From 4567b788a21d09f521ee1d7082c674174fe2c5e8 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Tue, 8 Feb 2022 11:31:39 +0100 Subject: [PATCH 1/5] add org policy role to cloud admins --- fast/stages/00-bootstrap/IAM.md | 2 +- fast/stages/00-bootstrap/organization.tf | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/fast/stages/00-bootstrap/IAM.md b/fast/stages/00-bootstrap/IAM.md index 1daaeee0..3d4fdbc5 100644 --- a/fast/stages/00-bootstrap/IAM.md +++ b/fast/stages/00-bootstrap/IAM.md @@ -8,7 +8,7 @@ Legend: + additive, conditional. |---|---| |
domain|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser)
[roles/resourcemanager.organizationViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationViewer) | |gcp-network-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +| -|gcp-organization-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin)
[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin)
[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +| +|gcp-organization-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin)
[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin)
[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| |gcp-security-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin)
[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| |gcp-support
group|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)
[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) | |prod-bootstrap-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +|
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index 5b8539f6..ea2e4cef 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -62,7 +62,8 @@ locals {
 ]
 "roles/orgpolicy.policyAdmin" = [
 module.automation-tf-resman-sa.iam_email,
- local.groups_iam.gcp-security-admins
+ local.groups_iam.gcp-security-admins,
+ local.groups_iam.gcp-organization-admins
 ]
 },
 local.billing_org ? {
From 02dc9de9b0ea2b2630191f45f546ad443a52420e Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 8 Feb 2022 13:26:44 +0100
Subject: [PATCH 2/5] make it simpler to switch from/ry run mode (#524)
---
 fast/stages/02-security/vpc-sc.tf | 194 +++++++++++++++---------
 1 file changed, 100 insertions(+), 94 deletions(-)
diff --git a/fast/stages/02-security/vpc-sc.tf b/fast/stages/02-security/vpc-sc.tf
index 855dc1dd..45b99ce2 100644
--- a/fast/stages/02-security/vpc-sc.tf
+++ b/fast/stages/02-security/vpc-sc.tf
@@ -15,14 +15,8 @@
 */
 locals {
- # compute the number of projects in each perimeter to detect which to create
- vpc_sc_counts = {
- for k in ["dev", "landing", "prod"] : k => length(
- coalesce(try(var.vpc_sc_perimeter_projects[k], null), [])
- )
- }
 # dereference perimeter egress policy names to the actual objects
- vpc_sc_perimeter_egress_policies = {
+ _vpc_sc_perimeter_egress_policies = {
 for k, v in coalesce(var.vpc_sc_perimeter_egress_policies, {}) : k => [
 for i in coalesce(v, []) : var.vpc_sc_egress_policies[i]
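Review bot: Adding `local.groups_iam.gcp-organization-admins` to the `roles/orgpolicy.policyAdmin` binding gives a group that IAM.md in this same patch already lists with roles/owner and roles/resourcemanager.organizationAdmin the ability to relax or remove organization policy constraints as well, so IAM administration and org-policy administration are no longer held by separate groups (before this change only gcp-security-admins and the resman automation service account held the role). If that widening is intended, make it visible at the binding rather than only in the generated table, e.g. `# org admins may also edit org policies; security admins remain the primary holders`, so anyone auditing this block sees it was deliberate. The enclosing `locals {` block starts and ends outside the hunk, so whether this list is applied additively (as the `+` legend in IAM.md suggests) or authoritatively cannot be confirmed from here.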
@@ -30,15 +24,92 @@ locals {
 ]
 }
 # dereference perimeter ingress policy names to the actual objects
- vpc_sc_perimeter_ingress_policies = {
+ _vpc_sc_perimeter_ingress_policies = {
 for k, v in coalesce(var.vpc_sc_perimeter_ingress_policies, {}) : k => [
 for i in coalesce(v, []) : var.vpc_sc_ingress_policies[i]
 if lookup(var.vpc_sc_ingress_policies, i, null) != null
 ]
 }
+ # compute the number of projects in each perimeter to detect which to create
+ vpc_sc_counts = {
+ for k in ["dev", "landing", "prod"] : k => length(
+ coalesce(try(var.vpc_sc_perimeter_projects[k], null), [])
+ )
+ }
+ # define dry run spec at file level for convenience
+ vpc_sc_explicit_dry_run_spec = false
+ # compute perimeter bridge resources (projects)
+ vpc_sc_p_bridge_resources = {
+ landing_to_dev = concat(
+ var.vpc_sc_perimeter_projects.landing,
+ var.vpc_sc_perimeter_projects.dev
+ )
+ landing_to_prod = concat(
+ var.vpc_sc_perimeter_projects.landing,
+ var.vpc_sc_perimeter_projects.prod
+ )
+ }
+ # computer perimeter regular specs / status
+ vpc_sc_p_regular_specs = {
+ dev = {
+ access_levels = coalesce(
+ try(var.vpc_sc_perimeter_access_levels.dev, null), []
+ )
+ resources = var.vpc_sc_perimeter_projects.dev
+ restricted_services = local.vpc_sc_restricted_services
+ egress_policies = try(
+ local._vpc_sc_perimeter_egress_policies.dev, null
+ )
+ ingress_policies = try(
+ local._vpc_sc_perimeter_ingress_policies.dev, null
+ )
+ vpc_accessible_services = null
+ # vpc_accessible_services = {
+ # allowed_services = ["RESTRICTED-SERVICES"]
+ # enable_restriction = true
+ # }
+ }
+ landing = {
+ access_levels = coalesce(
+ try(var.vpc_sc_perimeter_access_levels.landing, null), []
+ )
+ resources = var.vpc_sc_perimeter_projects.landing
+ restricted_services = local.vpc_sc_restricted_services
+ egress_policies = try(
+ local._vpc_sc_perimeter_egress_policies.landing, null
+ )
+ ingress_policies = try(
+ local._vpc_sc_perimeter_ingress_policies.landing, null
+ )
+ vpc_accessible_services = null
+ # vpc_accessible_services = {
+ # allowed_services = ["RESTRICTED-SERVICES"]
+ # enable_restriction = true
+ # }
+ }
+ prod = {
+ access_levels = coalesce(
+ try(var.vpc_sc_perimeter_access_levels.prod, null), []
+ )
+ # combine the security project, and any specified in the variable
+ resources = var.vpc_sc_perimeter_projects.prod
+ restricted_services = local.vpc_sc_restricted_services
+ egress_policies = try(
+ local._vpc_sc_perimeter_egress_policies.prod, null
+ )
+ ingress_policies = try(
+ local._vpc_sc_perimeter_ingress_policies.prod, null
+ )
+ vpc_accessible_services = null
+ # vpc_accessible_services = {
+ # allowed_services = ["RESTRICTED-SERVICES"]
+ # enable_restriction = true
+ # }
+ }
+ }
 # get the list of restricted services from the yaml file
- vpcsc_restricted_services = yamldecode(
+ vpc_sc_restricted_services = yamldecode(
 file("${path.module}/vpc-sc-restricted-services.yaml")
 )
 }
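Review bot: `vpc_sc_explicit_dry_run_spec = false` silently moves every perimeter and bridge out of dry-run mode: the lines this patch removes in the bridge and perimeter hunks below all had `use_explicit_dry_run_spec = true`, and the `spec`/`status = null` pairing that those hunks keep was written for dry-run, so the refactor changes enforcement behaviour while describing itself as a simplification. PATCH 3/5 in this series restores `true`, but the refactor also drops the old `# set to null and switch spec and status above to enforce` comment, so nothing in the new locals says that enforcing also requires moving the spec into status; suggest `# set to false and move each spec into status to enforce the perimeters` on this local. A smaller point: `concat(var.vpc_sc_perimeter_projects.landing, ...)` in `vpc_sc_p_bridge_resources` is now evaluated unconditionally instead of behind the count check, so if a key may be absent or null (which the `try()` in `vpc_sc_counts` suggests) the plan fails instead of skipping the bridge; `coalesce(try(var.vpc_sc_perimeter_projects.landing, null), [])` would keep the previous tolerance. The enclosing `locals {` block opens outside the hunk.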
@@ -58,24 +129,17 @@ module "vpc-sc" {
 # landing to dev, only we have projects in landing and dev perimeters
 local.vpc_sc_counts.landing * local.vpc_sc_counts.dev == 0 ? {} : {
 landing_to_dev = {
- status_resources = null
- spec_resources = concat(
- var.vpc_sc_perimeter_projects.landing,
- var.vpc_sc_perimeter_projects.dev
- )
- use_explicit_dry_run_spec = true
+ spec_resources = local.vpc_sc_p_bridge_resources.landing_to_dev
+ status_resources = null
+ use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
 }
 },
 # landing to prod, only we have projects in landing and prod perimeters
 local.vpc_sc_counts.landing * local.vpc_sc_counts.prod == 0 ? {} : {
 landing_to_prod = {
- status_resources = null
- spec_resources = concat(
- var.vpc_sc_perimeter_projects.landing,
- var.vpc_sc_perimeter_projects.prod
- )
- # set to null and switch spec and status above to enforce
- use_explicit_dry_run_spec = true
+ spec_resources = local.vpc_sc_p_bridge_resources.landing_to_prod
+ status_resources = null
+ use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
 }
 }
 )
@@ -84,84 +148,26 @@ module "vpc-sc" {
 # dev if we have projects in var.vpc_sc_perimeter_projects.dev
 local.vpc_sc_counts.dev == 0 ? {} : {
 dev = {
- spec = {
- access_levels = coalesce(
- try(var.vpc_sc_perimeter_access_levels.dev, null), []
- )
- resources = var.vpc_sc_perimeter_projects.dev
- restricted_services = local.vpcsc_restricted_services
- egress_policies = try(
- local.vpc_sc_perimeter_egress_policies.dev, null
- )
- ingress_policies = try(
- local.vpc_sc_perimeter_ingress_policies.dev, null
- )
- # replace with commented block to enable vpc restrictions
- vpc_accessible_services = null
- # vpc_accessible_services = {
- # allowed_services = ["RESTRICTED-SERVICES"]
- # enable_restriction = true
- # }
- }
- status = null
- # set to null and switch spec and status above to enforce
- use_explicit_dry_run_spec = true
+ spec = local.vpc_sc_p_regular_specs.dev
+ status = null
+ use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
+ }
+ },
+ # landing if we have projects in var.vpc_sc_perimeter_projects.landing
+ local.vpc_sc_counts.landing == 0 ? {} : {
+ landing = {
+ spec = local.vpc_sc_p_regular_specs.landing
+ status = null
+ use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
 }
 },
 # prod if we have projects in var.vpc_sc_perimeter_projects.prod
 local.vpc_sc_counts.prod == 0 ? {} : {
 prod = {
- spec = {
- access_levels = coalesce(
- try(var.vpc_sc_perimeter_access_levels.prod, null), []
- )
- # combine the security project, and any specified in the variable
- resources = var.vpc_sc_perimeter_projects.prod
- restricted_services = local.vpcsc_restricted_services
- egress_policies = try(
- local.vpc_sc_perimeter_egress_policies.prod, null
- )
- ingress_policies = try(
- local.vpc_sc_perimeter_ingress_policies.prod, null
- )
- # replace with commented block to enable vpc restrictions
- vpc_accessible_services = null
- # vpc_accessible_services = {
- # allowed_services = ["RESTRICTED-SERVICES"]
- # enable_restriction = true
- # }
- }
- status = null
- # set to null and switch spec and status above to enforce
- use_explicit_dry_run_spec = true
+ spec = local.vpc_sc_p_regular_specs.prod
+ status = null
+ use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
 }
 },
- # prod if we have projects in var.vpc_sc_perimeter_projects.prod
- local.vpc_sc_counts.landing == 0 ? {} : {
- landing = {
- spec = {
- access_levels = coalesce(
- try(var.vpc_sc_perimeter_access_levels.landing, null), []
- )
- resources = var.vpc_sc_perimeter_projects.landing
- restricted_services = local.vpcsc_restricted_services
- egress_policies = try(
- local.vpc_sc_perimeter_egress_policies.landing, null
- )
- ingress_policies = try(
- local.vpc_sc_perimeter_ingress_policies.landing, null
- )
- # replace with commented block to enable vpc restrictions
- vpc_accessible_services = null
- # vpc_accessible_services = {
- # allowed_services = ["RESTRICTED-SERVICES"]
- # enable_restriction = true
- # }
- }
- status = null
- # set to null and switch spec and status above to enforce
- use_explicit_dry_run_spec = true
- }
- }
 )
 }
From d21304267b8436654fba9f7d1addcb259ff076c5 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 8 Feb 2022 13:43:37 +0100
Subject: [PATCH 3/5] revert dry-run to true as default
---
 fast/stages/02-security/vpc-sc.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fast/stages/02-security/vpc-sc.tf b/fast/stages/02-security/vpc-sc.tf
index 45b99ce2..b3125541 100644
--- a/fast/stages/02-security/vpc-sc.tf
+++ b/fast/stages/02-security/vpc-sc.tf
@@ -38,7 +38,7 @@ locals {
 )
 }
 # define dry run spec at file level for convenience
- vpc_sc_explicit_dry_run_spec = false
+ vpc_sc_explicit_dry_run_spec = true
 # compute perimeter bridge resources (projects)
 vpc_sc_p_bridge_resources = {
 landing_to_dev = concat(
From 085142f07d7ba60d84062460979dc013bc201765 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Tue, 8 Feb 2022 15:24:40 +0100
Subject: [PATCH 4/5] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e6f53c1..f48fd653 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file.
 - refactor project module in multiple files
 - add support for per-file option overrides to tfdoc
 - the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources
+- new `iot-core` module
 ## [12.0.0] - 2022-01-11
From 9b746f00cc2978518a0358901f08ea906661467e Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Tue, 8 Feb 2022 15:25:15 +0100
Subject: [PATCH 5/5] Update CHANGELOG.md
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f48fd653..4361e8e9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file.
 - **incompatible change** removed `iam` key from logging sink configuration in the `project` and `organization` modules
 - remove GCS to BQ with Dataflow example, replace by GCS to BQ with least privileges
+- the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources
+- new `iot-core` module
 ## [13.0.0] - 2022-01-27
@@ -17,8 +19,6 @@ All notable changes to this project will be documented in this file.
 - support service dependencies for crypto key bindings in project module
 - refactor project module in multiple files
 - add support for per-file option overrides to tfdoc
-- the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources
-- new `iot-core` module
 ## [12.0.0] - 2022-01-11