Add role to create GCP instance. Add new line at end of file.

Signed-off-by: Avery Blanchard <[email protected]>

keylime-ansible-gcp/README.md

@@ -1,7 +1,5 @@
 # Ansible Keylime for Google Cloud
-Ansible role to deploy [Keylime](https://github.com/keylime/keylime) with the [rust agent](https://github.com/keylime/rust-keylime) against a Virtualized TPM.
-
-This role is currently configured to work with a Fedora 35 instance on Google Cloud with the vTPM enabled. 
+Ansible role to deploy a Fedora 35 instance on the Google Cloud Platform with [Keylime](https://github.com/keylime/keylime) and the [rust agent](https://github.com/keylime/rust-keylime) against a Virtualized TPM.
 
 Contributions are welcome, should anyone wish to have this role provision other Linux distributions.
 
@@ -10,11 +8,29 @@ For details on using Keylime, please consult the
 
 For details on the Rust agent, please consult the [repository](https://github.com/keylime/rust-keylime).
 
+## Configuration
+1.  Install dependecies for the Ansible - GCP module 
+`$ pip3 install requests google-auth`
+2. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use.
+3. [Create and download keys linked to this service account](https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts&zippy=%2Cservice-accounts)
+4. Add path to ssh key to ansible config (/etc/ansible/ansible.conf) \
+Note: the ssh private key is in the downloaded file. Extract it, place it in its own file, set adequate permissions, and add the path to this newly created file to the ansible config. \
+Example:\
+[defaults] \
+private_key_file = /home/user/my_key
+
+5. Set environment variables \
+`$ export GCP_PROJECT="<name of GCP project>"` \
+`$ export GCP_CRED_KIND="serviceaccount"`\
+`$ export GCP_CRED_FILE="<path to your service account key file>"` \
+`$ export GCP_ZONE="<zone for GCP instance>"` \
+`$ export GCP_REGION="<region for GCP instance>"` 
+
 ## Usage
-Run the playbook against your target remote host(s). Note: the hosts must have the vTPM enabled in the Google Cloud Console. 
+Run the playbook to create and set up an instance. 
 
 ```bash
-ansible-playbook -i your_hosts playbook.yml
+ansible-playbook playbook.yml
 ```
 ## Getting started with Keylime 
 The best way to get started is to read the [Keylime

keylime-ansible-gcp/playbook.yml

@@ -1,5 +1,20 @@
 ---
-- hosts: all
+- hosts: localhost 
+  roles: 
+    - create-gcp
+  gather_facts: no
+  connection: local
+  vars:
+    - gcp_project: "{{ lookup('ansible.builtin.env','GCP_PROJECT') }}"
+    - gcp_cred_kind: "{{ lookup('ansible.builtin.env','GCP_CRED_KIND') }}"
+    - gcp_cred_file: "{{ lookup('ansible.builtin.env','GCP_CRED_FILE') }}"
+    - zone: "{{ lookup('ansible.builtin.env','GCP_ZONE') }}"
+    - region: "{{ lookup('ansible.builtin.env','GCP_REGION') }}"
+  post_tasks:
+    - name: Wait to SSH into instance
+      wait_for: delay=5 sleep=5 host={{ address.address }} port=22 state=started timeout=100
+
+- hosts: gcp_instance
   become: true
   become_user: root
   pre_tasks:
@@ -19,4 +34,4 @@
         name: libselinux-python3
         state: present
   roles:
-    - keylime-gcp
+    - keylime-gcp    

keylime-ansible-gcp/roles/create-gcp/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for ansible-keylime

keylime-ansible-gcp/roles/create-gcp/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+# handlers file for ansible-keylime
+#- name: restart apache
+#  command: service https restart
+#  args:
+#    warn: no

keylime-ansible-gcp/roles/create-gcp/meta/main.yml

@@ -0,0 +1,12 @@
+---
+galaxy_info:
+  author: Avery Blanchard
+  description: Keylime GCP
+  company: Red Hat
+  min_ansible_version: 2.9
+  platforms:
+    - name: Fedora
+      versions:
+        - 35
+  galaxy_tags: []
+dependencies: []

keylime-ansible-gcp/roles/create-gcp/tasks/gcp.yml

@@ -0,0 +1,67 @@
+- name: Create disk mapped from Fedora image
+  google.cloud.gcp_compute_disk:
+    name: disk-instance
+    size_gb: 50
+    source_image: /projects/fedora-cloud/global/images/fedora-cloud-base-gcp-35-1-2-x86-64
+    zone: "{{ zone }}"
+    project: "{{ gcp_project }}"
+    auth_kind: "{{ gcp_cred_kind }}"
+    service_account_file: "{{ gcp_cred_file }}"
+    scopes:
+      - https://www.googleapis.com/auth/compute
+    state: present
+  register: disk
+
+- name: Create IPv4 public instance address 
+  google.cloud.gcp_compute_address:
+    name: address-instance
+    region: "{{ region }}"
+    project: "{{ gcp_project }}"
+    auth_kind: "{{ gcp_cred_kind }}"
+    service_account_file: "{{ gcp_cred_file }}"
+    scopes:
+      - https://www.googleapis.com/auth/compute
+    state: present
+  register: address
+
+- name: Create the Fedora instance
+  google.cloud.gcp_compute_instance:
+    name: test
+    machine_type: e2-medium
+    disks:
+    - auto_delete: 'true'
+      boot: 'true'
+      source: "{{ disk }}"
+    shielded_instance_config:
+      enable_integrity_monitoring: 'no'
+      enable_secure_boot: 'no'
+      enable_vtpm: 'yes'
+    network_interfaces:
+    - network: null
+      access_configs:
+      - name: External NAT
+        nat_ip: "{{ address }}"
+        type: ONE_TO_ONE_NAT
+    zone: "{{ zone }}"
+    project: "{{ gcp_project }}"
+    auth_kind: "{{ gcp_cred_kind }}"
+    service_account_file: "{{ gcp_cred_file }}"
+    service_accounts:
+    - email: '[email protected]'
+      scopes: 
+        - https://www.googleapis.com/auth/devstorage.read_only
+        - https://www.googleapis.com/auth/logging.write
+        - https://www.googleapis.com/auth/monitoring.write
+        - https://www.googleapis.com/auth/service.management.readonly
+        - https://www.googleapis.com/auth/servicecontrol
+        - https://www.googleapis.com/auth/trace.append
+    state: present
+
+- name: Add new GCP instance to hosts
+  add_host: 
+    hostname: "{{ address.address }}"
+    groups: gcp_instance
+
+- name: Show instance details
+  debug:
+    msg: "New GCP instance accessible at {{ address.address }}."  

keylime-ansible-gcp/roles/create-gcp/tasks/main.yml

@@ -0,0 +1 @@
+- include: gcp.yml

keylime-ansible-gcp/roles/create-gcp/vars/main.yml

@@ -0,0 +1,4 @@
+---
+# Section for vars
+shell_profiles:
+  - .bash_profile  

keylime-ansible-gcp/roles/keylime-gcp/tasks/keylime.yml

@@ -36,4 +36,4 @@
     path: /etc/keylime.conf
     regexp: '^tpm_hash_alg'
     line: tpm_hash_alg = sha256
-  changed_when: false
+  changed_when: false  

keylime-ansible-gcp/roles/keylime-gcp/tasks/main.yml

@@ -2,4 +2,4 @@
 - include: git-repos.yml
 - include: keylime.yml
 - include: rust-install.yml
-- include: rust-keylime.yml
+- include: rust-keylime.yml

keylime-ansible-gcp/roles/keylime-gcp/tasks/packages.yml

@@ -71,5 +71,6 @@
         - openssl-devel 
         - zeromq-devel
         - libarchive-devel 
+        - cargo
 
-      state: latest
+      state: latest      

keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-install.yml

@@ -6,4 +6,4 @@
   shell: "source $HOME/.cargo/env"
   args:
     chdir: /root/
-  changed_when: false
+  changed_when: false  

keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-keylime.yml

@@ -4,6 +4,12 @@
     chdir: /root/rust-keylime
   changed_when: false
 
+- name: Run Cargo build
+  shell: "cargo build"
+  args:
+    chdir: /root/rust-keylime
+  changed_when: false
+
 - name: Set TPM2TOOLS_TCTI environment variable
   lineinfile:
     dest: /etc/environment

keylime-ansible-gcp/roles/keylime-gcp/vars/main.yml

@@ -45,4 +45,4 @@ cargo_packages:
 # Kernel resource manager
 os_environment:
   - key: TPM2TOOLS_TCTI
-    value : "device:/dev/tpmrm0"
+    value : "device:/dev/tpmrm0"    

keylime-ansible-gcp/tests/inventory

@@ -1,2 +1 @@
 localhost
-