google-deployment-manager

How can I specify to block project-wide SSH keys in Cloud Deployment Manager?


I would like to create an instance of WURFL Microservice Basic from the GCP Marketplace; however, I'd like to do that programmatically so that I can reproduce it if required.

I downloaded the deployment zip file from the above linked page

and unzipped it onto my machine, so here I have the code for creating the WURFL solution:


The file test_config.yaml contains pertinent information about my deployment, I changed the serviceAccount, zone, network, subnetwork and externalIP properties to the values that I need them to have:

imports:
- path: wurfl-microservice-basic.jinja

resources:
- name: wurfl-microservice-basic
  type: wurfl-microservice-basic.jinja
  properties:
    zone: europe-west2-a
    network:
      - sharedresources
    subnetwork:
      - eu-west2
    externalIP:
      - NONE
    serviceAccount: wurflrunner@XXXXX.iam.gserviceaccount.com

I deploy by issuing:

gcloud deployment-manager deployments create \
  wurfl \
  --project xxxxxxx \
  --config test_config.yaml

In order to allow specification of the serviceAccount I had to make some changes to the deployment package.

I added a serviceAccount property to the properties in wurfl-microservice-basic.jinja.schema

properties:
  serviceAccount:
    type: string
    default: stop@gocreateaservieaccount.com
  zone:
    type: string
    x-googleProperty:
      type: GCE_ZONE
  machineType:
    type: string
    default: e2-small
    x-googleProperty:
      type: GCE_MACHINE_TYPE
      zoneProperty: zone
      gceMachineType:
        minCpu: 2
        minRamGb: 1.9990234375
  network:
    type: array
    default: [default]
    minItems: 1
    maxItems: 1
    x-googleProperty:
      type: GCE_NETWORK
      gceNetwork:
        allowSharedVpcs: True
        machineTypeProperty: machineType
  subnetwork:
    type: array
    minItems: 1
    maxItems: 1
    x-googleProperty:
      type: GCE_SUBNETWORK
      zoneProperty: zone
      gceSubnetwork:
        networkProperty: network
  externalIP:
    type: array
    default: [EPHEMERAL]
    minItems: 1
    maxItems: 1
    x-googleProperty:
      type: GCE_EXTERNAL_IP
      gceExternalIp:
        networkProperty: network
        notConfigurable: False
        allowStaticIps: True
  bootDiskType:
    type: string
    default: pd-ssd
    x-googleProperty:
      type: GCE_DISK_TYPE
      zoneProperty: zone
  bootDiskSizeGb:
    type: integer
    default: 20
    minimum: 20
    maximum: 10000
    x-googleProperty:
      type: GCE_DISK_SIZE
      gceDiskSize:
        diskTypeProperty: bootDiskType

In wurfl-microservice-basic.jinja I've added:

{% set serviceAccount = properties["serviceAccount"] %}

and changed:

      serviceAccounts:
        - email: default
          scopes:
            - 'https://www.googleapis.com/auth/cloud.useraccounts.readonly'
            - 'https://www.googleapis.com/auth/devstorage.read_only'
            - 'https://www.googleapis.com/auth/logging.write'
            - 'https://www.googleapis.com/auth/monitoring.write'

to

      serviceAccounts:
        - email: {{ serviceAccount }}
          scopes:
            - 'https://www.googleapis.com/auth/cloud.useraccounts.readonly'
            - 'https://www.googleapis.com/auth/devstorage.read_only'
            - 'https://www.googleapis.com/auth/logging.write'
            - 'https://www.googleapis.com/auth/monitoring.write'

This caused the package to get created successfully. The VM that gets created allows project-wide SSH keys:


I have been informed that that is against company policy; "Block project-wide SSH keys" needs to be on (i.e. checked).

When I made the changes to allow the serviceAccount to be specified it was relatively easy to do, because serviceAccount already existed in wurfl-microservice-basic.jinja; however, the same is not true of the "Block project-wide SSH keys" setting.

Please can someone tell me what changes I need to make to the downloaded deployment package in order to turn on "Block project-wide SSH keys"?


Solution

  • Figured it out. It's part of the metadata of the instance. I changed it in my Cloud Deployment Manager package in vm_instance.py by changing

    def SetMetadataDefaults(metadata):
      """Set default metadata items."""
      # Disable stackdriver monitoring by default.
      items = metadata.setdefault('items', list())
      if not [True for x in items
              if x.get('key', None) == 'google-monitoring-enable']:
        items.append({'key': 'google-monitoring-enable',
                      'value': '0'})
      if not [True for x in items
              if x.get('key', None) == 'google-logging-enable']:
        items.append({'key': 'google-logging-enable',
                      'value': '0'})
    

    to

    def SetMetadataDefaults(metadata):
      """Set default metadata items."""
      # Disable stackdriver monitoring by default.
      items = metadata.setdefault('items', list())
      if not [True for x in items
              if x.get('key', None) == 'google-monitoring-enable']:
        items.append({'key': 'google-monitoring-enable',
                      'value': '0'})
      if not [True for x in items
              if x.get('key', None) == 'google-logging-enable']:
        items.append({'key': 'google-logging-enable',
                      'value': '0'})
      if not [True for x in items
              if x.get('key', None) == 'block-project-ssh-keys']:
        items.append({'key': 'block-project-ssh-keys',
                      'value': 'TRUE'})
    

    This was the result (the original answer shows a screenshot here).
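The pattern the answer relies on is "append a metadata item only if no item with that key is already present". The following is an added example, not code from the question, the answer, the WURFL package or Google's templates: it generalises that pattern to a table of required items and adds an audit helper that checks a rendered `compute.v1.instance` resource for `block-project-ssh-keys`. The `REQUIRED_METADATA` table, the `make_instance` sample resource and the case-insensitive comparison of the value are assumptions made for the example.

```python
"""Added example (not from the original post or the WURFL deployment package).

Generalises SetMetadataDefaults from vm_instance.py to a table of required
metadata items, and adds an audit that reports instance resources which still
allow project-wide SSH keys.

Assumptions: REQUIRED_METADATA is a constructed table; resources follow the
Deployment Manager compute.v1.instance layout, with properties.metadata.items
as a list of {key, value} dicts; the value is compared case-insensitively.
"""

# Constructed table. The monitoring/logging keys are the ones the original
# vm_instance.py sets; block-project-ssh-keys is the item the answer adds.
REQUIRED_METADATA = {
    'google-monitoring-enable': '0',
    'google-logging-enable': '0',
    'block-project-ssh-keys': 'TRUE',
}


def set_metadata_defaults(metadata, required=REQUIRED_METADATA):
    """Append each required item unless an item with that key already exists.

    Same semantics as SetMetadataDefaults in the answer: a key the caller
    already supplied is left untouched, so an explicit value in the template
    or config wins over the default.
    """
    items = metadata.setdefault('items', [])
    present = {item.get('key') for item in items}
    for key, value in required.items():
        if key not in present:
            items.append({'key': key, 'value': value})
    return metadata


def get_metadata_value(resource, key):
    """Return the value of a metadata item on an instance resource, or None."""
    items = resource.get('properties', {}).get('metadata', {}).get('items', [])
    for item in items:
        if item.get('key') == key:
            return item.get('value')
    return None


def project_ssh_keys_blocked(resource):
    """True only if the instance carries block-project-ssh-keys set to TRUE.

    Assumption: case-insensitive match, so 'TRUE' (as in the answer) and
    'true' are both accepted; a missing item means project keys are allowed.
    """
    value = get_metadata_value(resource, 'block-project-ssh-keys')
    return value is not None and str(value).strip().lower() == 'true'


def audit_instances(resources):
    """Names of compute.v1.instance resources that still allow project-wide keys."""
    offenders = []
    for res in resources:
        if res.get('type') != 'compute.v1.instance':
            continue
        if not project_ssh_keys_blocked(res):
            offenders.append(res.get('name'))
    return offenders


def make_instance(name, metadata_items):
    """Constructed sample: a minimal Deployment Manager instance resource."""
    return {
        'name': name,
        'type': 'compute.v1.instance',
        'properties': {
            'zone': 'europe-west2-a',
            'metadata': {'items': list(metadata_items)},
        },
    }


if __name__ == '__main__':
    before = make_instance('wurfl-vm', [])
    after = make_instance('wurfl-vm', [])
    set_metadata_defaults(after['properties']['metadata'])
    print('allows project keys before defaults:', audit_instances([before]))  # ['wurfl-vm']
    print('allows project keys after defaults: ', audit_instances([after]))   # []
```

One caveat worth knowing when relying on this pattern: the default is only appended when the key is absent, so a template or config that already sets `block-project-ssh-keys` to `FALSE` keeps that value. If company policy requires the block unconditionally, run the audit over the expanded configuration (for example `gcloud deployment-manager deployments describe` output) rather than trusting the default alone.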