Add ansible role for GCP

README.md

@@ -1,2 +1,8 @@
-# keylime-cloud-environments
-Setup instructions and scripts for running Keylime in cloud environments
+# Keylime Cloud Environments
+Setup instructions and scripts for running [Keylime](https://github.com/keylime/keylime) in cloud environments. \
+The set up for each cloud environment is located in a seperate directory. For use, follow the instructions found in their respective README. 
+
+## Keylime on Google Cloud
+Ansible role to deploy a Fedora 35 instance on the Google Cloud Platform with [Keylime](https://github.com/keylime/keylime) and the [rust agent](https://github.com/keylime/rust-keylime) against a Virtualized TPM.
+
+See the [README](https://github.com/keylime/keylime-cloud-environments/keylime-ansible-gcp/README.md) for further information on set up and usage. 

keylime-ansible-gcp/README.md

@@ -0,0 +1,45 @@
+# Ansible Keylime for Google Cloud
+Ansible role to deploy a Fedora 35 instance on the Google Cloud Platform with a Virtualized TPM.
+
+Contributions are welcome, should anyone wish to have this role provision other Linux distributions.
+
+For details on using Keylime, please consult the
+[project documentation](https://keylime-docs.readthedocs.io/en/latest/).
+
+For details on the Rust agent, please consult the [repository](https://github.com/keylime/rust-keylime).
+
+## Configuration
+1. [Install ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). \
+Note: must use Ansible 2.9+
+2. Install dependecies for the Ansible-GCP module \
+`$ pip3 install requests google-auth`
+3. [Create GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
+4. Enable Compute Engine for this project. \
+To do so, select the naivgation menu (the three bars to the left of the GCP logo), hover over "APIs & Services", click "Dashboard", select "+ ENABLE APIS AND SERVICES", search for "Compute Engine API", select and enable. 
+5. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use. 
+6. [Create and download keys linked to this service account](https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts&zippy=%2Cservice-accounts). Note: download the keys in JSON format.
+7. Create ssh key pair \
+` ssh-keygen -t rsa -f ~/.ssh/gcp_ansible_key` 
+8. Add the ssh public key to the Metadata section of Compute Engine in Google Cloud Platform. (Compute Engine>Settings>Metadata>SSH) \
+`#  cat ~/.ssh/gcp_ansible_key.pub`
+9. Add path to ssh private key to ansible config 
+   1. Create file in the current directory called `ansible.cfg` 
+   2. Indicate the path to your GCP SSH private key in this file. Example:
+```
+[defaults] 
+private_key_file = /home/.ssh/gcp_ansible_key
+```
+10. Run the script to set up the environment. 
+```
+./set_env_var.sh --help
+Warning: this script parses the GCP service account credential file for the email and project ID.
+Usage: ./set_env_var.sh <path to JSON cred file> <GCP region> <GCP zone>
+```
+## Usage
+Run the playbook to create an instance with vTPM. 
+
+```bash
+ansible-playbook create_gcp_instance.yml
+```
+## Keylime Installation 
+To deploy keylime on this new VM against the vTPM, use this [ansible-keylime role](https://github.com/keylime/ansible-keylime)

keylime-ansible-gcp/create_gcp_instance.yml

@@ -0,0 +1,76 @@
+---
+- hosts: localhost 
+  gather_facts: no
+  connection: local
+  vars:
+    - gcp_project: "{{ lookup('ansible.builtin.env','GCP_PROJECT') }}"
+    - gcp_cred_kind: "{{ lookup('ansible.builtin.env','GCP_CRED_KIND') }}"
+    - gcp_cred_file: "{{ lookup('ansible.builtin.env','GCP_CRED_FILE') }}"
+    - gcp_cred_email: "{{ lookup('ansible.builtin.env','GCP_CRED_EMAIL') }}"
+    - zone: "{{ lookup('ansible.builtin.env','GCP_ZONE') }}"
+    - region: "{{ lookup('ansible.builtin.env','GCP_REGION') }}"
+  tasks:
+    - name: Create disk mapped from Fedora image
+      google.cloud.gcp_compute_disk:
+        name: disk-instance
+        size_gb: 50
+        source_image: /projects/fedora-cloud/global/images/fedora-cloud-base-gcp-35-1-2-x86-64
+        zone: "{{ zone }}"
+        project: "{{ gcp_project }}"
+        auth_kind: "{{ gcp_cred_kind }}"
+        service_account_file: "{{ gcp_cred_file }}"
+        scopes:
+          - https://www.googleapis.com/auth/compute
+        state: present
+      register: disk
+
+    - name: Create IPv4 public instance address
+      google.cloud.gcp_compute_address:
+        name: address-instance
+        region: "{{ region }}"
+        project: "{{ gcp_project }}"
+        auth_kind: "{{ gcp_cred_kind }}"
+        service_account_file: "{{ gcp_cred_file }}"
+        scopes:
+          - https://www.googleapis.com/auth/compute
+        state: present
+      register: address
+
+    - name: Create the Fedora instance
+      google.cloud.gcp_compute_instance:
+        name: keylime
+        machine_type: e2-medium
+        disks:
+          - auto_delete: 'true'
+            boot: 'true'
+            source: "{{ disk }}"
+        shielded_instance_config:
+          enable_integrity_monitoring: 'no'
+          enable_secure_boot: 'no'
+          enable_vtpm: 'yes'
+        network_interfaces:
+        - network: null
+          access_configs:
+          - name: External NAT
+            nat_ip: "{{ address }}"
+            type: ONE_TO_ONE_NAT
+        zone: "{{ zone }}"
+        project: "{{ gcp_project }}"
+        auth_kind: "{{ gcp_cred_kind }}"
+        service_account_file: "{{ gcp_cred_file }}"
+        service_accounts:
+        - email: "{{ gcp_cred_email }}"
+          scopes:
+            - https://www.googleapis.com/auth/devstorage.read_only
+            - https://www.googleapis.com/auth/logging.write
+            - https://www.googleapis.com/auth/monitoring.write
+            - https://www.googleapis.com/auth/service.management.readonly
+            - https://www.googleapis.com/auth/servicecontrol
+            - https://www.googleapis.com/auth/trace.append
+        state: present
+        status: RUNNING
+
+    - name: Show instance details
+      debug:
+        msg: "New GCP instance accessible at {{ address.address }}."
+

keylime-ansible-gcp/set_env_var.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+usage() {
+	echo "Warning: this script parses the GCP service account credential file for the email and project ID."
+        echo "Usage: ./set_env_var.sh <path to JSON cred file> <GCP region> <GCP zone>"
+}
+if [[ ($# -ne 3) || ($@ == "--help") || ($@ == "-h") ]]
+then
+        usage
+        exit 1
+fi
+echo "Warning: this script parses the GCP service account credential file for the email and project ID."
+sleep 5
+export GCP_REGION="$2"
+echo "GCP REGION is set to $GCP_REGION"
+export GCP_ZONE="$3"
+echo "GCP ZONE is set to $GCP_ZONE"
+export GCP_CRED_FILE="$1"
+echo "GCP CRED FILE is set to $GCP_CRED_FILE"
+export GCP_PROJECT="$(sed -e 's/^"//' -e 's/"$//' <<< "$(jq .project_id $1)")"
+echo "GCP PROJECT is set to $GCP_PROJECT"
+export GCP_CRED_KIND="serviceaccount"
+echo "GCP CRED KIND is set to $GCP_CRED_KIND"
+export GCP_CRED_EMAIL="$(sed -e 's/^"//' -e 's/"$//' <<< "$(jq .client_email $1)")"
+echo "GCP CRED EMAIL is set to $GCP_CRED_EMAIL"
+echo "Launching shell with environment variables"
+$SHELL