validation run broken on missing assets/*.json files from the asset inventory export and hardcoded "my-unique-bucket-name" #12

Open
obriensystems opened this issue Nov 20, 2022 · 0 comments


Following
https://github.com/canada-ca/cloud-guardrails-gcp/tree/main/guardrails-validation

Workaround - turn off regional restriction on the project - or delete it on the parent and then rerun a terraform apply to get it back after

admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gcloud services enable cloudasset.googleapis.com
Operation "operations/acat.p2-502392433631-09e81fe7-570c-44a3-8345-9852d82fd884" finished successfully.
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ export MY_BUCKET_NAME=validation-ggz
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://validation-ggz/...
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gcloud asset export --output-path=gs://$MY_BUCKET_NAME/resource_inventory.json --content-type=resource --project=gr-bootstrap-ggz
Export in progress for root asset [projects/gr-bootstrap-ggz].
Use [gcloud asset operations describe projects/502392433631/operations/ExportAssets/RESOURCE/c6cfd41c3c7720348b468221cf6c688e] to check the status of the operation.
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)

admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ git clone https://github.com/canada-ca/cloud-guardrails-gcp.git


admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ ls
accelerators_accelerateurs-gcp  cloud-guardrails-gcp
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ gsutil cp gs://$MY_BUCKET_NAME/resource_inventory.json ./assets
Copying gs://validation-ggz/resource_inventory.json...
/ [1 files][ 16.8 KiB/ 16.8 KiB]
Operation completed over 1 objects/16.8 KiB.
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)


admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd
accelerators_accelerateurs-gcp/ cloud-guardrails-gcp/
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd cloud-guardrails-gcp/
.git/                  guardrails/            guardrails-validation/
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd cloud-guardrails-gcp/guardrails-validation/
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls
assets  cloudbuild.yaml  Dockerfile  install.sh  policies  README.md  run-all.sh  run.sh  tests.sh
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$


admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ./install.sh
--2022-11-20 15:39:04--  https://github.com/open-policy-agent/conftest/releases/download/v0.32.1/conftest_0.32.1_Linux_x86_64.tar.gz
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/178249461/a9c964a8-a471-41f8-aed7-86bca64ad3f8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221120T153904Z&X-Amz-Expires=300&X-Amz-Signature=7b360ba6a1ab670e8c8957132cfcfda8d28cb797571ec78759636b3b6e402da8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=178249461&response-content-disposition=attachment%3B%20filename%3Dconftest_0.32.1_Linux_x86_64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2022-11-20 15:39:04--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/178249461/a9c964a8-a471-41f8-aed7-86bca64ad3f8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221120T153904Z&X-Amz-Expires=300&X-Amz-Signature=7b360ba6a1ab670e8c8957132cfcfda8d28cb797571ec78759636b3b6e402da8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=178249461&response-content-disposition=attachment%3B%20filename%3Dconftest_0.32.1_Linux_x86_64.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12264521 (12M) [application/octet-stream]
Saving to: ‘conftest_0.32.1_Linux_x86_64.tar.gz’

conftest_0.32.1_Linux_x86_64.tar.gz      100%[=================================================================================>]  11.70M  44.0MB/s    in 0.3s

2022-11-20 15:39:04 (44.0 MB/s) - ‘conftest_0.32.1_Linux_x86_64.tar.gz’ saved [12264521/12264521]

LICENSE
README.md
conftest
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$


admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ conftest --version
Conftest: 0.32.1
OPA: 0.40.0

Run n/a due to missing json in the assets dir
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ./run.sh
Checking ./assets/*.json
cat: './assets/*.json': No such file or directory
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls ../
guardrails  guardrails-validation  LICENSE  README.md
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls
assets  cloudbuild.yaml  Dockerfile  install.sh  policies  README.md  report.txt  run-all.sh  run.sh  tests.sh
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ls assets/
admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$


run-all also requires a rename of "my-unique-bucket-name" as well as an additional storage admin role

admin_@cloudshell:~/cloudshell_open/cloud-guardrails-gcp/guardrails-validation (gr-bootstrap-ggz)$ ./run-all.sh
Your active configuration is: [cloudshell-22055]
Creating gs://my-unique-bucket-name/...
ServiceException: 409 A Cloud Storage bucket named 'my-unique-bucket-name' already exists. Try another name. Bucket names must be globally unique across all Google Cloud projects, including those outside of your organization.
ERROR: (gcloud.asset.export) code: 403
message: The billing account for the owning project is disabled in state closed
status: PERMISSION_DENIED
AccessDeniedException: 403 admin@guardrails.gcp.zone does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).
cat: './assets/*.json': No such file or directory
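The two failures shown in this session are an unexpanded `./assets/*.json` glob (the export was copied to `./assets` one directory up, not into `guardrails-validation/assets`) and a placeholder bucket name baked into `run-all.sh`. The pre-flight check below is an added example, not the project's own script: it takes the bucket from the `MY_BUCKET_NAME` variable already used in the session above, rejects the placeholder, and fails fast with a pointer to the missing copy step instead of letting `cat` hit the literal glob. The function names `resolve_bucket`, `count_assets` and `preflight` are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not cloud-guardrails-gcp's run-all.sh): pre-flight checks for
# the two problems reported in this issue, a hardcoded bucket name and an
# assets/ directory with no inventory JSON in it.
set -eu

# The bucket must come from the environment; the placeholder that ships in
# run-all.sh collides with an existing bucket (409) and is never usable.
resolve_bucket() {
  local name="${1:-}"
  if [ -z "$name" ] || [ "$name" = "my-unique-bucket-name" ]; then
    echo "set MY_BUCKET_NAME to a globally unique bucket name" >&2
    return 1
  fi
  printf '%s\n' "$name"
}

# Count the inventory files run.sh would cat. An unmatched glob stays literal
# in sh, which is exactly the "No such file or directory" error above, so we
# test each candidate with -f rather than trusting the expansion.
count_assets() {
  local dir="$1" n=0 f
  for f in "$dir"/*.json; do
    [ -f "$f" ] && n=$((n + 1))
  done
  printf '%d\n' "$n"
}

# Returns 0 when run.sh can proceed, 1 on a bad bucket name, 2 when the
# exported inventory has not been copied into the assets directory yet.
preflight() {
  local dir="$1" bucket
  bucket="$(resolve_bucket "${MY_BUCKET_NAME:-}")" || return 1
  if [ "$(count_assets "$dir")" -eq 0 ]; then
    echo "no $dir/*.json found; copy the export first:" >&2
    echo "  gsutil cp gs://$bucket/resource_inventory.json $dir/" >&2
    return 2
  fi
  return 0
}
```

Source this from `run-all.sh` and call `preflight ./assets` before the `cat ./assets/*.json` step so the script stops before the export and copy run against the wrong bucket.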
