block metadata server from docker ns and non-root

and manage keys for internal services and the compose app

Author: joecorall

README.md

@@ -35,9 +35,13 @@ Deploy a docker compose project to a Google Cloud Compute Instance.
 | [google_project_iam_member.gce-suspend](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.log](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.stackdriver](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.app](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account.cloud-compose](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account.internal-services](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account.ppb](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_member.app-keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
 | [google_service_account_iam_member.gsa-user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
+| [google_service_account_iam_member.internal-services-keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
 | [google_service_account_iam_member.token-creator](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
 | [cloudinit_config.ci](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
 | [google_project_iam_custom_role.gce-start](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project_iam_custom_role) | data source |
@@ -68,9 +72,10 @@ Deploy a docker compose project to a Google Cloud Compute Instance.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_gsaEmail"></a> [gsaEmail](#output\_gsaEmail) | n/a |
-| <a name="output_gsaId"></a> [gsaId](#output\_gsaId) | n/a |
+| <a name="output_appGsa"></a> [appGsa](#output\_appGsa) | The Google Service Account the app can leverage to auth to other Google services |
+| <a name="output_instanceGsa"></a> [instanceGsa](#output\_instanceGsa) | The Google Service Account the compute instance runs as |
 | <a name="output_instance_id"></a> [instance\_id](#output\_instance\_id) | n/a |
 | <a name="output_name"></a> [name](#output\_name) | n/a |
+| <a name="output_serviceGsa"></a> [serviceGsa](#output\_serviceGsa) | The Google Service Account internal services that manage the VM runs as |
 | <a name="output_zone"></a> [zone](#output\_zone) | n/a |
 <!-- END_TF_DOCS -->

main.tf

@@ -63,13 +63,6 @@ resource "google_service_account_iam_member" "token-creator" {
   member             = "serviceAccount:${google_service_account.cloud-compose.email}"
 }
 
-# push metrics to GCP
-resource "google_project_iam_member" "stackdriver" {
-  project = var.project_id
-  role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.cloud-compose.email}"
-}
-
 # push logs to GCP
 resource "google_project_iam_member" "log" {
   project = var.project_id
@@ -171,10 +164,50 @@ data "google_project_iam_custom_role" "gce-suspend" {
   project = var.project_id
   role_id = "suspendVM"
 }
+
+
+# =============================================================================
+# LIBOPS ADMIN SERVICES IDENTITY
+# =============================================================================
+
+resource "google_service_account" "internal-services" {
+  account_id = format("internal-services-%s", var.name)
+  project    = var.project_id
+}
+
+resource "google_service_account_iam_member" "internal-services-keys" {
+  service_account_id = google_service_account.internal-services.id
+  role               = "roles/iam.serviceAccountKeyAdmin"
+  member             = "serviceAccount:${google_service_account.cloud-compose.email}"
+}
+
+# push metrics to GCP
+resource "google_project_iam_member" "stackdriver" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.internal-services.email}"
+}
+
+# suspend the GCP instance
 resource "google_project_iam_member" "gce-suspend" {
   project = var.project_id
   role    = data.google_project_iam_custom_role.gce-suspend.name
-  member  = "serviceAccount:${google_service_account.cloud-compose.email}"
+  member  = "serviceAccount:${google_service_account.internal-services.email}"
+}
+
+# =============================================================================
+# DOCKER COMPOSE APP IDENTITY
+# =============================================================================
+
+resource "google_service_account" "app" {
+  account_id = var.name
+  project    = var.project_id
+}
+
+resource "google_service_account_iam_member" "app-keys" {
+  service_account_id = google_service_account.app.id
+  role               = "roles/iam.serviceAccountKeyAdmin"
+  member             = "serviceAccount:${google_service_account.cloud-compose.email}"
 }
 
 # =============================================================================

outputs.tf

@@ -10,10 +10,30 @@ output "instance_id" {
   value = google_compute_instance.cloud-compose.instance_id
 }
 
-output "gsaEmail" {
-  value = google_service_account.cloud-compose.email
+
+output "instanceGsa" {
+  value = {
+    email : google_service_account.cloud-compose.email,
+    id : google_service_account.cloud-compose.id,
+    name : google_service_account.cloud-compose.name,
+  }
+  description = "The Google Service Account the compute instance runs as"
+}
+
+output "serviceGsa" {
+  value = {
+    email : google_service_account.internal-services.email,
+    id : google_service_account.internal-services.id,
+    name : google_service_account.internal-services.name,
+  }
+  description = "The Google Service Account internal services that manage the VM runs as"
 }
 
-output "gsaId" {
-  value = google_service_account.cloud-compose.id
+output "appGsa" {
+  value = {
+    email : google_service_account.app.email,
+    id : google_service_account.app.id,
+    name : google_service_account.app.name,
+  }
+  description = "The Google Service Account the app can leverage to auth to other Google services"
 }

rootfs/etc/libops/docker-compose.yaml

@@ -2,7 +2,7 @@ networks:
   internal:
 services:
   libops-lightsout:
-    image: ghcr.io/libops/lightsout:main@sha256:b61680d4c2ad03f9cfe1f47341eec128df8782a453bcfd708068a6d5c8877a02
+    image: ghcr.io/libops/lightsout:main@sha256:4d38ac380c86514d72efbcce0af9ea8ffd7ff86e97abea3d0b3c946cf204eaae
     ports:
       - "8808:8808"
     networks:
@@ -13,9 +13,11 @@ services:
       GCP_PROJECT: ${GCP_PROJECT}
       GCP_ZONE: ${GCP_ZONE}
       GCP_INSTANCE_NAME: ${GCP_INSTANCE_NAME}
+      GOOGLE_APPLICATION_CREDENTIALS: /app/GOOGLE_APPLICATION_CREDENTIALS
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /mnt/disks/data:/mnt/disks/data
+      - ./GOOGLE_APPLICATION_CREDENTIALS:/app/GOOGLE_APPLICATION_CREDENTIALS:r
   libops-cadvisor:
     image: ghcr.io/google/cadvisor:v0.53.0@sha256:c3770bd6fc6c6a9cb2b47143e6b3cc3fdd9d20a8453dffbb7e09a145e7e0c4e4
     command:
@@ -45,5 +47,8 @@ services:
       GCP_ZONE: ${GCP_ZONE}
       GCP_INSTANCE_NAME: ${GCP_INSTANCE_NAME}
       CADVISOR_HOST: "libops-cadvisor:8080"
+      GOOGLE_APPLICATION_CREDENTIALS: /app/GOOGLE_APPLICATION_CREDENTIALS
+    volumes:
+      - ./GOOGLE_APPLICATION_CREDENTIALS:/app/GOOGLE_APPLICATION_CREDENTIALS:r
     depends_on:
       - libops-cadvisor

rootfs/etc/systemd/system/cloud-compose.service

@@ -8,6 +8,7 @@ StartLimitBurst=3
 [Service]
 Environment="HOME=/home/cloud-compose"
 WorkingDirectory=/mnt/disks/data/compose
+ExecStartPre=-/bin/bash /home/cloud-compose/rotate-keys-app.sh
 ExecStart=/mnt/disks/data/up
 ExecStop=/mnt/disks/data/down
 Restart=on-failure

rootfs/etc/systemd/system/internal-services.service

@@ -7,7 +7,9 @@ StartLimitBurst=3
 
 [Service]
 Environment="HOME=/home/cloud-compose"
-WorkingDirectory=/etc/libops
+WorkingDirectory=/mnt/disks/data/libops
+ExecStartPre=/bin/bash /home/cloud-compose/rotate-keys-internal.sh
+ExecStartPre=/usr/bin/test -f /mnt/disks/data/libops/GOOGLE_APPLICATION_CREDENTIALS
 ExecStart=/usr/bin/docker compose up
 ExecStop=/usr/bin/docker compose down
 Restart=on-failure

rootfs/home/cloud-compose/cron.sh

@@ -4,7 +4,11 @@ set -eou pipefail
 
 echo "Running daily cron"
 
-export DIR=/etc/libops
-bash /home/cloud-compose/rollout.sh
+pushd /home/cloud-compose
+
+bash rotate-keys-internal.sh
+bash rotate-keys-app.sh
 
 /usr/bin/docker system prune -af
+
+popd

rootfs/home/cloud-compose/host-init.sh

@@ -7,6 +7,13 @@ cleanup() {
   popd
 }
 
+# make sure out internal services dir exists
+DIR=/mnt/disks/data/libops
+if [ ! -d "$DIR" ]; then
+  mkdir "$DIR"
+fi
+cp /etc/libops/docker-compose.yaml /mnt/disks/data/libops
+
 pushd /home/cloud-compose
 
 trap cleanup EXIT
@@ -22,7 +29,11 @@ curl -sf \
 echo "HOME=/home/cloud-compose" > env.tmp
 for K in $(jq -r '.instance.attributes | keys | .[]' tmp.attr | grep -E '(DOCKER|GCP|LIBOPS)'); do
   V=$(jq -r .instance.attributes."$K" tmp.attr)
-  echo "$K=\"$V\"" >> env.tmp
+  if [[ "$V" =~ [[:space:]\$\`\\\"\'\(\)\{\}\[\]\|\&\;\<\>\*\?] ]]; then
+    echo "$K=\"$V\"" >> env.tmp
+  else
+    echo "$K=$V" >> env.tmp
+  fi
 done
 
 {
@@ -31,12 +42,13 @@ done
 } >> env.tmp
 
 # shellcheck disable=SC1091
-source env.tmp
+. ./env.tmp
+
 echo "SITE_DOCKER_REGISTRY=us-docker.pkg.dev/${GCP_PROJECT}/private" >> env.tmp
 
 if ! diff <(md5sum env.tmp) <(md5sum env); then
   mv env.tmp env
-  cp env /etc/libops/.env
+  cp env /mnt/disks/data/compose/.env
   if [ -d /mnt/disks/data/compose ]; then
     cp env /mnt/disks/data/compose/.env
   fi

rootfs/home/cloud-compose/init-app.sh

@@ -3,10 +3,9 @@
 set -eou pipefail
 
 # shellcheck disable=SC1091
-source /home/cloud-compose/env
-export HOME
+. /home/cloud-compose/env
 
-DIR=${DIR:-/mnt/disks/data/compose}
+export DIR=${DIR:-/mnt/disks/data/compose}
 
 if [ ! -d "$DIR" ]; then
   git clone -b "$DOCKER_COMPOSE_BRANCH" "$DOCKER_COMPOSE_REPO" "$DIR"
@@ -20,7 +19,6 @@ git pull origin "$DOCKER_COMPOSE_BRANCH" || echo "Unable to git pull"
 # run the docker compose init command if it exists
 /mnt/disks/data/init
 
-export DIR
 bash /home/cloud-compose/rollout.sh
 
 chgrp developers /mnt/disks/data/compose

rootfs/home/cloud-compose/rotate-keys-app.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+pushd /home/cloud-compose
+
+# shellcheck disable=SC1091
+. ./env
+
+if [ -d /mnt/disks/data/compose/secrets ]; then
+  exit 0
+fi
+
+bash rotate-keys.sh \
+    "$GCP_INSTANCE_NAME@$GCP_PROJECT.iam.gserviceaccount.com" \
+    "$GCP_PROJECT" \
+    /mnt/disks/data/compose/secrets/GOOGLE_APPLICATION_CREDENTIALS
+
+popd