Fixes
This commit is contained in:
lcaggio
parent
1e4499c8ab
commit
d68bb4b320
|
|
@ -66,6 +66,6 @@ This [blueprint](./vertex-mlops/) implements the infrastructure required to have
|
|||
### Shielded Folder
|
||||
|
||||
<a href="./shielded-folder/" title="Shielded Folder"><img src="./shielded-folder/images/overview_diagram.png" align="left" width="280px"></a>
|
||||
This [blueprint](./shielded-folder/) implements an opinionated Folder configuration to implement GCP best practices. Configurations implemented on the folder would be beneficial to host Workloads inheriting constraints from the folder they belong to.
|
||||
This [blueprint](./shielded-folder/) implements an opinionated folder configuration according to GCP best practices. Configurations implemented on the folder would be beneficial to host workloads inheriting constraints from the folder they belong to.
|
||||
|
||||
<br clear="left">
|
||||
<br clear="left">
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
# Shielded folder
|
||||
|
||||
This blueprint implements an opinionated folder configuration to implement GCP best practices. Configurations implemented on the folder would be beneficial to host Workloads inheriting constraints from the folder they belong to.
|
||||
This blueprint implements an opinionated folder configuration according to GCP best practices. Configurations at the folder level would be beneficial to host workloads inheriting constraints from the folder they belong to.
|
||||
|
||||
In this blueprint, a folder will be created implementing the following features:
|
||||
In this blueprint, a folder will be created setting following features:
|
||||
|
||||
- Organizational policies
|
||||
- Hierarchical firewall rules
|
||||
|
|
@ -43,7 +43,7 @@ This separation into projects allows adhering to the least-privilege principle b
|
|||
|
||||
User groups provide a stable frame of reference that allows decoupling the final set of permissions from the stage where entities and resources are created, and their IAM bindings are defined.
|
||||
|
||||
We use three groups to control access to resources:
|
||||
We use groups to control access to resources:
|
||||
|
||||
- `data-engineers`: They handle and run workloads on the `workload` subfolder. They have editor access to all resources in the `workload` folder in order to troubleshoot possible issues within the workload. This team can also impersonate any service account in the workload folder.
|
||||
- `data-security`: They handle security configurations for the shielded folder. They have owner access to the `audit-log` and `sec-core` projects.
|
||||
|
|
@ -116,9 +116,9 @@ The shielded Folfer blueprint assumes [groups described](#user-groups) are creat
|
|||
|
||||
### Variable configuration PIPPO
|
||||
|
||||
There are three sets of variables you will need to fill in:
|
||||
There are several sets of variables you will need to fill in:
|
||||
|
||||
```hcl
|
||||
```tfvars
|
||||
access_policy_config = {
|
||||
access_policy_create = {
|
||||
parent = "organizations/1234567890123"
|
||||
|
|
@ -136,10 +136,9 @@ organization = {
|
|||
id = "1122334455"
|
||||
}
|
||||
prefix = "prefix"
|
||||
project_config_2 = {
|
||||
billing_account_id = "123456-123456-123456"
|
||||
project_config = {
|
||||
billing_account_id = "123456-123456-123456"
|
||||
}
|
||||
# tftest modules=8 resources=35
|
||||
```
|
||||
|
||||
### Deploying the blueprint
|
||||
|
|
@ -159,17 +158,17 @@ terraform apply
|
|||
| [access_policy_config](variables.tf#L17) | Provide 'access_policy_create' values if a folder scoped Access Policy creation is needed, uses existing 'policy_name' otherwise. Parent is in 'organizations/123456' format. Policy will be created scoped to the folder. | <code title="object({ policy_name = optional(string, null) access_policy_create = optional(object({ parent = string title = string }), null) })">object({…})</code> | ✓ | |
|
||||
| [folder_config](variables.tf#L49) | Provide 'folder_create' values if folder creation is needed, uses existing 'folder_id' otherwise. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ folder_id = optional(string, null) folder_create = optional(object({ display_name = string parent = string }), null) })">object({…})</code> | ✓ | |
|
||||
| [organization](variables.tf#L124) | Organization details. | <code title="object({ domain = string id = string })">object({…})</code> | ✓ | |
|
||||
| [prefix](variables.tf#L132) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | |
|
||||
| [project_config](variables.tf#L141) | Provide 'billing_account_id' value if project creation is needed, uses existing 'projects_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) project_ids = optional(object({ sec-core = string audit-logs = string }), { sec-core = "sec-core" audit-logs = "audit-logs" } ) })">object({…})</code> | ✓ | |
|
||||
| [prefix](variables.tf#L132) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| [project_config](variables.tf#L137) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) project_ids = optional(object({ sec-core = string audit-logs = string }), { sec-core = "sec-core" audit-logs = "audit-logs" } ) })">object({…})</code> | ✓ | |
|
||||
| [data_dir](variables.tf#L29) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data"</code> |
|
||||
| [enable_features](variables.tf#L35) | Flag to enable features on the solution. | <code title="object({ encryption = optional(bool, false) log_sink = optional(bool, true) vpc_sc = optional(bool, true) })">object({…})</code> | | <code title="{ encryption = false log_sink = true vpc_sc = true }">{…}</code> |
|
||||
| [groups](variables.tf#L61) | User groups. | <code title="object({ workload-engineers = optional(string, "gcp-data-engineers") workload-security = optional(string, "gcp-data-security") })">object({…})</code> | | <code>{}</code> |
|
||||
| [kms_keys](variables.tf#L71) | KMS keys to create, keyed by name. | <code title="map(object({ iam = optional(map(list(string)), {}) labels = optional(map(string), {}) locations = optional(list(string), ["global", "europe", "europe-west1"]) rotation_period = optional(string, "7776000s") }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [log_locations](variables.tf#L82) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "europe") storage = optional(string, "europe") logging = optional(string, "global") pubsub = optional(string, "global") })">object({…})</code> | | <code title="{ bq = "europe" storage = "europe" logging = "global" pubsub = null }">{…}</code> |
|
||||
| [log_sinks](variables.tf#L99) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> |
|
||||
| [vpc_sc_access_levels](variables.tf#L157) | VPC SC access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) })), []) description = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_sc_egress_policies](variables.tf#L186) | VPC SC egress policy defnitions. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_sc_ingress_policies](variables.tf#L206) | VPC SC ingress policy defnitions. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_sc_access_levels](variables.tf#L153) | VPC SC access level definitions. | <code title="map(object({ combining_function = optional(string) conditions = optional(list(object({ device_policy = optional(object({ allowed_device_management_levels = optional(list(string)) allowed_encryption_statuses = optional(list(string)) require_admin_approval = bool require_corp_owned = bool require_screen_lock = optional(bool) os_constraints = optional(list(object({ os_type = string minimum_version = optional(string) require_verified_chrome_os = optional(bool) }))) })) ip_subnetworks = optional(list(string), []) members = optional(list(string), []) negate = optional(bool) regions = optional(list(string), []) required_access_levels = optional(list(string), []) })), []) description = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_sc_egress_policies](variables.tf#L182) | VPC SC egress policy defnitions. | <code title="map(object({ from = object({ identity_type = optional(string, "ANY_IDENTITY") identities = optional(list(string)) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) resource_type_external = optional(bool, false) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_sc_ingress_policies](variables.tf#L202) | VPC SC ingress policy defnitions. | <code title="map(object({ from = object({ access_levels = optional(list(string), []) identity_type = optional(string) identities = optional(list(string)) resources = optional(list(string), []) }) to = object({ operations = optional(list(object({ method_selectors = optional(list(string)) service_name = string })), []) resources = optional(list(string)) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -35,12 +35,12 @@ variable "data_dir" {
|
|||
variable "enable_features" {
|
||||
description = "Flag to enable features on the solution."
|
||||
type = object({
|
||||
encryption = optional(bool, true)
|
||||
encryption = optional(bool, false)
|
||||
log_sink = optional(bool, true)
|
||||
vpc_sc = optional(bool, true)
|
||||
})
|
||||
default = {
|
||||
encryption = true
|
||||
encryption = false
|
||||
log_sink = true
|
||||
vpc_sc = true
|
||||
}
|
||||
|
|
@ -130,16 +130,12 @@ variable "organization" {
|
|||
}
|
||||
|
||||
variable "prefix" {
|
||||
description = "Prefix used for resources that need unique names. Use 9 characters or less."
|
||||
description = "Prefix used for resources that need unique names."
|
||||
type = string
|
||||
validation {
|
||||
condition = try(length(var.prefix), 0) < 10
|
||||
error_message = "Use a maximum of 9 characters for prefix."
|
||||
}
|
||||
}
|
||||
|
||||
variable "project_config" {
|
||||
description = "Provide 'billing_account_id' value if project creation is needed, uses existing 'projects_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
description = "Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
type = object({
|
||||
billing_account_id = optional(string, null)
|
||||
project_ids = optional(object({
|
||||
|
|
|
|||
|
|
@ -12,121 +12,22 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# values:
|
||||
# module.folder-workload.google_folder.folder[0]:
|
||||
# display_name: prefix-workload
|
||||
# timeouts: null
|
||||
# module.folder.google_bigquery_dataset_iam_member.bq-sinks-binding["audit-logs"]:
|
||||
# condition: []
|
||||
# role: roles/bigquery.dataEditor
|
||||
# module.folder.google_bigquery_dataset_iam_member.bq-sinks-binding["vpc-sc"]:
|
||||
# condition: []
|
||||
# role: roles/bigquery.dataEditor
|
||||
# module.folder.google_folder.folder[0]:
|
||||
# display_name: ShieldedMVP
|
||||
# parent: organizations/1054601055974
|
||||
# timeouts: null
|
||||
# module.folder.google_folder_iam_binding.authoritative["roles/editor"]:
|
||||
# condition: []
|
||||
# members:
|
||||
# - group:gcp-data-engineers@example.com
|
||||
# role: roles/editor
|
||||
# module.folder.google_logging_folder_sink.sink["audit-logs"]:
|
||||
# description: audit-logs (Terraform-managed).
|
||||
# disabled: false
|
||||
# exclusions: []
|
||||
# filter: logName:"/logs/cloudaudit.googleapis.com%2Factivity" OR logName:"/logs/cloudaudit.googleapis.com%2Fsystem_event"
|
||||
# include_children: true
|
||||
# name: audit-logs
|
||||
# module.folder.google_logging_folder_sink.sink["vpc-sc"]:
|
||||
# description: vpc-sc (Terraform-managed).
|
||||
# disabled: false
|
||||
# exclusions: []
|
||||
# filter: protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
|
||||
# include_children: true
|
||||
# name: vpc-sc
|
||||
# module.log-export-dataset[0].google_bigquery_dataset.default:
|
||||
# dataset_id: prefix_audit_export
|
||||
# default_encryption_configuration:
|
||||
# - kms_key_name: 'false'
|
||||
# default_partition_expiration_ms: null
|
||||
# default_table_expiration_ms: null
|
||||
# delete_contents_on_destroy: false
|
||||
# description: Terraform managed.
|
||||
# friendly_name: Audit logs export.
|
||||
# location: EU
|
||||
# max_time_travel_hours: null
|
||||
# project: prefix-audit-logs
|
||||
# timeouts: null
|
||||
# module.log-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
|
||||
# project: prefix-audit-logs
|
||||
# module.log-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
|
||||
# project: prefix-audit-logs
|
||||
# user_project: null
|
||||
# module.log-export-project[0].google_project.project[0]:
|
||||
# auto_create_network: false
|
||||
# billing_account: 123456-123456-123456
|
||||
# labels: null
|
||||
# name: prefix-audit-logs
|
||||
# project_id: prefix-audit-logs
|
||||
# skip_delete: false
|
||||
# timeouts: null
|
||||
# module.log-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
|
||||
# disable_dependent_services: false
|
||||
# disable_on_destroy: false
|
||||
# project: prefix-audit-logs
|
||||
# service: bigquery.googleapis.com
|
||||
# timeouts: null
|
||||
# module.log-export-project[0].google_project_service.project_services["pubsub.googleapis.com"]:
|
||||
# disable_dependent_services: false
|
||||
# disable_on_destroy: false
|
||||
# project: prefix-audit-logs
|
||||
# service: pubsub.googleapis.com
|
||||
# timeouts: null
|
||||
# module.log-export-project[0].google_project_service.project_services["stackdriver.googleapis.com"]:
|
||||
# disable_dependent_services: false
|
||||
# disable_on_destroy: false
|
||||
# project: prefix-audit-logs
|
||||
# service: stackdriver.googleapis.com
|
||||
# timeouts: null
|
||||
# module.log-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
|
||||
# disable_dependent_services: false
|
||||
# disable_on_destroy: false
|
||||
# project: prefix-audit-logs
|
||||
# service: storage.googleapis.com
|
||||
# timeouts: null
|
||||
# module.log-export-project[0].google_project_service_identity.jit_si["pubsub.googleapis.com"]:
|
||||
# project: prefix-audit-logs
|
||||
# service: pubsub.googleapis.com
|
||||
# timeouts: null
|
||||
# module.vpc-sc[0].google_access_context_manager_access_policy.default[0]:
|
||||
# parent: organizations/1122334455
|
||||
# timeouts: null
|
||||
# title: shielded-folder
|
||||
# module.vpc-sc[0].google_access_context_manager_service_perimeter.regular["shielded"]:
|
||||
# description: null
|
||||
# perimeter_type: PERIMETER_TYPE_REGULAR
|
||||
# spec:
|
||||
# - access_levels: []
|
||||
# egress_policies: []
|
||||
# ingress_policies:
|
||||
# - ingress_from:
|
||||
# - identity_type: null
|
||||
# sources:
|
||||
# - access_level: '*'
|
||||
# resource: null
|
||||
# ingress_to:
|
||||
# - operations:
|
||||
# - method_selectors: []
|
||||
# service_name: '*'
|
||||
# restricted_services: null
|
||||
# vpc_accessible_services:
|
||||
# - allowed_services: null
|
||||
# enable_restriction: true
|
||||
# status: []
|
||||
# timeouts: null
|
||||
# title: shielded
|
||||
# use_explicit_dry_run_spec: true
|
||||
values:
|
||||
module.folder.google_compute_firewall_policy.policy["prefix-fw-policy"]:
|
||||
short_name: prefix-fw-policy
|
||||
module.folder.google_folder.folder[0]:
|
||||
display_name: ShieldedMVP
|
||||
parent: organizations/1234567890123
|
||||
module.log-export-project[0].google_project.project[0]:
|
||||
billing_account: 123456-123456-123456
|
||||
project_id: prefix-audit-logs
|
||||
module.vpc-sc[0].google_access_context_manager_access_policy.default[0]:
|
||||
parent: organizations/1122334455
|
||||
title: shielded-folder
|
||||
module.vpc-sc[0].google_access_context_manager_service_perimeter.regular["shielded"]:
|
||||
description: null
|
||||
perimeter_type: PERIMETER_TYPE_REGULAR
|
||||
title: shielded
|
||||
|
||||
counts:
|
||||
google_access_context_manager_access_policy: 1
|
||||
|
|
@ -134,18 +35,17 @@ counts:
|
|||
google_bigquery_dataset: 1
|
||||
google_bigquery_dataset_iam_member: 2
|
||||
google_bigquery_default_service_account: 1
|
||||
google_compute_firewall_policy: 1
|
||||
google_compute_firewall_policy_rule: 4
|
||||
google_folder: 2
|
||||
google_folder_iam_binding: 2
|
||||
google_kms_crypto_key: 3
|
||||
google_kms_crypto_key_iam_member: 3
|
||||
google_kms_key_ring: 2
|
||||
google_logging_folder_sink: 2
|
||||
google_project: 2
|
||||
google_project_iam_binding: 2
|
||||
google_project_service: 7
|
||||
google_project_service_identity: 2
|
||||
google_org_policy_policy: 12
|
||||
google_project: 1
|
||||
google_project_iam_binding: 1
|
||||
google_project_service: 4
|
||||
google_project_service_identity: 1
|
||||
google_projects: 1
|
||||
google_storage_project_service_account: 1
|
||||
modules: 8
|
||||
resources: 52
|
||||
|
||||
modules: 5
|
||||
resources: 38
|
||||
|
|
|
|||
Loading…
Reference in New Issue