Fixes
This commit is contained in:
parent
39ffdcf184
commit
1e4499c8ab
|
@ -75,7 +75,7 @@ Access level rules are not defined. Before moving the configuration to enforced
|
||||||
|
|
||||||
An access level based on the network range you are using to reach the console (e.g. Proxy IP, Internet connection, ...) is suggested. Example:
|
An access level based on the network range you are using to reach the console (e.g. Proxy IP, Internet connection, ...) is suggested. Example:
|
||||||
|
|
||||||
```hcl
|
```tfvars
|
||||||
vpc_sc_access_levels = {
|
vpc_sc_access_levels = {
|
||||||
users = {
|
users = {
|
||||||
conditions = [
|
conditions = [
|
||||||
|
@ -87,7 +87,7 @@ vpc_sc_access_levels = {
|
||||||
|
|
||||||
Alternatively, you can configure an access level based on the identity that needs to reach resources from outside the perimeter.
|
Alternatively, you can configure an access level based on the identity that needs to reach resources from outside the perimeter.
|
||||||
|
|
||||||
```hcl
|
```tfvars
|
||||||
vpc_sc_access_levels = {
|
vpc_sc_access_levels = {
|
||||||
users = {
|
users = {
|
||||||
conditions = [
|
conditions = [
|
||||||
|
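Review bot: Both README examples (this hunk and the one at -75,7) define the same key, `users`, inside `vpc_sc_access_levels`, even though the first one is described as a network-range access level and this one as an identity-based one; a reader who pastes both gets a duplicate map key. Rename the network-based example to something like `corp-network` (or just `network`) so the two can coexist, and keep `users` for the identity one. The fence change from ```hcl to ```tfvars is correct in both places since these blocks are variable assignments, not module code.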
@ -114,16 +114,32 @@ The Shielded Folder blueprint is meant to be executed by a Service Account (or a
|
||||||
|
|
||||||
The shielded Folfer blueprint assumes [groups described](#user-groups) are created in your GCP organization.
|
The shielded Folfer blueprint assumes [groups described](#user-groups) are created in your GCP organization.
|
||||||
|
|
||||||
### Variable configuration
|
### Variable configuration PIPPO
|
||||||
|
|
||||||
There are three sets of variables you will need to fill in:
|
There are three sets of variables you will need to fill in:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
|
access_policy_config = {
|
||||||
|
access_policy_create = {
|
||||||
|
parent = "organizations/1234567890123"
|
||||||
|
title = "ShieldedMVP"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
folder_config = {
|
||||||
|
folder_create = {
|
||||||
|
display_name = "ShieldedMVP"
|
||||||
|
parent = "organizations/1234567890123"
|
||||||
|
}
|
||||||
|
}
|
||||||
organization = {
|
organization = {
|
||||||
id = "12345678"
|
|
||||||
domain = "example.com"
|
domain = "example.com"
|
||||||
|
id = "1122334455"
|
||||||
}
|
}
|
||||||
prefix = "prefix"
|
prefix = "prefix"
|
||||||
|
project_config_2 = {
|
||||||
|
billing_account_id = "123456-123456-123456"
|
||||||
|
}
|
||||||
|
# tftest modules=8 resources=35
|
||||||
```
|
```
|
||||||
|
|
||||||
### Deploying the blueprint
|
### Deploying the blueprint
|
||||||
|
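Review bot: The heading `### Variable configuration PIPPO` carries a stray placeholder word that must be dropped before merge. In the variable example, `project_config_2 = { billing_account_id = ... }` does not match the `project_config` variable that the table below and the new tfvars fixture use; since `project_config` is marked required in the table, the example as written would not satisfy the variable, so fix the name and re-run the `# tftest modules=8 resources=35` check to confirm the counts. The example also mixes placeholder organization numbers (`organizations/1234567890123` for `access_policy_create.parent` and `folder_create.parent` versus `id = "1122334455"` in `organization`); using one number keeps readers from assuming those may legitimately differ. The context line "The shielded Folfer blueprint" still has the "Folfer" typo.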
@ -140,23 +156,20 @@ terraform apply
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [organization](variables.tf#L129) | Organization details. | <code title="object({ domain = string id = string })">object({…})</code> | ✓ | |
|
| [access_policy_config](variables.tf#L17) | Provide 'access_policy_create' values if a folder scoped Access Policy creation is needed, uses existing 'policy_name' otherwise. Parent is in 'organizations/123456' format. Policy will be created scoped to the folder. | <code title="object({ policy_name = optional(string, null) access_policy_create = optional(object({ parent = string title = string }), null) })">object({…})</code> | ✓ | |
|
||||||
| [prefix](variables.tf#L137) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | |
|
| [folder_config](variables.tf#L49) | Provide 'folder_create' values if folder creation is needed, uses existing 'folder_id' otherwise. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ folder_id = optional(string, null) folder_create = optional(object({ display_name = string parent = string }), null) })">object({…})</code> | ✓ | |
|
||||||
| [access_policy](variables.tf#L17) | Access Policy name, set to null if creating one. | <code>string</code> | | <code>null</code> |
|
| [organization](variables.tf#L124) | Organization details. | <code title="object({ domain = string id = string })">object({…})</code> | ✓ | |
|
||||||
| [access_policy_create](variables.tf#L23) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | <code title="object({ parent = string title = string scopes = optional(list(string)) })">object({…})</code> | | <code>null</code> |
|
| [prefix](variables.tf#L132) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | |
|
||||||
| [data_dir](variables.tf#L33) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data"</code> |
|
| [project_config](variables.tf#L141) | Provide 'billing_account_id' value if project creation is needed, uses existing 'projects_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) project_ids = optional(object({ sec-core = string audit-logs = string }), { sec-core = "sec-core" audit-logs = "audit-logs" } ) })">object({…})</code> | ✓ | |
|
||||||
| [enable_features](variables.tf#L39) | Flag to enable features on the solution. | <code title="object({ encryption = bool log_sink = bool vpc_sc = bool })">object({…})</code> | | <code title="{ encryption = false log_sink = true vpc_sc = true }">{…}</code> |
|
| [data_dir](variables.tf#L29) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data"</code> |
|
||||||
| [folder_create](variables.tf#L52) | Provide values if folder creation is needed, uses existing folder if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ display_name = string parent = string })">object({…})</code> | | <code>null</code> |
|
| [enable_features](variables.tf#L35) | Flag to enable features on the solution. | <code title="object({ encryption = optional(bool, false) log_sink = optional(bool, true) vpc_sc = optional(bool, true) })">object({…})</code> | | <code title="{ encryption = false log_sink = true vpc_sc = true }">{…}</code> |
|
||||||
| [folder_id](variables.tf#L61) | Folder ID in case you use folder_create=null. | <code>string</code> | | <code>null</code> |
|
| [groups](variables.tf#L61) | User groups. | <code title="object({ workload-engineers = optional(string, "gcp-data-engineers") workload-security = optional(string, "gcp-data-security") })">object({…})</code> | | <code>{}</code> |
|
||||||
| [groups](variables.tf#L67) | User groups. | <code>map(string)</code> | | <code title="{ workload-engineers = "gcp-data-engineers" workload-security = "gcp-data-security" }">{…}</code> |
|
| [kms_keys](variables.tf#L71) | KMS keys to create, keyed by name. | <code title="map(object({ iam = optional(map(list(string)), {}) labels = optional(map(string), {}) locations = optional(list(string), ["global", "europe", "europe-west1"]) rotation_period = optional(string, "7776000s") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [kms_keys](variables.tf#L76) | KMS keys to create, keyed by name. | <code title="map(object({ iam = optional(map(list(string)), {}) labels = optional(map(string), {}) locations = optional(list(string), ["global", "europe", "europe-west1"]) rotation_period = optional(string, "7776000s") }))">map(object({…}))</code> | | <code>{}</code> |
|
| [log_locations](variables.tf#L82) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "europe") storage = optional(string, "europe") logging = optional(string, "global") pubsub = optional(string, "global") })">object({…})</code> | | <code title="{ bq = "europe" storage = "europe" logging = "global" pubsub = null }">{…}</code> |
|
||||||
| [log_locations](variables.tf#L87) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "europe") storage = optional(string, "europe") logging = optional(string, "global") pubsub = optional(string, "global") })">object({…})</code> | | <code title="{ bq = "europe" storage = "europe" logging = "global" pubsub = null }">{…}</code> |
|
| [log_sinks](variables.tf#L99) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> |
|
||||||
| [log_sinks](variables.tf#L104) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> |
|
| [vpc_sc_access_levels](variables.tf#L157) | VPC SC access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) })), []) description = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [projects_create](variables.tf#L147) | Provide values if projects creation is needed, uses existing project if null. Projects will be created in the shielded folder. | <code title="object({ billing_account_id = string })">object({…})</code> | | <code>null</code> |
|
| [vpc_sc_egress_policies](variables.tf#L186) | VPC SC egress policy defnitions. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [projects_id](variables.tf#L155) | Project id, references existing projects if `projects_create` is null. Projects will be moved into the shielded folder. | <code title="object({ sec-core = string audit-logs = string })">object({…})</code> | | <code>null</code> |
|
| [vpc_sc_ingress_policies](variables.tf#L206) | VPC SC ingress policy defnitions. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [vpc_sc_access_levels](variables.tf#L164) | VPC SC access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) })), []) description = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
||||||
| [vpc_sc_egress_policies](variables.tf#L193) | VPC SC egress policy defnitions. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
||||||
| [vpc_sc_ingress_policies](variables.tf#L213) | VPC SC ingress policy defnitions. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
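Review bot: The regenerated table is already out of sync with variables.tf in this same commit: the `enable_features` row still documents `encryption = optional(bool, false)` and a default of `encryption = false`, while variables.tf changes both to `true`; rerun the doc generator after the variables change. The `project_config` description refers to `'projects_id'` and to a "Parent is in 'folders/nnn' or 'organizations/nnn' format", but the type declares `project_ids` and has no parent field; the description text should match the object. Minor: "defnitions" persists in the `vpc_sc_egress_policies` and `vpc_sc_ingress_policies` rows, and the `log_locations` default shows `pubsub = null` while the type default is `"global"`.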
@ -35,12 +35,12 @@ variable "data_dir" {
|
||||||
variable "enable_features" {
|
variable "enable_features" {
|
||||||
description = "Flag to enable features on the solution."
|
description = "Flag to enable features on the solution."
|
||||||
type = object({
|
type = object({
|
||||||
encryption = optional(bool, false)
|
encryption = optional(bool, true)
|
||||||
log_sink = optional(bool, true)
|
log_sink = optional(bool, true)
|
||||||
vpc_sc = optional(bool, true)
|
vpc_sc = optional(bool, true)
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
encryption = false
|
encryption = true
|
||||||
log_sink = true
|
log_sink = true
|
||||||
vpc_sc = true
|
vpc_sc = true
|
||||||
}
|
}
|
||||||
|
|
|
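Review bot: Flipping the default to `encryption = optional(bool, true)` and `default = { encryption = true ... }` is the right secure-by-default choice for a shielded folder, and the two places were updated consistently, but it is a behaviour change for anyone who does not set `enable_features`: a re-apply will now create KMS key rings, keys and key IAM bindings (the test inventory in this commit gains `google_kms_key_ring`, `google_kms_crypto_key` and `google_kms_crypto_key_iam_member` entries). A one-word commit message ("Fixes") does not surface that; say so in the commit and README so users can opt out explicitly with `enable_features = { encryption = false }` if they rely on the old default.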
@ -1,13 +0,0 @@
|
||||||
data_dir = null
|
|
||||||
folder_create = {
|
|
||||||
display_name = "ShieldedMVP"
|
|
||||||
parent = "organizations/1054601055974"
|
|
||||||
}
|
|
||||||
organization = {
|
|
||||||
domain = "example.com"
|
|
||||||
id = "1122334455"
|
|
||||||
}
|
|
||||||
prefix = "prefix"
|
|
||||||
projects_create = {
|
|
||||||
billing_account_id = "123456-123456-123456"
|
|
||||||
}
|
|
|
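Review bot: Good to see this fixture go: it mixed a placeholder `organization.id = "1122334455"` with `parent = "organizations/1054601055974"`, which does not look like a placeholder, and the replacement fixture uses placeholder values throughout. Organization numbers are not secrets, but note the value remains in history. The removed file also set `data_dir = null` explicitly; the new fixture does not set it, so the `"data"` default from the variables table applies, and the test directory needs that folder present (or the variable set) for the run to succeed.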
@ -0,0 +1,20 @@
|
||||||
|
access_policy_config = {
|
||||||
|
access_policy_create = {
|
||||||
|
parent = "organizations/1234567890123"
|
||||||
|
title = "ShieldedMVP"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
folder_config = {
|
||||||
|
folder_create = {
|
||||||
|
display_name = "ShieldedMVP"
|
||||||
|
parent = "organizations/1234567890123"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
organization = {
|
||||||
|
domain = "example.com"
|
||||||
|
id = "1122334455"
|
||||||
|
}
|
||||||
|
prefix = "prefix"
|
||||||
|
project_config = {
|
||||||
|
billing_account_id = "123456-123456-123456"
|
||||||
|
}
|
|
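Review bot: `access_policy_create.parent` and `folder_create.parent` are `organizations/1234567890123` while `organization.id` is `1122334455` in the same fixture; use one organization number, otherwise a test with these values cannot detect code that wrongly derives the parent from `organization.id` (or vice versa). The file correctly uses `project_config`, which the README example in this commit misspells as `project_config_2`; align the README to this file. No `enable_features` override is set, so the new `encryption = true` default is what the inventory counts reflect.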
@ -136,16 +136,16 @@ counts:
|
||||||
google_bigquery_default_service_account: 1
|
google_bigquery_default_service_account: 1
|
||||||
google_folder: 2
|
google_folder: 2
|
||||||
google_folder_iam_binding: 2
|
google_folder_iam_binding: 2
|
||||||
|
google_kms_crypto_key: 3
|
||||||
|
google_kms_crypto_key_iam_member: 3
|
||||||
|
google_kms_key_ring: 2
|
||||||
google_logging_folder_sink: 2
|
google_logging_folder_sink: 2
|
||||||
google_project: 1
|
google_project: 2
|
||||||
google_project_iam_binding: 1
|
google_project_iam_binding: 2
|
||||||
google_project_service: 4
|
google_project_service: 7
|
||||||
google_project_service_identity: 1
|
google_project_service_identity: 2
|
||||||
google_projects: 1
|
google_projects: 1
|
||||||
google_storage_project_service_account: 1
|
google_storage_project_service_account: 1
|
||||||
modules: 5
|
modules: 8
|
||||||
resources: 21
|
resources: 52
|
||||||
|
|
||||||
outputs:
|
|
||||||
folders: __missing__
|
|
||||||
folders_sink_writer_identities: __missing__
|
|
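Review bot: The inventory drops the trailing `outputs:` block (`folders: __missing__`, `folders_sink_writer_identities: __missing__`) along with updating the counts; if the test format no longer records outputs that is fine, otherwise those lines should be kept so output regressions are still caught. `resources: 52` here versus `# tftest modules=8 resources=35` in the README example should be confirmed as coming from the same code revision with different inputs (the README example is missing the KMS-heavy defaults only if `project_config_2` is fixed), since `modules: 8` matches in both. The new `google_kms_*` entries are consistent with the `enable_features.encryption` default change in variables.tf.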