diff --git a/modules/project_cleanup/README.md b/modules/project_cleanup/README.md
index 8d11c9c1..8a48e23a 100644
--- a/modules/project_cleanup/README.md
+++ b/modules/project_cleanup/README.md
@@ -15,6 +15,7 @@ The following services must be enabled on the project housing the cleanup functi
 - Cloud Functions (`cloudfunctions.googleapis.com`)
 - Cloud Scheduler (`cloudscheduler.googleapis.com`)
 - Cloud Resource Manager (`cloudresourcemanager.googleapis.com`)
+- Compute Engine API (`compute.googleapis.com`)
 
 ## Inputs
 
diff --git a/modules/project_cleanup/function_source/main.go b/modules/project_cleanup/function_source/main.go
index 734e5a42..eaa492b2 100644
--- a/modules/project_cleanup/function_source/main.go
+++ b/modules/project_cleanup/function_source/main.go
@@ -31,6 +31,7 @@ import (
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/cloudresourcemanager/v1"
 	cloudresourcemanager2 "google.golang.org/api/cloudresourcemanager/v2"
+	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/googleapi"
 	"google.golang.org/api/servicemanagement/v1"
 )
@@ -203,12 +204,22 @@ func getFolderServiceOrTerminateExecution(client *http.Client) *cloudresourceman
 	logger.Println("Try to get Folders Service")
 	cloudResourceManagerService, err := cloudresourcemanager2.New(client)
 	if err != nil {
-		logger.Fatalf("Fail to get Folders Servicewith error [%s], terminate execution", err.Error())
+		logger.Fatalf("Fail to get Folders Service with error [%s], terminate execution", err.Error())
 	}
 	logger.Println("Got Folders Service")
 	return cloudResourceManagerService.Folders
 }
 
+func getFirewallPoliciesServiceOrTerminateExecution(client *http.Client) *compute.FirewallPoliciesService {
+	logger.Println("Try to get Firewall Policies Service")
+	computeService, err := compute.New(client)
+	if err != nil {
+		logger.Fatalf("Fail to get Firewall Policies Service with error [%s], terminate execution", err.Error())
+	}
+	logger.Println("Got Firewall Policies Service")
+	return computeService.FirewallPolicies
+}
+
 func initializeGoogleClient(ctx context.Context) *http.Client {
 	logger.Println("Try to initialize Google client")
 	client, err := google.DefaultClient(ctx, cloudresourcemanager.CloudPlatformScope)
@@ -223,6 +234,7 @@ func invoke(ctx context.Context) {
 	client := initializeGoogleClient(ctx)
 	cloudResourceManagerService := getResourceManagerServiceOrTerminateExecution(client)
 	folderService := getFolderServiceOrTerminateExecution(client)
+	firewallPoliciesService := getFirewallPoliciesServiceOrTerminateExecution(client)
 	endpointService := getServiceManagementServiceOrTerminateExecution(client)
 
 	removeLien := func(name string) {
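Review bot: getFirewallPoliciesServiceOrTerminateExecution has no comment, and its name hides that what it constructs is a full Compute Engine client, of which only the FirewallPolicies sub-service is returned; a one-line comment above the func would help: `// getFirewallPoliciesServiceOrTerminateExecution builds a Compute Engine API client over the shared http.Client and returns its FirewallPolicies sub-service; a construction error is fatal, like the other *OrTerminateExecution helpers.` `compute.New(client)` mirrors the existing `cloudresourcemanager2.New(client)` call, though the generated client marks `New` as deprecated in favor of `NewService`, so keeping the file consistent is reasonable but worth remembering if the file is ever migrated. The new service reuses the client authorized with `cloudresourcemanager.CloudPlatformScope`, which is the broad cloud-platform scope and covers Compute as well, so no additional scope is needed here.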
@@ -235,6 +247,27 @@ func invoke(ctx context.Context) {
 		}
 	}
 
+	removeFirewallPolicies := func(folder string) {
+		logger.Printf("Try to remove Firewall Policies from folder [%s]", folder)
+		firewallPolicyList, err := firewallPoliciesService.List().ParentId(folder).Context(ctx).Do()
+		if err != nil {
+			logger.Printf("Fail to list Firewall Policies from folder [%s], error [%s]", folder, err.Error())
+			return
+		}
+		for _, policy := range firewallPolicyList.Items {
+			for _, association := range policy.Associations {
+				_, err := firewallPoliciesService.RemoveAssociation(policy.Name).Name(association.Name).Context(ctx).Do()
+				if err != nil {
+					logger.Printf("Fail to Remove Association for Firewall Policies from folder [%s], error [%s]", folder, err.Error())
+				}
+			}
+			_, err := firewallPoliciesService.Delete(policy.Name).Context(ctx).Do()
+			if err != nil {
+				logger.Printf("Fail to delete Firewall Policy [%s] from folder [%s], error [%s]", policy.Name, folder, err.Error())
+			}
+		}
+	}
+
 	removeProjectById := func(projectId string) error {
 		_, err := cloudResourceManagerService.Projects.Delete(projectId).Context(ctx).Do()
 		return err
@@ -312,6 +345,7 @@ func invoke(ctx context.Context) {
 
 	removeFolder := func(folder *cloudresourcemanager2.Folder) {
 		folderId := folder.Name
+		removeFirewallPolicies(folderId)
 		logger.Printf("Try to delete folder with id [%s]", folderId)
 		_, err := folderService.Delete(folderId).Do()
 		if err != nil {
diff --git a/modules/project_cleanup/main.tf b/modules/project_cleanup/main.tf
index 951d6959..1f454123 100644
--- a/modules/project_cleanup/main.tf
+++ b/modules/project_cleanup/main.tf
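Review bot: RemoveAssociation and Delete in the removeFirewallPolicies hunk are asynchronous Compute operations, but the returned `*compute.Operation` is discarded on both calls, so Delete can run while the association removal is still in flight, and in the removeFolder hunk `folderService.Delete(folderId)` runs right after `removeFirewallPolicies(folderId)` while the policy deletion may still be pending; both later steps can then fail with an in-use error that is only logged, leaving the folder and its policies behind for the next run. Polling each returned operation until its `Status` is `"DONE"` before moving on would make the cleanup reliable; which operations service exposes that wait for organization-scoped policies is something I have not confirmed from this diff. Separately, `List().ParentId(folder).Context(ctx).Do()` fetches only the first page and ignores `NextPageToken`, so policies beyond the page size are never removed; iterating with `Pages` covers all of them, as sketched below. The enclosing invoke function starts and ends outside the hunk.
```go
err := firewallPoliciesService.List().ParentId(folder).Pages(ctx, func(page *compute.FirewallPolicyList) error {
	for _, policy := range page.Items {
		// … unchanged: association removal and policy delete for one policy …
	}
	return nil
})
if err != nil {
	logger.Printf("Fail to list Firewall Policies from folder [%s], error [%s]", folder, err.Error())
}
```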
@@ -29,7 +29,10 @@ resource "google_organization_iam_member" "main" { "roles/resourcemanager.projectDeleter", "roles/resourcemanager.folderEditor", "roles/resourcemanager.lienModifier", - "roles/owner" + "roles/serviceusage.serviceUsageAdmin", + "roles/compute.orgSecurityResourceAdmin", + "roles/compute.orgSecurityPolicyAdmin", + "roles/viewer" ]) member = "serviceAccount:${google_service_account.project_cleaner_function.email}"