.com/free/) in your Google environment. + +If you don't see the ability to create an F1-micro instance from the dashboard, you can use the following example command in Cloud Shell to create one: + +```gcloud compute instances create --machine-type=f1-micro --zone=us-east1-b``` + + +### IAM Role ### + +The service account running the machine will need to have rights to query the organization, folders, and projects for the IAM policies. + +Create a role under the main organization with the following permissions: + +orgpolicy.policy.get +resourcemanager.folders.get +resourcemanager.folders.getIamPolicy +resourcemanager.folders.list +resourcemanager.projects.get +resourcemanager.projects.getIamPolicy +resourcemanager.projects.list + +Once the role has been created, add the VM instance's service account to the role. + + +### Create BigQuery Table ### + +Create a table for the audit to push to. If you are using separate projects for BigQuery and Compute Engine, you may need to allow the service account permissions to create jobs and insert data into the table. + +### Create the AppScript Project ### + +Log into [AppScript](https://script.google.com) and create a new project. Take note of the project ID for later use. + + +### Install & Configure ### + +Using the SSH terminal to the VM instance, clone the repo to the machine. + +Copy settings.default to settings.py and edit the file using your editor of choice (if using Compute Engine, vi / vim / nano come preinstalled on some machines). + +Enter your organization ID, app script folder id, and any project IDs you may want to exclude. + +Next, edit run_audit.sh and set the TABLE variable to your BigQuery table URI. + + +### Schedule The Audit ### + +You will need to change the execution permission on the run_audit.sh script to allowed (chmod +x run_audit.sh). + +Use crontab (or your favorite scheduler) to execute the script on your desired schedule. + +### Who do I talk to? ### + +* Nick Young +* nickyoung@uncg.edu + +* Tim Watts +* timwatts@uncg.edu \ No newline at end of file diff --git a/run_audit.sh b/run_audit.sh new file mode 100644 index 0000000..e591edc --- /dev/null +++ b/run_audit.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +# get the current directory +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" + +# table URI in project:dataset.table format +TABLE=":." + +# run the audit files +python3 "$DIR/get_folders.py" +python3 "$DIR/get_projects.py" +python3 "$DIR/owner_report.py" + +# load into BQ table +bq load --source_format=NEWLINE_DELIMITED_JSON "$DIR/owners_nldj.json" $TABLE "$DIR/schema.json" \ No newline at end of file diff --git a/settings.default b/settings.default index ee84cf2..1177fa2 100644 --- a/settings.default +++ b/settings.default @@ -7,4 +7,5 @@ ORGANIZATION_ID = '' APPS_SCRIPT_FOLDER_ID = '' # projects to exclude in the audit +# comma separated, ex ['project_id_2','project_id_2'] EXCLUDED_PROJECTS = [] \ No newline at end of file