1. Using GCP organizations with OS Login

    TypeScript

    To manage GCP organizations and use OS Login features via Pulumi, we will use the Google Cloud Platform (GCP) provider for Pulumi. OS Login is a feature that provides centralized user management and a way to control SSH access to Google Compute Engine instances. With OS Login, you associate SSH public keys with your Google account and log in to instances at the OS level without having to manage individual SSH keys in instance metadata.

    Before we start writing our program, it's important to ensure you have Pulumi and the GCP CLI configured on your local machine. You must have authenticated access to your Google Cloud project and have permissions to create and manage resources within the organization.

    In our TypeScript program, we will:

    1. Enable the necessary GCP services required for OS Login.
    2. Manage an example resource like a GCP project to which we will apply organization policies.
    3. Set up an OS Login SSH public key which will be associated with an IAM user.

    For instance, we could create a new GCP project within an organization, apply organization policies for OS Login, and add an SSH key for a user. Here's how we'd do it:

```typescript
import * as gcp from "@pulumi/gcp";

const projectName = "example-project";
const orgId = "example-org-id"; // Replace with your Organization ID
const billingAccountId = "example-billing-account-id"; // Replace with your Billing Account ID

// Create a new GCP project under the organization
const project = new gcp.organizations.Project(projectName, {
    orgId: orgId,
    projectId: projectName,
    name: projectName,
    billingAccount: billingAccountId,
});

// Enforce OS Login for the organization by setting the boolean organization
// policy constraint. The constraint is named constraints/compute.requireOsLogin
// (there is no constraints/compute.enableOsLogin constraint).
const enableOsLoginPolicy = new gcp.organizations.Policy("enableOsLoginPolicy", {
    orgId: orgId,
    constraint: "constraints/compute.requireOsLogin",
    booleanPolicy: {
        enforced: true,
    },
});

// Add an SSH public key to the user's OS Login profile
const user = "user@example.com"; // Replace with the email address of the IAM user
const sshPublicKey = new gcp.oslogin.SshPublicKey("userSshPublicKey", {
    // Replace the 'key' property with your own SSH public key content.
    key: "ssh-rsa AAAAB3Nza... user@example.com",
    user: user,
});

export const projectId = project.projectId;
export const userSshPublicKeyFingerprint = sshPublicKey.fingerprint;
```

    This program does the following:

    • Defines variables for the project name, organization ID, and billing account ID.
    • Creates a new GCP project within an organization with a specified name and billing account.
    • Applies an organization policy constraint to enable OS Login feature.
    • Adds an SSH public key to a specified user's OS Login profile.

    When you run this program with Pulumi, it will create the resources defined within your GCP account. After deploying this Pulumi stack, the project will have OS Login enabled, meaning users will use their Google credentials for SSH access, and the specified user will have their SSH key registered with OS Login.

    Make sure to replace the placeholders like example-org-id, example-billing-account-id, and the SSH public key content with actual values that correspond to your GCP setup.
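As an added example that is not part of the original answer, here is a small TypeScript check you can run locally (Node only, no Pulumi or GCP dependency) before pasting a key into the `key` property above. It parses an OpenSSH public-key line, confirms the declared type matches the algorithm encoded inside the base64 blob, rejects RSA keys under 2048 bits, and computes the SHA256 fingerprint in the form `ssh-keygen -l` prints so you can tie the registered key to the local key pair. The accepted key-type list and the 2048-bit floor are this example's own choices, and the sample key is constructed for the parser, not a real key.

```typescript
import * as crypto from "crypto";

// Key types accepted by this check (an assumption for the example; DSA is deliberately excluded).
const ACCEPTED_KEY_TYPES = new Set([
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
]);
const MIN_RSA_BITS = 2048; // example's own floor, not an OS Login requirement

export interface ParsedSshKey {
    type: string;
    bits: number | null;   // RSA modulus size in bits; null for non-RSA types
    fingerprint: string;   // "SHA256:<base64 without padding>", the form ssh-keygen -l prints
    comment: string;
}

// Read one length-prefixed field (string or mpint) from an OpenSSH key blob (RFC 4251 wire format).
function readField(blob: Buffer, offset: number): { value: Buffer; next: number } {
    if (offset + 4 > blob.length) throw new Error("truncated key blob");
    const len = blob.readUInt32BE(offset);
    if (offset + 4 + len > blob.length) throw new Error("truncated key blob");
    return { value: blob.subarray(offset + 4, offset + 4 + len), next: offset + 4 + len };
}

// Encode fields in the same wire format; used here only to build constructed sample keys.
export function encodeSshKeyBlob(fields: Buffer[]): Buffer {
    return Buffer.concat(fields.map(f => {
        const len = Buffer.alloc(4);
        len.writeUInt32BE(f.length, 0);
        return Buffer.concat([len, f]);
    }));
}

export function parseOpenSshPublicKey(line: string): ParsedSshKey {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 2) throw new Error("expected '<type> <base64-blob> [comment]'");
    const [type, b64, ...commentParts] = parts;
    if (!ACCEPTED_KEY_TYPES.has(type)) throw new Error(`unsupported key type: ${type}`);
    // A truncated placeholder such as "AAAAB3Nza..." fails here: '.' is not base64.
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error("key body is not valid base64");
    const blob = Buffer.from(b64, "base64");

    // The blob's first field names the algorithm and must agree with the declared type.
    const alg = readField(blob, 0);
    const embedded = alg.value.toString("utf8");
    if (embedded !== type) throw new Error(`blob algorithm ${embedded} does not match declared type ${type}`);

    let bits: number | null = null;
    if (type === "ssh-rsa") {
        const eField = readField(blob, alg.next);          // public exponent e
        const n = readField(blob, eField.next).value;       // modulus n as mpint (may carry a leading 0x00)
        const first = n.findIndex(b => b !== 0);
        bits = first < 0 ? 0 : (n.length - first - 1) * 8 + (32 - Math.clz32(n[first]));
        if (bits < MIN_RSA_BITS) throw new Error(`RSA key is ${bits} bits; minimum is ${MIN_RSA_BITS}`);
    }

    const digest = crypto.createHash("sha256").update(blob).digest("base64").replace(/=+$/, "");
    return { type, bits, fingerprint: `SHA256:${digest}`, comment: commentParts.join(" ") };
}

// Convenience wrapper: true when the line passes every check above.
export function isAcceptableForOsLogin(line: string): boolean {
    try {
        parseOpenSshPublicKey(line);
        return true;
    } catch {
        return false;
    }
}

// Constructed sample: an ssh-ed25519 line whose 32-byte point is all zeros. It is not a usable key;
// it only exercises the parser.
export const SAMPLE_ED25519_LINE =
    "ssh-ed25519 " +
    encodeSshKeyBlob([Buffer.from("ssh-ed25519"), Buffer.alloc(32, 0)]).toString("base64") +
    " user@example.com";

console.log(parseOpenSshPublicKey(SAMPLE_ED25519_LINE));
```

Run it with `ts-node` (or compile with `tsc`) and pass the exact line you intend to put in the `key` property; the page's placeholder `ssh-rsa AAAAB3Nza... user@example.com` is rejected by the base64 check, which is the point of running this before `pulumi up`.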

    To apply and deploy these resources, you would navigate to your Pulumi project directory in the terminal and use the Pulumi CLI:

    pulumi up

    After confirming the preview looks correct, you proceed with the update. On completion, Pulumi will output the projectId and userSshPublicKeyFingerprint if you want to reference them later, such as for troubleshooting or auditing purposes.