2023-01-27 01:05:19 -08:00
# Shielded folder
2023-02-06 12:34:29 -08:00
This blueprint implements an opinionated folder configuration according to GCP best practices. Configurations set at the folder level would be beneficial to host workloads inheriting constraints from the folder they belong to.
2023-01-27 01:05:19 -08:00
2023-02-06 12:33:04 -08:00
In this blueprint, a folder will be created setting following features:
2023-02-05 13:41:57 -08:00
2023-01-27 01:05:19 -08:00
- Organizational policies
2023-02-01 08:34:31 -08:00
- Hierarchical firewall rules
2023-01-30 14:32:13 -08:00
- Cloud KMS
2023-01-27 01:05:19 -08:00
- VPC-SC
2023-01-31 15:50:22 -08:00
Within the folder, the following projects will be created:
2023-02-05 13:41:57 -08:00
2023-01-30 14:32:13 -08:00
- 'audit-logs' where Audit Logs sink will be created
- 'sec-core' where Cloud KMS and Cloud Secret manager will be configured
2023-01-27 01:05:19 -08:00
2023-01-30 14:32:13 -08:00
The following diagram is a high-level reference of the resources created and managed here:
2023-01-31 13:35:48 -08:00
## Design overview and choices
2023-01-30 14:32:13 -08:00
Despite its simplicity, this blueprint implements the basics of a design that we've seen working well for various customers.
The approach adapts to different high-level requirements:
2023-02-05 13:41:57 -08:00
2023-01-30 14:32:13 -08:00
- IAM roles inheritance
- Organizational policies
- Audit log sink
- VPC Service Control
- Cloud KMS
2023-01-31 13:35:48 -08:00
## Project structure
2023-02-05 13:41:57 -08:00
2023-01-30 14:32:13 -08:00
The Shielded Folder blueprint is designed to rely on several projects:
2023-02-05 13:41:57 -08:00
2023-01-30 14:32:13 -08:00
- `audit-log` : to host Audit logging buckets and Audit log sync to GCS, BigQuery or PubSub
2023-01-31 15:50:22 -08:00
- `sec-core` : to host security-related resources such as Cloud KMS and Cloud Secrets Manager
2023-01-30 14:32:13 -08:00
This separation into projects allows adhering to the least-privilege principle by using project-level roles.
2023-01-31 13:35:48 -08:00
## User groups
2023-02-05 13:41:57 -08:00
2023-01-31 15:50:22 -08:00
User groups provide a stable frame of reference that allows decoupling the final set of permissions from the stage where entities and resources are created, and their IAM bindings are defined.
2023-01-30 14:32:13 -08:00
2023-02-06 12:33:04 -08:00
We use groups to control access to resources:
2023-02-05 13:41:57 -08:00
2023-06-21 02:51:32 -07:00
- `gcp-data-engineers` : They handle and run workloads on the `workload` subfolder. They have editor access to all resources in the `workload` folder in order to troubleshoot possible issues within the workload. This team can also impersonate any service account in the workload folder.
- `gcp-data-security` : They handle security configurations for the shielded folder. They have owner access to the `audit-log` and `sec-core` projects.
2023-01-30 14:32:13 -08:00
2023-01-31 13:35:48 -08:00
## Encryption
2023-02-05 13:41:57 -08:00
2023-01-31 15:50:22 -08:00
The blueprint supports the configuration of an instance of Cloud KMS to handle encryption on the resources. The encryption is disabled by default, but you can enable it by configuring the `enable_features.encryption` variable.
2023-01-30 14:32:13 -08:00
2023-01-31 15:50:22 -08:00
The script will create keys to encrypt log sink buckets/datasets/topics in the specified regions. Configuring the `kms_keys` variable, you can create additional KMS keys needed by your workload.
2023-01-30 14:32:13 -08:00
2023-01-31 15:26:57 -08:00
## Customizations
2023-02-03 21:24:35 -08:00
### Organization policy
2023-02-05 13:41:57 -08:00
You can configure the Organization policies enforced on the folder editing yaml files in the [org-policies ](./data/org-policies/ ) folder. An opinionated list of policies that we suggest enforcing is listed.
2023-02-03 21:24:35 -08:00
Some additional Organization policy constraints you may want to evaluate adding:
2023-02-05 13:41:57 -08:00
- `constraints/gcp.resourceLocations` : to define the locations where location-based GCP resources can be created.
- `constraints/gcp.restrictCmekCryptoKeyProjects` : to define which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources.
2023-02-03 21:24:35 -08:00
2023-01-31 15:26:57 -08:00
### VPC Service Control
2023-02-05 13:41:57 -08:00
2023-01-31 15:50:22 -08:00
VPC Service Control is configured to have a Perimeter containing all projects within the folder. Additional projects you may add to the folder won't be automatically added to the perimeter, and a new `terraform apply` is needed to add the project to the perimeter.
2023-01-31 15:26:57 -08:00
The VPC SC configuration is set to dry-run mode, but switching to enforced mode is a simple operation involving modifying a few lines of code highlighted by ad-hoc comments.
2023-02-05 13:41:57 -08:00
Access level rules are not defined. Before moving the configuration to enforced mode, configure access policies to continue accessing resources from outside of the perimeter.
2023-01-31 15:26:57 -08:00
2023-01-31 15:50:22 -08:00
An access level based on the network range you are using to reach the console (e.g. Proxy IP, Internet connection, ...) is suggested. Example:
2023-01-31 15:26:57 -08:00
2023-02-06 05:58:40 -08:00
```tfvars
2023-01-31 15:26:57 -08:00
vpc_sc_access_levels = {
users = {
conditions = [
{ members = ["user:user1@example.com"] }
]
}
}
```
2023-01-31 15:50:22 -08:00
Alternatively, you can configure an access level based on the identity that needs to reach resources from outside the perimeter.
2023-01-31 15:26:57 -08:00
2023-02-06 05:58:40 -08:00
```tfvars
2023-01-31 15:26:57 -08:00
vpc_sc_access_levels = {
users = {
conditions = [
{ ip_subnetworks = ["101.101.101.0/24"] }
]
}
}
```
2023-01-31 13:35:48 -08:00
## How to run this script
2023-02-05 13:41:57 -08:00
2023-01-31 15:50:22 -08:00
To deploy this blueprint in your GCP organization, you will need
2023-02-05 13:41:57 -08:00
2023-01-30 14:32:13 -08:00
- a folder or organization where resources will be created
- a billing account that will be associated with the new projects
2023-06-23 06:52:08 -07:00
The Shielded Folder blueprint is meant to be executed by a Service Account having this minimal set of permission:
2023-02-05 13:41:57 -08:00
2023-06-23 06:52:08 -07:00
- **Billing account**
2023-01-30 14:32:13 -08:00
- `roles/billing.user`
2023-06-23 06:52:08 -07:00
- **Organization level**:
- `roles/logging.configWriter`
2023-01-30 14:32:13 -08:00
- `roles/resourcemanager.folderAdmin`
2023-06-23 06:52:08 -07:00
- `roles/compute.orgFirewallPolicyAdmin`
2023-01-30 14:32:13 -08:00
- `roles/resourcemanager.projectCreator`
2023-06-23 06:52:08 -07:00
- `roles/orgpolicy.policyAdmin`
2023-01-30 14:32:13 -08:00
2023-06-23 06:52:08 -07:00
The shielded Folder blueprint assumes [groups described ](#user-groups ) are created in your GCP organization. Please create them from the [https://admin.google.com/][Google Admin] console.
2023-01-30 14:32:13 -08:00
2023-06-23 06:52:08 -07:00
### Variable configuration
2023-02-05 13:41:57 -08:00
2023-02-06 12:33:04 -08:00
There are several sets of variables you will need to fill in:
2023-02-05 13:41:57 -08:00
2023-02-06 12:33:04 -08:00
```tfvars
2023-02-06 05:58:40 -08:00
access_policy_config = {
access_policy_create = {
parent = "organizations/1234567890123"
title = "ShieldedMVP"
}
}
folder_config = {
folder_create = {
display_name = "ShieldedMVP"
parent = "organizations/1234567890123"
}
}
2023-01-30 14:32:13 -08:00
organization = {
domain = "example.com"
2023-02-06 05:58:40 -08:00
id = "1122334455"
2023-01-30 14:32:13 -08:00
}
prefix = "prefix"
2023-02-06 12:33:04 -08:00
project_config = {
billing_account_id = "123456-123456-123456"
2023-02-06 05:58:40 -08:00
}
2023-01-30 14:32:13 -08:00
```
2023-01-31 13:35:48 -08:00
### Deploying the blueprint
2023-02-05 13:41:57 -08:00
2023-01-30 14:32:13 -08:00
Once the configuration is complete, run the project factory by running
```bash
terraform init
terraform apply
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
2023-02-06 05:58:40 -08:00
| [access_policy_config ](variables.tf#L17 ) | Provide 'access_policy_create' values if a folder scoped Access Policy creation is needed, uses existing 'policy_name' otherwise. Parent is in 'organizations/123456' format. Policy will be created scoped to the folder. | < code title = "object({ policy_name = optional(string, null) access_policy_create = optional(object({ parent = string title = string }), null) })" > object({…}) </ code > | ✓ | |
| [folder_config ](variables.tf#L49 ) | Provide 'folder_create' values if folder creation is needed, uses existing 'folder_id' otherwise. Parent is in 'folders/nnn' or 'organizations/nnn' format. | < code title = "object({ folder_id = optional(string, null) folder_create = optional(object({ display_name = string parent = string }), null) })" > object({…}) </ code > | ✓ | |
2023-08-20 00:44:20 -07:00
| [organization ](variables.tf#L129 ) | Organization details. | < code title = "object({ domain = string id = string })" > object({…}) </ code > | ✓ | |
| [prefix ](variables.tf#L137 ) | Prefix used for resources that need unique names. | < code > string</ code > | ✓ | |
| [project_config ](variables.tf#L142 ) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | < code title = "object({ billing_account_id = optional(string, null) project_ids = optional(object({ sec-core = string audit-logs = string }), { sec-core = "sec-core" audit-logs = "audit-logs" } ) })" > object({…}) </ code > | ✓ | |
2023-02-06 05:58:40 -08:00
| [data_dir ](variables.tf#L29 ) | Relative path for the folder storing configuration data. | < code > string</ code > | | < code > " data" </ code > |
| [enable_features ](variables.tf#L35 ) | Flag to enable features on the solution. | < code title = "object({ encryption = optional(bool, false) log_sink = optional(bool, true) vpc_sc = optional(bool, true) })" > object({…}) </ code > | | < code title = "{ encryption = false log_sink = true vpc_sc = true }" > {…} </ code > |
2023-02-07 04:57:26 -08:00
| [groups ](variables.tf#L65 ) | User groups. | < code title = "object({ workload-engineers = optional(string, "gcp-data-engineers") workload-security = optional(string, "gcp-data-security") })" > object({…}) </ code > | | < code > {} </ code > |
2023-08-20 00:44:20 -07:00
| [kms_keys ](variables.tf#L75 ) | KMS keys to create, keyed by name. | < code title = "map(object({ iam = optional(map(list(string)), {}) iam_bindings_additive = optional(map(map(any)), {}) labels = optional(map(string), {}) locations = optional(list(string), ["global", "europe", "europe-west1"]) rotation_period = optional(string, "7776000s") }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [log_locations ](variables.tf#L87 ) | Optional locations for GCS, BigQuery, and logging buckets created here. | < code title = "object({ bq = optional(string, "europe") storage = optional(string, "europe") logging = optional(string, "global") pubsub = optional(string, "global") })" > object({…}) </ code > | | < code title = "{ bq = "europe" storage = "europe" logging = "global" pubsub = null }" > {…} </ code > |
| [log_sinks ](variables.tf#L104 ) | Org-level log sinks, in name => {type, filter} format. | < code title = "map(object({ filter = string type = string }))" > map( object({…})) </ code > | | < code title = "{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }" > {…} </ code > |
| [vpc_sc_access_levels ](variables.tf#L162 ) | VPC SC access level definitions. | < code title = "map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) })), []) description = optional(string) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [vpc_sc_egress_policies ](variables.tf#L191 ) | VPC SC egress policy definitions. | < code title = "map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [vpc_sc_ingress_policies ](variables.tf#L211 ) | VPC SC ingress policy definitions. | < code title = "map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))" > map( object({…})) </ code > | | < code > {} </ code > |
2023-01-30 14:32:13 -08:00
2023-01-31 15:50:22 -08:00
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [folders ](outputs.tf#L15 ) | Folders id. | |
| [folders_sink_writer_identities ](outputs.tf#L23 ) | Folders id. | |
2023-05-05 00:54:57 -07:00
| [kms_keys ](outputs.tf#L31 ) | Cloud KMS encryption keys created. | |
2023-01-30 14:32:13 -08:00
<!-- END TFDOC -->
2023-02-10 08:04:55 -08:00
## Test
```hcl
module "test" {
source = "./fabric/blueprints/data-solutions/shielded-folder"
data_dir = "./fabric/blueprints/data-solutions/shielded-folder/data"
access_policy_config = {
access_policy_create = {
parent = "organizations/1234567890123"
title = "ShieldedMVP"
}
}
folder_config = {
folder_create = {
display_name = "ShieldedMVP"
parent = "organizations/1234567890123"
}
}
organization = {
domain = "example.com"
id = "1122334455"
}
prefix = "prefix"
project_config = {
billing_account_id = "123456-123456-123456"
}
}
2023-08-09 04:23:07 -07:00
# tftest modules=7 resources=38
2023-02-10 08:04:55 -08:00
```
