/** * Copyright 2021 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ # Append all resource names to help with testing # buckets must be all lowercase for buckets resource "random_string" "random_name" { length = 4 min_lower = 4 special = false } locals { region = split("-", var.zone)[0] folder_trusted = "folders/${data.google_project.trusted_analytics.folder_id}" bootstrap_bkt_name = format("restricted-%s-%s", var.bootstrap_notebooks_bucket_name, random_string.random_name.result) } # The key ring holds data keys that encrypt any PII data at rest such as BQ, GCS, or boot images. # Initial key is HSM backed key rotates every 45 days. module "kms_data" { source = "terraform-google-modules/kms/google" version = "~> 1.2" project_id = var.project_trusted_kms location = local.region keyring = format("trusted-data-keyring-%s", random_string.random_name.result) keys = [var.notebook_key_name] key_protection_level = "HSM" key_rotation_period = "3888000s" # 45 days } module "bootstrap" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "~> 1.7" project_id = var.project_trusted_kms name = local.bootstrap_bkt_name location = local.region force_destroy = true encryption = { default_kms_key_name = module.kms_data.keys[var.notebook_key_name] } } # IAM for the AI Platform user service account to read the post startup script. resource "google_storage_bucket_iam_member" "member" { bucket = module.bootstrap.bucket.name role = "roles/storage.objectViewer" member = "serviceAccount:${google_service_account.sa_p_notebook_compute.email}" } resource "google_storage_bucket_object" "postscript" { name = "post_startup_script.sh" source = "${path.module}/bootstrap_files/post_startup_script.sh" bucket = module.bootstrap.bucket.name } # IAM policy for each user (ie. data scientist) resource "google_project_iam_member" "notebook_caip_user_iam" { project = var.project_trusted_analytics role = "roles/notebooks.viewer" for_each = toset(var.trusted_scientists) member = each.value } # Creates a trusted notebook per relevant user that has file # download disabled. Although some values are hard-coded, you can # customize them using variables. resource "google_notebooks_instance" "caip_nbk_p_trusted" { provider = google-beta project = var.project_trusted_analytics # var.trusted_scientists has users that are defined with the IAM type such as "user:aaa@example.com", "group:bbb@example.com", "serviceAccount:ccc@example.com". # Therefore, we need to remove the prefix type for_each = toset(split("\n",replace(join("\n",tolist(var.trusted_scientists)),"/\\S+:/",""))) service_account = google_service_account.sa_p_notebook_compute.email # replace characters with dash (-) from user identities not supported in GCE instance names such as period (.), apostrophe ('), underscore (_) name = format("caip-nbk-%s-%s-%s", var.notebook_name_prefix, split("@", replace(each.value, "/[.'_]+/", "-"))[0], random_string.random_name.result) location = var.zone machine_type = "n1-standard-1" vm_image { project = "deeplearning-platform-release" image_family = "tf-latest-cpu" } instance_owners = [each.value] post_startup_script = format("%s/%s", module.bootstrap.bucket.url, google_storage_bucket_object.postscript.name) install_gpu_driver = false boot_disk_type = "PD_SSD" boot_disk_size_gb = 110 disk_encryption = "CMEK" kms_key = module.kms_data.keys[var.notebook_key_name] # only allow network with private IP no_public_ip = true # If true, forces to use an SSH tunnel. no_proxy_access = false network = var.trusted_private_network subnet = var.trusted_private_subnet labels = { blueprint = "security" } metadata = { terraform = "true" proxy-mode = "mail" proxy-user-mail = each.value notebook-disable-root = "true" notebook-disable-downloads = "true" notebook-disable-nbconvert = "true" serial-port-enable = "FALSE" block-project-ssh-keys = "TRUE" } lifecycle { prevent_destroy = false ignore_changes = [ # Ignore changes to the following attributes to allow idempotent re-deployment # when re-applying, terraform cannot get the disk-encryption type even though it's already set to CMEK create_time, disk_encryption, kms_key, update_time, vm_image, ] } depends_on = [ module.kms_data, module.iam_grant_policy, google_storage_bucket_object.postscript, google_service_account.sa_p_notebook_compute, google_compute_subnetwork_iam_binding.subnet_binding, ] } module "access_level_members_higher_trust" { source = "terraform-google-modules/vpc-service-controls/google//modules/access_level" version = "~> 2.0" policy = var.default_policy_id name = format("higher_trust_notebooks_members_%s", random_string.random_name.result) members = var.trusted_scientists ip_subnetworks = var.vpc_perimeter_ip_subnetworks # Note: Below are additional policy attributes you should configure based on your security policies, which are additional context information part of endpoint verification configuration. # regions = var.vpc_perimeter_regions # allowed_encryption_statuses = ["ENCRYPTED"] # require_corp_owned = true # require_screen_lock = true } data "google_project" "trusted_data" { project_id = var.project_trusted_data } data "google_project" "trusted_analytics" { project_id = var.project_trusted_analytics } data "google_project" "trusted_kms" { project_id = var.project_trusted_kms } module "regular_service_perimeter_higher_trust" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" version = "~> 2.0" policy = var.default_policy_id perimeter_name = format("higher_trust_notebooks_%s", random_string.random_name.result) description = "Perimeter shielding Notebook projects with PII data" resources = [ "${data.google_project.trusted_data.number}", "${data.google_project.trusted_analytics.number}", "${data.google_project.trusted_kms.number}", ] access_levels = [module.access_level_members_higher_trust.name] restricted_services = [ "compute.googleapis.com", "storage.googleapis.com", "notebooks.googleapis.com", "bigquery.googleapis.com", "datacatalog.googleapis.com", "dataflow.googleapis.com", "dlp.googleapis.com", "cloudkms.googleapis.com", "secretmanager.googleapis.com", "cloudasset.googleapis.com", "cloudfunctions.googleapis.com", "pubsub.googleapis.com", "monitoring.googleapis.com", "logging.googleapis.com" ] depends_on = [ google_notebooks_instance.caip_nbk_p_trusted, ] }