@dstecholution
Created July 18, 2022 16:04
╷
│ Error: Saved plan is stale
│
│ The given plan file can no longer be applied because the state was changed
│ by another operation after the plan was created.
╵
Interrupt received.
Please wait for Terraform to exit or data loss may occur.
Gracefully shutting down...
╷
│ Error: Failed to load plugin schemas
│
│ Error while loading schemas for plugin components: Failed to obtain
│ provider schema: Could not load the schema for provider
│ registry.terraform.io/hashicorp/helm: failed to instantiate provider
│ "registry.terraform.io/hashicorp/helm" to obtain schema: Unrecognized
│ remote plugin message:
│
│ This usually means that the plugin is either invalid or simply
│ needs to be recompiled to support the latest protocol...
╵
╷
│ Error: Saved plan is stale
│
│ The given plan file can no longer be applied because the state was changed
│ by another operation after the plan was created.
╵
Initializing modules...
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/tls from the dependency lock file
- Reusing previous version of hashicorp/http from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/kubernetes from the dependency lock file
- Reusing previous version of hashicorp/helm from the dependency lock file
- Reusing previous version of hashicorp/template from the dependency lock file
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/null from the dependency lock file
- Reusing previous version of hashicorp/google from the dependency lock file
- Using previously-installed hashicorp/http v1.2.0
- Using previously-installed hashicorp/google v3.90.1
- Using previously-installed hashicorp/null v2.1.2
- Using previously-installed hashicorp/tls v2.2.0
- Using previously-installed hashicorp/random v2.3.1
- Using previously-installed hashicorp/kubernetes v1.13.4
- Using previously-installed hashicorp/helm v0.10.6
- Using previously-installed hashicorp/template v2.2.0
- Using previously-installed hashicorp/google-beta v3.90.1
- Using previously-installed hashicorp/local v1.4.0
Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
null_resource.org_id_and_folder_id_are_both_empty[0]: Refreshing state... [id=1754796495663566536]
module.cloudsql.random_password.password: Refreshing state... [id=none]
module.server.random_integer.random_minute: Refreshing state... [id=37]
random_id.random_hash_suffix: Refreshing state... [id=30xwRw]
google_project_service.main[0]: Refreshing state... [id=gcp-wen-automation-prod/admin.googleapis.com]
google_project_service.main[2]: Refreshing state... [id=gcp-wen-automation-prod/bigquery.googleapis.com]
google_project_service.main[13]: Refreshing state... [id=gcp-wen-automation-prod/cloudasset.googleapis.com]
google_project_service.main[7]: Refreshing state... [id=gcp-wen-automation-prod/compute.googleapis.com]
google_project_service.main[16]: Refreshing state... [id=gcp-wen-automation-prod/spanner.googleapis.com]
google_project_service.main[12]: Refreshing state... [id=gcp-wen-automation-prod/logging.googleapis.com]
google_project_service.main[3]: Refreshing state... [id=gcp-wen-automation-prod/cloudbilling.googleapis.com]
google_project_service.main[10]: Refreshing state... [id=gcp-wen-automation-prod/servicemanagement.googleapis.com]
module.server_iam.google_service_account.forseti_server[0]: Refreshing state... [id=projects/gcp-wen-automation-prod/serviceAccounts/forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
google_project_service.main[9]: Refreshing state... [id=gcp-wen-automation-prod/container.googleapis.com]
google_project_service.main[4]: Refreshing state... [id=gcp-wen-automation-prod/cloudresourcemanager.googleapis.com]
google_project_service.main[8]: Refreshing state... [id=gcp-wen-automation-prod/iam.googleapis.com]
module.client_iam.google_service_account.forseti_client[0]: Refreshing state... [id=projects/gcp-wen-automation-prod/serviceAccounts/forseti-client-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
google_project_service.main[11]: Refreshing state... [id=gcp-wen-automation-prod/serviceusage.googleapis.com]
google_project_service.main[1]: Refreshing state... [id=gcp-wen-automation-prod/appengine.googleapis.com]
google_project_service.main[14]: Refreshing state... [id=gcp-wen-automation-prod/storage-api.googleapis.com]
google_project_service.main[15]: Refreshing state... [id=gcp-wen-automation-prod/groupssettings.googleapis.com]
google_project_service.main[6]: Refreshing state... [id=gcp-wen-automation-prod/sqladmin.googleapis.com]
google_project_service.main[5]: Refreshing state... [id=gcp-wen-automation-prod/sql-component.googleapis.com]
module.server_iam.google_project_iam_member.server_roles[0]: Refreshing state... [id=gcp-wen-automation-prod/roles/storage.objectViewer/serviceAccount:forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
module.server_iam.google_project_iam_member.server_roles[4]: Refreshing state... [id=gcp-wen-automation-prod/roles/iam.serviceAccountTokenCreator/serviceAccount:forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
module.server_iam.google_project_iam_member.server_roles[1]: Refreshing state... [id=gcp-wen-automation-prod/roles/storage.objectCreator/serviceAccount:forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
module.server_iam.google_project_iam_member.server_roles[2]: Refreshing state... [id=gcp-wen-automation-prod/roles/cloudsql.client/serviceAccount:forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
module.server_iam.google_project_iam_member.server_roles[3]: Refreshing state... [id=gcp-wen-automation-prod/roles/logging.logWriter/serviceAccount:forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
module.client_iam.google_project_iam_member.client_roles[0]: Refreshing state... [id=gcp-wen-automation-prod/roles/storage.objectViewer/serviceAccount:forseti-client-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com]
module.server.null_resource.services-dependency: Refreshing state... [id=4697398817460134874]
module.cloudsql.null_resource.services-dependency: Refreshing state... [id=8003166442830993643]
module.client.null_resource.services-dependency[0]: Refreshing state... [id=4496603424541022172]
module.client_gcs.null_resource.services-dependency[0]: Refreshing state... [id=6855836942801070068]
module.server_gcs.null_resource.services-dependency: Refreshing state... [id=2969718538586866068]
module.client_gcs.google_storage_bucket.client_config[0]: Refreshing state... [id=forseti-client-df4c7047]
module.server_gcs.google_storage_bucket.server_config: Refreshing state... [id=forseti-server-df4c7047]
module.server_gcs.google_storage_bucket.cai_export[0]: Refreshing state... [id=forseti-cai-export-df4c7047]
module.server_rules.google_storage_bucket_object.main[11]: Refreshing state... [id=forseti-server-df4c7047-rules/iam_rules.yaml]
module.server_rules.google_storage_bucket_object.main[6]: Refreshing state... [id=forseti-server-df4c7047-rules/external_project_access_rules.yaml]
module.server_rules.google_storage_bucket_object.main[0]: Refreshing state... [id=forseti-server-df4c7047-rules/audit_logging_rules.yaml]
module.server_rules.google_storage_bucket_object.main[9]: Refreshing state... [id=forseti-server-df4c7047-rules/group_rules.yaml]
module.server_rules.google_storage_bucket_object.main[10]: Refreshing state... [id=forseti-server-df4c7047-rules/groups_settings_rules.yaml]
module.server_rules.google_storage_bucket_object.main[1]: Refreshing state... [id=forseti-server-df4c7047-rules/bigquery_rules.yaml]
module.server_rules.google_storage_bucket_object.main[16]: Refreshing state... [id=forseti-server-df4c7047-rules/kms_rules.yaml]
module.server_rules.google_storage_bucket_object.main[2]: Refreshing state... [id=forseti-server-df4c7047-rules/blacklist_rules.yaml]
module.server_rules.google_storage_bucket_object.main[8]: Refreshing state... [id=forseti-server-df4c7047-rules/forwarding_rules.yaml]
module.server_rules.google_storage_bucket_object.main[13]: Refreshing state... [id=forseti-server-df4c7047-rules/instance_network_interface_rules.yaml]
module.server_rules.google_storage_bucket_object.main[21]: Refreshing state... [id=forseti-server-df4c7047-rules/retention_rules.yaml]
module.server_rules.google_storage_bucket_object.main[22]: Refreshing state... [id=forseti-server-df4c7047-rules/role_rules.yaml]
module.server_rules.google_storage_bucket_object.main[4]: Refreshing state... [id=forseti-server-df4c7047-rules/cloudsql_rules.yaml]
module.server_rules.google_storage_bucket_object.main[15]: Refreshing state... [id=forseti-server-df4c7047-rules/ke_scanner_rules.yaml]
module.server_rules.google_storage_bucket_object.main[20]: Refreshing state... [id=forseti-server-df4c7047-rules/resource_rules.yaml]
module.server_rules.google_storage_bucket_object.main[17]: Refreshing state... [id=forseti-server-df4c7047-rules/lien_rules.yaml]
module.server_rules.google_storage_bucket_object.main[18]: Refreshing state... [id=forseti-server-df4c7047-rules/location_rules.yaml]
module.server_rules.google_storage_bucket_object.main[3]: Refreshing state... [id=forseti-server-df4c7047-rules/bucket_rules.yaml]
module.server_rules.google_storage_bucket_object.main[19]: Refreshing state... [id=forseti-server-df4c7047-rules/log_sink_rules.yaml]
module.server_rules.google_storage_bucket_object.main[14]: Refreshing state... [id=forseti-server-df4c7047-rules/ke_rules.yaml]
module.server_rules.google_storage_bucket_object.main[7]: Refreshing state... [id=forseti-server-df4c7047-rules/firewall_rules.yaml]
module.server_rules.google_storage_bucket_object.main[5]: Refreshing state... [id=forseti-server-df4c7047-rules/enabled_apis_rules.yaml]
module.server_rules.google_storage_bucket_object.main[12]: Refreshing state... [id=forseti-server-df4c7047-rules/iap_rules.yaml]
module.server_rules.google_storage_bucket_object.main[23]: Refreshing state... [id=forseti-server-df4c7047-rules/service_account_key_rules.yaml]
module.server_config.google_storage_bucket_object.forseti_server_config: Refreshing state... [id=forseti-server-df4c7047-configs/forseti_conf_server.yaml]
module.client_config.google_storage_bucket_object.forseti_client_config[0]: Refreshing state... [id=forseti-client-df4c7047-configs/forseti_conf_client.yaml]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:
 # null_resource.org_id_and_folder_id_are_both_empty[0] is tainted, so must be replaced
-/+ resource "null_resource" "org_id_and_folder_id_are_both_empty" {
~ id = "1754796495663566536" -> (known after apply)
}
 # module.client.google_compute_firewall.forseti-client-deny-all[0] will be created
 + resource "google_compute_firewall" "forseti-client-deny-all" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "forseti-client-deny-all-df4c7047"
+ network = "default"
+ priority = 200
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ source_ranges = [
+ "0.0.0.0/0",
]
+ target_service_accounts = [
+ "forseti-client-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com",
]
+ deny {
+ ports = []
+ protocol = "icmp"
}
+ deny {
+ ports = []
+ protocol = "tcp"
}
+ deny {
+ ports = []
+ protocol = "udp"
}
}
 # module.client.google_compute_firewall.forseti-client-ssh-external[0] will be created
 + resource "google_compute_firewall" "forseti-client-ssh-external" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "forseti-client-ssh-external-df4c7047"
+ network = "default"
+ priority = 100
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ source_ranges = [
+ "0.0.0.0/0",
]
+ target_service_accounts = [
+ "forseti-client-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com",
]
+ allow {
+ ports = [
+ "22",
]
+ protocol = "tcp"
}
}
 # module.client.google_compute_instance.forseti-client[0] will be created
 + resource "google_compute_instance" "forseti-client" {
+ allow_stopping_for_update = true
+ can_ip_forward = false
+ cpu_platform = (known after apply)
+ current_status = (known after apply)
+ deletion_protection = false
+ guest_accelerator = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ label_fingerprint = (known after apply)
+ machine_type = "n1-standard-2"
+ metadata_fingerprint = (known after apply)
+ metadata_startup_script = <<-EOT
#!/bin/bash
set -eu
# Env variables
USER=ubuntu
USER_HOME=/home/ubuntu
# Ubuntu update.
sudo apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
sudo apt-get update -y
sudo apt-get --assume-yes install google-cloud-sdk git unzip
# Install fluentd if necessary.
if [ -e "/usr/sbin/google-fluentd" ]; then
cd $USER_HOME
curl -sSO https://dl.google.com/cloudagents/install-logging-agent.sh
bash install-logging-agent.sh
fi
# Install Forseti Security.
cd $USER_HOME
rm -rf *forseti*
# Download Forseti source code
git clone --branch v2.25.2 --depth 1 https://github.com/forseti-security/forseti-security
cd forseti-security
# Forseti host dependencies
sudo apt-get install -y $(cat install/dependencies/apt_packages.txt | grep -v "#" | xargs)
# Forseti dependencies
python3 -m pip install -q --upgrade setuptools wheel
python3 -m pip install -q --upgrade -r requirements.txt
# Install Forseti
echo "Installing Forseti"
python3 setup.py install
# Set ownership of the forseti project to $USER
chown -R $USER $USER_HOME/forseti-security
# Store the variables in /etc/profile.d/forseti_environment.sh
# so all the users will have access to them
echo "export FORSETI_HOME=$USER_HOME/forseti-security
export FORSETI_CLIENT_CONFIG=$USER_HOME/forseti-security/configs/forseti_conf_client.yaml
forseti config reset &> /dev/null
" > /etc/profile.d/forseti_environment.sh | sudo sh
# Download client configuration from GCS
gsutil cp gs://forseti-client-df4c7047/configs/forseti_conf_client.yaml $USER_HOME/forseti-security/configs/forseti_conf_client.yaml
EOT
+ min_cpu_platform = (known after apply)
+ name = "forseti-client-vm-df4c7047"
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ tags_fingerprint = (known after apply)
+ zone = "us-central1-c"
+ boot_disk {
+ auto_delete = true
+ device_name = (known after apply)
+ disk_encryption_key_sha256 = (known after apply)
+ kms_key_self_link = (known after apply)
+ mode = "READ_WRITE"
+ source = (known after apply)
+ initialize_params {
+ image = "ubuntu-os-cloud/ubuntu-1804-lts"
+ labels = (known after apply)
+ size = (known after apply)
+ type = (known after apply)
}
}
+ confidential_instance_config {
+ enable_confidential_compute = (known after apply)
}
+ network_interface {
+ ipv6_access_type = (known after apply)
+ name = (known after apply)
+ network = (known after apply)
+ network_ip = (known after apply)
+ stack_type = (known after apply)
+ subnetwork = "default"
+ subnetwork_project = "gcp-wen-automation-prod"
+ access_config {
+ nat_ip = (known after apply)
+ network_tier = (known after apply)
}
}
+ reservation_affinity {
+ type = (known after apply)
+ specific_reservation {
+ key = (known after apply)
+ values = (known after apply)
}
}
+ scheduling {
+ automatic_restart = (known after apply)
+ min_node_cpus = (known after apply)
+ on_host_maintenance = (known after apply)
+ preemptible = (known after apply)
+ node_affinities {
+ key = (known after apply)
+ operator = (known after apply)
+ values = (known after apply)
}
}
+ service_account {
+ email = "forseti-client-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
]
}
}
 # module.cloudsql.google_sql_database.forseti-db will be created
 + resource "google_sql_database" "forseti-db" {
+ charset = (known after apply)
+ collation = (known after apply)
+ id = (known after apply)
+ instance = "forseti-server-db-df4c7047"
+ name = "forseti_security"
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
}
 # module.cloudsql.google_sql_database_instance.master will be created
 + resource "google_sql_database_instance" "master" {
+ connection_name = (known after apply)
+ database_version = "MYSQL_5_7"
+ deletion_protection = true
+ first_ip_address = (known after apply)
+ id = (known after apply)
+ ip_address = (known after apply)
+ master_instance_name = (known after apply)
+ name = "forseti-server-db-df4c7047"
+ private_ip_address = (known after apply)
+ project = "gcp-wen-automation-prod"
+ public_ip_address = (known after apply)
+ region = "us-central1"
+ self_link = (known after apply)
+ server_ca_cert = (known after apply)
+ service_account_email_address = (known after apply)
+ replica_configuration {
+ ca_certificate = (known after apply)
+ client_certificate = (known after apply)
+ client_key = (known after apply)
+ connect_retry_interval = (known after apply)
+ dump_file_path = (known after apply)
+ failover_target = (known after apply)
+ master_heartbeat_period = (known after apply)
+ password = (sensitive value)
+ ssl_cipher = (known after apply)
+ username = (known after apply)
+ verify_server_certificate = (known after apply)
}
+ settings {
+ activation_policy = "ALWAYS"
+ authorized_gae_applications = (known after apply)
+ availability_type = (known after apply)
+ crash_safe_replication = (known after apply)
+ disk_autoresize = true
+ disk_autoresize_limit = 0
+ disk_size = 25
+ disk_type = (known after apply)
+ pricing_plan = "PER_USE"
+ replication_type = (known after apply)
+ tier = "db-n1-standard-4"
+ user_labels = (known after apply)
+ version = (known after apply)
+ backup_configuration {
+ binary_log_enabled = true
+ enabled = true
+ start_time = (known after apply)
+ transaction_log_retention_days = (known after apply)
+ backup_retention_settings {
+ retained_backups = (known after apply)
+ retention_unit = (known after apply)
}
}
+ database_flags {
+ name = "net_write_timeout"
+ value = "240"
}
+ ip_configuration {
+ ipv4_enabled = true
+ require_ssl = true
}
+ location_preference {
+ zone = "us-central1-c"
}
}
}
 # module.cloudsql.google_sql_user.forseti_user will be created
 + resource "google_sql_user" "forseti_user" {
+ host = "%"
+ id = (known after apply)
+ instance = "forseti-server-db-df4c7047"
+ name = "forseti_security_user"
+ password = (sensitive value)
+ project = "gcp-wen-automation-prod"
}
 # module.server.google_compute_firewall.forseti-server-allow-grpc[0] will be created
 + resource "google_compute_firewall" "forseti-server-allow-grpc" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "forseti-server-allow-grpc-df4c7047"
+ network = "default"
+ priority = 100
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ source_ranges = [
+ "10.128.0.0/9",
]
+ source_service_accounts = [
+ "forseti-client-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com",
]
+ target_service_accounts = [
+ "forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com",
]
+ allow {
+ ports = [
+ "50051",
+ "50052",
]
+ protocol = "tcp"
}
}
 # module.server.google_compute_firewall.forseti-server-deny-all[0] will be created
 + resource "google_compute_firewall" "forseti-server-deny-all" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "forseti-server-deny-all-df4c7047"
+ network = "default"
+ priority = 200
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ source_ranges = [
+ "0.0.0.0/0",
]
+ target_service_accounts = [
+ "forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com",
]
+ deny {
+ ports = []
+ protocol = "icmp"
}
+ deny {
+ ports = []
+ protocol = "tcp"
}
+ deny {
+ ports = []
+ protocol = "udp"
}
}
 # module.server.google_compute_firewall.forseti-server-ssh-external[0] will be created
 + resource "google_compute_firewall" "forseti-server-ssh-external" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "forseti-server-ssh-external-df4c7047"
+ network = "default"
+ priority = 100
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ source_ranges = [
+ "0.0.0.0/0",
]
+ target_service_accounts = [
+ "forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com",
]
+ allow {
+ ports = [
+ "22",
]
+ protocol = "tcp"
}
}
 # module.server.google_compute_instance.forseti-server will be created
 + resource "google_compute_instance" "forseti-server" {
+ allow_stopping_for_update = true
+ can_ip_forward = false
+ cpu_platform = (known after apply)
+ current_status = (known after apply)
+ deletion_protection = false
+ guest_accelerator = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ label_fingerprint = (known after apply)
+ machine_type = "n1-standard-8"
+ metadata_fingerprint = (known after apply)
+ metadata_startup_script = <<-EOT
#!/bin/bash
set -eu
# Env variables
USER=ubuntu
USER_HOME=/home/ubuntu
INTERNET_CONNECTION="$(ping -q -w1 -c1 google.com &>/dev/null && echo online || echo offline)"
# Log status of internet connection
if [ $INTERNET_CONNECTION == "offline" ]; then
echo "Forseti Startup - A connection to the internet was not detected."
fi
# forseti_conf_server digest: mmtM4+tiN9Pz9OMNVXBrtIL3K8D+Ko316leZryOvMMM=
# This digest is included in the startup script to rebuild the Forseti server VM
# whenever the server configuration changes.
# Ubuntu update.
echo "Forseti Startup - Updating Ubuntu."
sudo apt-get update -y
sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
sudo apt-get update -y
sudo apt-get --assume-yes install google-cloud-sdk git unzip
if ! [ -e "/usr/sbin/google-fluentd" ]; then
echo "Forseti Startup - Installing GCP Logging agent."
cd $USER_HOME
curl -sSO https://dl.google.com/cloudagents/install-logging-agent.sh
bash install-logging-agent.sh
fi
# Check whether Cloud SQL proxy is installed.
if [ -z "$(which cloud_sql_proxy)" ]; then
echo "Forseti Startup - Installing GCP Cloud SQL Proxy."
cd $USER_HOME
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64
sudo mv cloud_sql_proxy.linux.amd64 /usr/local/bin/cloud_sql_proxy
chmod +x /usr/local/bin/cloud_sql_proxy
fi
# Install Forseti Security.
cd $USER_HOME
if [ $INTERNET_CONNECTION == "online" ]; then
rm -rf *forseti*
fi
# Download Forseti source code
echo "Forseti Startup - Cloning Forseti repo."
git clone --branch v2.25.2 --depth 1 https://github.com/forseti-security/forseti-security
cd forseti-security
# Forseti host dependencies
echo "Forseti Startup - Installing Forseti linux dependencies."
sudo apt-get install -y $(cat install/dependencies/apt_packages.txt | grep -v "#" | xargs)
# Forseti dependencies
echo "Forseti Startup - Installing Forseti python dependencies."
python3 -m pip install -q --upgrade setuptools wheel
python3 -m pip install -q --upgrade -r requirements.txt
# Setup Forseti logging
touch /var/log/forseti.log
chown ubuntu:root /var/log/forseti.log
cp $USER_HOME/forseti-security/configs/logging/fluentd/forseti.conf /etc/google-fluentd/config.d/forseti.conf
cp $USER_HOME/forseti-security/configs/logging/logrotate/forseti /etc/logrotate.d/forseti
chmod 644 /etc/logrotate.d/forseti
service google-fluentd restart
logrotate /etc/logrotate.conf
# Change the access level of configs/ rules/ and run_forseti.sh
chmod -R ug+rwx $USER_HOME/forseti-security/configs $USER_HOME/forseti-security/rules $USER_HOME/forseti-security/install/gcp/scripts/run_forseti.sh
# Install Forseti
echo "Forseti Startup - Installing Forseti python package."
python3 setup.py install
# Export variables required by initialize_forseti_services.sh.
export SQL_PORT=3306
export SQL_INSTANCE_CONN_STRING=gcp-wen-automation-prod:us-central1:forseti-server-db-df4c7047
export FORSETI_DB_NAME=forseti_security
export SQL_DB_USER=forseti_security_user
export SQL_DB_PASSWORD=O6amcQbMtUS6dZGC
# Export variables required by run_forseti.sh
export FORSETI_HOME=$USER_HOME/forseti-security
export FORSETI_SERVER_CONF=$USER_HOME/forseti-security/configs/forseti_conf_server.yaml
export POLICY_LIBRARY_HOME=$USER_HOME/policy-library
export POLICY_LIBRARY_SYNC_ENABLED=false
export POLICY_LIBRARY_SYNC_GIT_SYNC_TAG=v3.1.2
export POLICY_LIBRARY_REPOSITORY_BRANCH=master
export POLICY_LIBRARY_REPOSITORY_URL=
export SCANNER_BUCKET=forseti-server-df4c7047
# Store the variables in /etc/profile.d/forseti_environment.sh
# so all the users will have access to them
echo "export FORSETI_HOME=$USER_HOME/forseti-security
export FORSETI_SERVER_CONF=$USER_HOME/forseti-security/configs/forseti_conf_server.yaml
export POLICY_LIBRARY_HOME=$USER_HOME/policy-library
export POLICY_LIBRARY_SYNC_ENABLED=false
export POLICY_LIBRARY_SYNC_GIT_SYNC_TAG=v3.1.2
export POLICY_LIBRARY_REPOSITORY_BRANCH=master
export POLICY_LIBRARY_REPOSITORY_URL=
export SCANNER_BUCKET=forseti-server-df4c7047
" > /etc/profile.d/forseti_environment.sh | sudo sh
# Download server configuration from GCS
echo "Forseti Startup - Downloading Forseti configuration from GCS."
gsutil cp gs://forseti-server-df4c7047/configs/forseti_conf_server.yaml $USER_HOME/forseti-security/configs/forseti_conf_server.yaml
gsutil cp -r gs://forseti-server-df4c7047/rules $USER_HOME/forseti-security/
echo "Number of rules enabled: `ls $USER_HOME/forseti-security/rules/*.yaml &>/dev/null | wc -l`"
# Get Config Validator constraints
sudo mkdir -m 777 -p $USER_HOME/policy-library
if [ "false" == "true" ]; then
# Policy Library Sync
echo "Forseti Startup - Policy Library sync is enabled."
# Install Docker
if [ -z "$(which docker)" ]; then
echo "Forseti Startup - Installing Docker for the Policy Library sync."
sudo apt-get update
sudo apt -y install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
sudo apt update
apt-cache policy docker-ce
sudo apt install -y docker-ce
fi
# Setup local FS
# Note: gsutil is using the -n flag so that once the SSH key is copied locally, it is not overwritten for any subsequent runs of terraform
sudo mkdir -p /etc/git-secret
sudo gsutil cp -n gs://forseti-server-df4c7047/policy_library_sync/* /etc/git-secret/
else
# Download the Newest Config Validator constraints from GCS
echo "Forseti Startup - Copying Policy Library from GCS."
sudo mkdir -m 777 -p $USER_HOME/policy-library/policy-library
gsutil -m rsync -d -r gs://forseti-server-df4c7047/policy-library $USER_HOME/policy-library/policy-library || echo "No policy available, continuing with Forseti installation"
fi
# Enable cloud-profiler in the initialize_forseti_services.sh script
if false; then
pip3 install google-cloud-profiler
sed "/FORSETI_COMMAND+=\" --services/a FORSETI_COMMAND+=\" --enable_profiler\"" -i ./install/gcp/scripts/initialize_forseti_services.sh
fi
# Install mailjet_rest library
if false; then
echo "Forseti Startup - mailjet_rest library is enabled."
pip3 install mailjet_rest
fi
# Start Forseti service depends on vars defined above.
echo "Forseti Startup - Starting services."
bash ./install/gcp/scripts/initialize_forseti_services.sh
systemctl start cloudsqlproxy
if [ "false" == "true" ]; then
systemctl start policy-library-sync
sleep 5
fi
systemctl start config-validator
sleep 5
echo "Forseti Startup - Attempting to update database schema, if necessary."
python3 $USER_HOME/forseti-security/install/gcp/upgrade_tools/db_migrator.py
# Enable and start main Forseti service immediately
echo "Forseti Startup - Enabling and starting Forseti service."
systemctl enable --now forseti
echo "Forseti Startup - Success! The Forseti API server has been enabled and started."
# Increase Open File Limit
if grep -q "ubuntu soft nofile" /etc/security/limits.conf ; then
echo "Ulimit soft nofile already set."
else
echo "ubuntu soft nofile 32768" | sudo tee -a /etc/security/limits.conf
fi
if grep -q "ubuntu hard nofile" /etc/security/limits.conf ; then
echo "Ulimit hard nofile already set."
else
echo "ubuntu hard nofile 32768" | sudo tee -a /etc/security/limits.conf
fi
# Create a Forseti env script
FORSETI_ENV="$(cat << EOF
#!/bin/bash
export PATH=$PATH:/usr/local/bin
# Forseti environment variables
export FORSETI_HOME=$USER_HOME/forseti-security
export FORSETI_SERVER_CONF=$USER_HOME/forseti-security/configs/forseti_conf_server.yaml
export POLICY_LIBRARY_HOME=$USER_HOME/policy-library
export POLICY_LIBRARY_SYNC_ENABLED=false
export POLICY_LIBRARY_SYNC_GIT_SYNC_TAG=v3.1.2
export POLICY_LIBRARY_REPOSITORY_BRANCH=master
export POLICY_LIBRARY_REPOSITORY_URL=
export SCANNER_BUCKET=forseti-server-df4c7047
EOF
)"
echo "$FORSETI_ENV" > $USER_HOME/forseti_env.sh
USER=ubuntu
# Use flock to prevent rerun of the same cron job when the previous job is still running.
# If the lock file does not exist under the tmp directory, it will create the file and put a lock on top of the file.
# When the previous cron job is not finished and the new one is trying to run, it will attempt to acquire the lock
# to the lock file and fail because the file is already locked by the previous process.
# The -n flag in flock will fail the process right away when the process is not able to acquire the lock so we won't
# queue up the jobs.
# If the cron job failed the acquire lock on the process, it will log a warning message to syslog.
(echo "37 */2 * * * (/usr/bin/flock -n $USER_HOME/forseti-security/forseti_cron_runner.lock $USER_HOME/forseti-security/install/gcp/scripts/run_forseti.sh -b forseti-server-df4c7047 || echo '[forseti-security] Warning: New Forseti cron job will not be started, because previous Forseti job is still running.') 2>&1 | logger") | crontab -u $USER -
echo "Forseti Startup - Added the run_forseti.sh to crontab under user $USER."
echo "Forseti Startup - Execution of startup script finished."
EOT
+ min_cpu_platform = (known after apply)
+ name = "forseti-server-vm-df4c7047"
+ project = "gcp-wen-automation-prod"
+ self_link = (known after apply)
+ tags_fingerprint = (known after apply)
+ zone = "us-central1-c"
+ boot_disk {
+ auto_delete = true
+ device_name = (known after apply)
+ disk_encryption_key_sha256 = (known after apply)
+ kms_key_self_link = (known after apply)
+ mode = "READ_WRITE"
+ source = (known after apply)
+ initialize_params {
+ image = "ubuntu-os-cloud/ubuntu-1804-lts"
+ labels = (known after apply)
+ size = 100
+ type = "pd-ssd"
}
}
+ confidential_instance_config {
+ enable_confidential_compute = (known after apply)
}
+ network_interface {
+ ipv6_access_type = (known after apply)
+ name = (known after apply)
+ network = (known after apply)
+ network_ip = (known after apply)
+ stack_type = (known after apply)
+ subnetwork = "default"
+ subnetwork_project = "gcp-wen-automation-prod"
+ access_config {
+ nat_ip = (known after apply)
+ network_tier = (known after apply)
}
}
+ reservation_affinity {
+ type = (known after apply)
+ specific_reservation {
+ key = (known after apply)
+ values = (known after apply)
}
}
+ scheduling {
+ automatic_restart = (known after apply)
+ min_node_cpus = (known after apply)
+ on_host_maintenance = (known after apply)
+ preemptible = (known after apply)
+ node_affinities {
+ key = (known after apply)
+ operator = (known after apply)
+ values = (known after apply)
}
}
+ service_account {
+ email = "forseti-server-gcp-df4c7047@gcp-wen-automation-prod.iam.gserviceaccount.com"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
]
}
}
Plan: 11 to add, 0 to change, 1 to destroy.

Changes to Outputs:
+ forseti-client-vm-ip = (known after apply)
+ forseti-cloudsql-connection-name = (known after apply)
+ forseti-cloudsql-instance-ip = (known after apply)
+ forseti-server-vm-ip = (known after apply)
╷
│ Warning: Deprecated Attribute
│ 
│  with module.client_gcs.google_storage_bucket.client_config,
│  on modules/client_gcs/main.tf line 33, in resource "google_storage_bucket" "client_config":
│  33: bucket_policy_only = true
│ 
│ Please use the uniform_bucket_level_access as this field has been renamed
│ by Google.
│ 
│ (and 5 more similar warnings elsewhere)
╵

─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
null_resource.org_id_and_folder_id_are_both_empty[0]: Destroying... [id=1754796495663566536]
null_resource.org_id_and_folder_id_are_both_empty[0]: Destruction complete after 0s
null_resource.org_id_and_folder_id_are_both_empty[0]: Creating...
module.cloudsql.google_sql_database_instance.master: Creating...
module.client.google_compute_firewall.forseti-client-deny-all[0]: Creating...
module.client.google_compute_firewall.forseti-client-ssh-external[0]: Creating...
module.client.google_compute_instance.forseti-client[0]: Creating...
module.server.google_compute_firewall.forseti-server-deny-all[0]: Creating...
module.server.google_compute_firewall.forseti-server-ssh-external[0]: Creating...
module.server.google_compute_instance.forseti-server: Creating...
module.server.google_compute_firewall.forseti-server-allow-grpc[0]: Creating...
╷
│ Error: Invalid template interpolation value
│ 
│  on main.tf line 25, in resource "null_resource" "org_id_and_folder_id_are_both_empty":
│  25: command = "echo 'composite_root_resources=${var.composite_root_resources} org_id=${var.org_id} folder_id=${var.org_id}' >&2; false"
│  ├────────────────
│  │ var.composite_root_resources is empty list of string
│ 
│ Cannot include the given value in a string template: string required.
╵
╷
│ Error: Error creating instance: googleapi: Error 400: Invalid value for field 'resource.networkInterfaces[0].subnetwork': 'projects/gcp-wen-automation-prod/regions/us-central1/subnetworks/default'. The referenced subnetwork resource cannot be found., invalid
│ 
│  with module.client.google_compute_instance.forseti-client[0],
│  on modules/client/main.tf line 82, in resource "google_compute_instance" "forseti-client":
│  82: resource "google_compute_instance" "forseti-client" {
│ 
╵
╷
│ Error: Error creating Firewall: googleapi: Error 404: The resource 'projects/gcp-wen-automation-prod/global/networks/default' was not found, notFound
│ 
│  with module.client.google_compute_firewall.forseti-client-deny-all[0],
│  on modules/client/main.tf line 150, in resource "google_compute_firewall" "forseti-client-deny-all":
│  150: resource "google_compute_firewall" "forseti-client-deny-all" {
│ 
╵
╷
│ Error: Error creating Firewall: googleapi: Error 404: The resource 'projects/gcp-wen-automation-prod/global/networks/default' was not found, notFound
│ 
│  with module.client.google_compute_firewall.forseti-client-ssh-external[0],
│  on modules/client/main.tf line 174, in resource "google_compute_firewall" "forseti-client-ssh-external":
│  174: resource "google_compute_firewall" "forseti-client-ssh-external" {
│ 
╵
╷
│ Error: Error, failed to create instance forseti-server-db-df4c7047: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
│ 
│  with module.cloudsql.google_sql_database_instance.master,
│  on modules/cloudsql/main.tf line 64, in resource "google_sql_database_instance" "master":
│  64: resource "google_sql_database_instance" "master" {
│ 
╵
╷
│ Error: Error creating Firewall: googleapi: Error 404: The resource 'projects/gcp-wen-automation-prod/global/networks/default' was not found, notFound
│ 
│  with module.server.google_compute_firewall.forseti-server-deny-all[0],
│  on modules/server/main.tf line 119, in resource "google_compute_firewall" "forseti-server-deny-all":
│  119: resource "google_compute_firewall" "forseti-server-deny-all" {
│ 
╵
╷
│ Error: Error creating Firewall: googleapi: Error 404: The resource 'projects/gcp-wen-automation-prod/global/networks/default' was not found, notFound
│ 
│  with module.server.google_compute_firewall.forseti-server-ssh-external[0],
│  on modules/server/main.tf line 143, in resource "google_compute_firewall" "forseti-server-ssh-external":
│  143: resource "google_compute_firewall" "forseti-server-ssh-external" {
│ 
╵
╷
│ Error: Error creating Firewall: googleapi: Error 404: The resource 'projects/gcp-wen-automation-prod/global/networks/default' was not found, notFound
│ 
│  with module.server.google_compute_firewall.forseti-server-allow-grpc[0],
│  on modules/server/main.tf line 177, in resource "google_compute_firewall" "forseti-server-allow-grpc":
│  177: resource "google_compute_firewall" "forseti-server-allow-grpc" {
│ 
╵
╷
│ Error: Error creating instance: googleapi: Error 400: Invalid value for field 'resource.networkInterfaces[0].subnetwork': 'projects/gcp-wen-automation-prod/regions/us-central1/subnetworks/default'. The referenced subnetwork resource cannot be found., invalid
│ 
│  with module.server.google_compute_instance.forseti-server,
│  on modules/server/main.tf line 225, in resource "google_compute_instance" "forseti-server":
│  225: resource "google_compute_instance" "forseti-server" {
│ 
╵