feat: add org policies to confidential computing example

examples/confidential_computing/README.md

@@ -2,7 +2,10 @@
 
 This is an example of a vm creation with confidential computing,
 encrypted disk using a multiregion (US by default) Cloud HSM key
-and a custom service account with cloud-platform scope.
+and a custom service account with cloud-platform scope. It also
+creates org policies enforcing the use of CMEK encrypted instances
+and confidential computing to all newly created VMs within the project.
+Note: existing VM instances won't be affected by the new org policy.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs

examples/confidential_computing/org_policies.tf

@@ -0,0 +1,39 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "confidential-computing-org-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.1"
+
+  project_id       = var.project_id
+  policy_for       = "project"
+  constraint       = "constraints/compute.restrictNonConfidentialComputing"
+  policy_type      = "list"
+  deny             = ["compute.googleapis.com"]
+  deny_list_length = 1
+}
+
+module "enforce-cmek-org-policy" {
+  source  = "terraform-google-modules/org-policy/google"
+  version = "~> 5.3"
+
+  project_id       = var.project_id
+  policy_for       = "project"
+  constraint       = "constraints/gcp.restrictNonCmekServices"
+  policy_type      = "list"
+  deny             = ["compute.googleapis.com"]
+  deny_list_length = 1
+}

test/integration/confidential_compute_instance/confidential_compute_instance_test.go

@@ -49,6 +49,17 @@ func TestConfidentialInstanceTemplate(t *testing.T) {
 		assert.Len(disks, 1)
 		defaultSuffix := confCompInst.GetStringOutput("suffix")
 		assert.Equal(fmt.Sprintf("projects/%s/locations/us/keyRings/key-ring-test-%s/cryptoKeys/key-test-%s/cryptoKeyVersions/1", projectId, defaultSuffix, defaultSuffix), disks[0].Get("diskEncryptionKey").Get("kmsKeyName").String())
+
+		org_policy_cmek_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/gcp.restrictNonCmekServices'", projectId).Array()
+		assert.Len(org_policy_cmek_constraint, 1)
+		cmek_denied_values_list := org_policy_cmek_constraint[0].Get("listPolicy.deniedValues").Array()
+		assert.Len(cmek_denied_values_list, 1)
+		assert.Equal("compute.googleapis.com", cmek_denied_values_list[0].String())
+		org_policy_confidential_constraint := gcloud.Runf(t, "resource-manager org-policies list --project=%s --format=json --filter constraint='constraints/compute.restrictNonConfidentialComputing'", projectId).Array()
+		assert.Len(org_policy_confidential_constraint, 1)
+		cc_denied_values_list := org_policy_confidential_constraint[0].Get("listPolicy.deniedValues").Array()
+		assert.Len(cc_denied_values_list, 1)
+		assert.Equal("compute.googleapis.com", cc_denied_values_list[0].String())
 	})
 	confCompInst.Test()
 }

test/setup/iam.tf

@@ -38,6 +38,12 @@ resource "google_project_iam_member" "ci_vm_account" {
   member  = "serviceAccount:${google_service_account.ci_vm_account.email}"
 }
 
+resource "google_organization_iam_member" "ci_vm_account_organization" {
+  org_id = var.org_id
+  role   = "roles/orgpolicy.policyAdmin"
+  member = "serviceAccount:${google_service_account.ci_vm_account.email}"
+}
+
 resource "google_service_account_key" "ci_vm_account" {
   service_account_id = google_service_account.ci_vm_account.id
 }