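#cloud-config
# Boot-time configuration for a Forseti real-time enforcer VM.
# This file is a template: ${enforcer_bucket}, ${project_id} and
# ${subscription_name} are substituted before cloud-init reads it.
#
# Three systemd units each run one container, chained via Wants=/After=:
#   opa-policy  -> one-shot copy of gs://${enforcer_bucket}/policy to /var/lib/opa
#   opa-server  -> OPA serving that policy tree (port 8181 inside the container)
#   enforcer    -> Forseti real-time enforcer, queries opa-server over a legacy --link
#
# NOTE(review): all three images are referenced by mutable tag (implicit
# :latest). Pin each to an explicit version tag or sha256 digest so that a new
# upstream push cannot silently change what runs on the enforcer host.

# Host users whose uids match the -u values the containers are started with
# (2000 / 2001), so files on the bind-mounted host paths have a named,
# unprivileged owner instead of an anonymous uid.
users:
  - name: opa
    uid: 2000
  - name: enforcer
    uid: 2001

write_files:
  # One-shot policy sync. No credentials are passed to the gsutil container,
  # so it presumably authenticates as the instance service account via the
  # metadata server -- confirm that account has only read access to the bucket.
  - path: /etc/systemd/system/opa-policy.service
    permissions: '0644'  # quoted: a bare 0644 is read as the octal int 420 by YAML 1.1 loaders
    owner: root
    content: |
      [Unit]
      Description=OPA policy synchronization
      Wants=docker.service
      After=network.target docker.service
      [Service]
      Type=oneshot
      RemainAfterExit=yes
      ExecStartPre=/bin/mkdir -p /var/lib/opa
      ExecStart=/usr/bin/docker run --rm \
        --mount type=bind,source=/var/lib/opa,target=/media/opa \
        gcr.io/cloud-builders/gsutil \
        cp -r gs://${enforcer_bucket}/policy /media/opa/

  # Long-running OPA server. Runs as uid 2000 with the synced policy tree
  # mounted read-only: OPA only reads policy from this path, and the host copy
  # must not be writable from inside the container.
  - path: /etc/systemd/system/opa-server.service
    permissions: '0644'
    owner: root
    content: |
      [Unit]
      Description=OPA server for Forseti real time enforcer
      # NOTE(review): Wants= lets this unit start even when opa-policy failed,
      # so OPA would come up serving an empty policy directory. Consider
      # Requires=opa-policy.service if the enforcer must fail closed.
      Wants=opa-policy.service docker.service
      After=network.target opa-policy.service
      StartLimitInterval=120
      StartLimitBurst=5
      [Service]
      ExecStartPre=/bin/mkdir -p /var/lib/opa
      # Leading "-": tolerate the container not existing from a previous run.
      ExecStartPre=-/usr/bin/docker rm opa-server
      ExecStart=/usr/bin/docker run --tty -u 2000 --name=opa-server \
        -v /var/lib/opa/policy:/opt/opa/policy:ro \
        openpolicyagent/opa \
        run --server /opt/opa/policy
      ExecStopPost=-/usr/bin/docker stop opa-server
      ExecStopPost=-/usr/bin/docker rm opa-server
      Restart=always
      RestartSec=5

  # The enforcer itself. It reaches OPA by container name over a legacy
  # --link; the OPA port is never published to the host, so the plain-HTTP
  # OPA_URL stays on the local Docker bridge. ENFORCE=true presumably switches
  # the enforcer from report-only to remediation -- verify against the image docs.
  - path: /etc/systemd/system/enforcer.service
    permissions: '0644'
    owner: root
    content: |
      [Unit]
      Description=Forseti real time policy enforcer
      Wants=opa-server.service docker.service
      After=opa-server.service docker.service
      StartLimitInterval=120
      StartLimitBurst=5
      [Install]
      WantedBy=multi-user.target
      [Service]
      ExecStart=/usr/bin/docker run --tty --rm -u 2001 --name=enforcer --link=opa-server \
        -e PROJECT_ID=${project_id} \
        -e SUBSCRIPTION_NAME="${subscription_name}" \
        -e OPA_URL="http://opa-server:8181/v1/data" \
        -e ENFORCE=true \
        -e STACKDRIVER_LOGGING=true \
        forsetisecurity/real-time-enforcer
      ExecStopPost=-/usr/bin/docker stop enforcer
      ExecStopPost=-/usr/bin/docker rm enforcer
      Restart=always
      RestartSec=5

# Only enforcer.service is enabled; opa-server and, through it, opa-policy are
# pulled in by the Wants= chain above.
runcmd:
  - systemctl daemon-reload
  - systemctl enable enforcer.service
  - systemctl start enforcer.service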