Merge pull request #34 from bridgecrewio/feature/add_initial_gcp

Add initial GCP scenarios

.github/template.md

@@ -15,6 +15,7 @@ TerraGoat is a learning and training project that demonstrates how common config
 * [Getting Started](#getting-started)
   * [AWS](#aws-setup)
   * [Azure](#azure-setup)
+  * [GCP](#gcp-setup)
 * [Contributing](#contributing)
 * [Support](#support)
 
@@ -172,6 +173,57 @@ terraform apply
 terraform destroy
 ```
 
+### GCP Setup
+
+#### Installation (GCP)
+
+You can deploy multiple TerraGoat stacks in a single GCP project using the parameter `TF_VAR_environment`.
+
+#### Create a GCS backend to keep Terraform state
+
+To use terraform, a Service Account and matching set of credentials are required.
+If they do not exist, they must be manually created for the relevant project.
+To create the Service Account:
+1. Sign into your GCP project, go to `IAM` > `Service Accounts`.
+2. Click the `CREATE SERVICE ACCOUNT`.
+3. Give a name to your service account (for example - `terragoat`) and click `CREATE`.
+4. Grant the Service Account the `Project` > `Editor` role and click `CONTINUE`.
+5. Click `DONE`.
+
+To create the credentials:
+1. Sign into your GCP project, go to `IAM` > `Service Accounts` and click on the relevant Service Account.
+2. Click `ADD KEY` > `Create new key` > `JSON` and click `CREATE`. This will create a `.json` file and download it to your computer.
+
+We recommend saving the key with a nicer name than the auto-generated one (i.e. `terragoat_credentials.json`), and storing the resulting JSON file inside `terraform/gcp` directory of terragoat.
+Once the credentials are set up, create the BE configuration as follows:
+
+```bash
+export TF_VAR_environment="dev"
+export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
+export TF_VAR_credentials_path=<PATH_TO_CREDNETIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
+export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>
+
+# Create storage bucket
+gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
+```
+
+#### Apply TerraGoat (GCP)
+
+```bash
+cd terraform/gcp/
+terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
+    -backend-config "credentials=$TF_VAR_credentials_path" \
+    -backend-config "prefix=terragoat/${TF_VAR_environment}"
+
+terraform apply
+```
+
+#### Remove TerraGoat (GCP)
+
+```bash
+terraform destroy
+```
+
 ## Bridgecrew's IaC herd of goats
 
 * [CfnGoat](https://github.com/bridgecrewio/cfngoat) - Vulnerable by design Cloudformation template

.gitignore

@@ -21,6 +21,9 @@ override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
+credentials.json
+*.tfbackend
+*.tfvars
 
 # Include override files you do wish to add to version control using negated pattern
 #

terraform/gcp/gcs.tf

@@ -0,0 +1,10 @@
+resource "google_storage_bucket" "terragoat_website" {
+  name          = "terragot-${var.environment}"
+  force_destroy = true
+}
+
+resource "google_storage_bucket_iam_binding" "allow_public_read" {
+  bucket  = google_storage_bucket.terragoat_website.id
+  members = ["allUsers"]
+  role    = "roles/storage.objectViewer"
+}

terraform/gcp/gke.tf

@@ -0,0 +1,21 @@
+data "google_compute_zones" "available_zones" {
+  project = var.project
+  region  = var.region
+}
+
+resource "google_container_cluster" "workload_cluster" {
+  name               = "terragoat-${var.environment}-cluster"
+  logging_service    = "none"
+  location           = data.google_compute_zones.available_zones.names[0]
+  initial_node_count = 1
+
+  enable_legacy_abac = true
+  monitoring_service = "none"
+  remove_default_node_pool = true
+
+  master_authorized_networks_config {
+    cidr_blocks {
+      cidr_block = "0.0.0.0/0"
+    }
+  }
+}

terraform/gcp/provider.tf

@@ -0,0 +1,12 @@
+provider "google" {
+  credentials = file(var.credentials_path)
+  project     = var.project
+  region      = var.region
+}
+
+terraform {
+  backend "gcs" {
+    credentials = var.credentials_path
+    prefix      = "terragoat/${var.environment}"
+  }
+}

terraform/gcp/variables.tf

@@ -0,0 +1,19 @@
+variable "credentials_path" {
+  type        = string
+  description = "Path to credentials file"
+}
+
+variable "project" {
+  type        = string
+  description = "The GCP project to be deployed to"
+}
+
+variable "region" {
+  default = "us-central1"
+  type    = string
+}
+
+variable "environment" {
+  default     = "dev"
+  description = "The environment name"
+}