From 747ebc6f39ede729654ba366c2a21412d6396de4 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Thu, 3 Nov 2022 13:07:27 +0100
Subject: [PATCH 1/2] Use org policy factory for resman stage

---
 fast/stages/01-resman/README.md | 19 ++---
 .../01-resman/data/org-policies/compute.yaml | 73 +++++++++++++++++++
 .../01-resman/data/org-policies/iam.yaml | 12 +++
 .../data/org-policies/serverless.yaml | 21 ++++++
 .../01-resman/data/org-policies/sql.yaml | 9 +++
 .../01-resman/data/org-policies/storage.yaml | 6 ++
 fast/stages/01-resman/organization.tf | 42 ++---------
 fast/stages/01-resman/variables.tf | 6 ++
 8 files changed, 143 insertions(+), 45 deletions(-)
 create mode 100644 fast/stages/01-resman/data/org-policies/compute.yaml
 create mode 100644 fast/stages/01-resman/data/org-policies/iam.yaml
 create mode 100644 fast/stages/01-resman/data/org-policies/serverless.yaml
 create mode 100644 fast/stages/01-resman/data/org-policies/sql.yaml
 create mode 100644 fast/stages/01-resman/data/org-policies/storage.yaml

diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index dbeb8afb..52e73c55 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -182,17 +182,18 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 00-bootstrap |
 | [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). | object({…}) | ✓ | | 00-bootstrap |
-| [organization](variables.tf#L191) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
-| [prefix](variables.tf#L215) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
+| [organization](variables.tf#L197) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
+| [prefix](variables.tf#L221) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
 | [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
 | [custom_roles](variables.tf#L129) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 00-bootstrap |
-| [fast_features](variables.tf#L138) | Selective control for top-level FAST features. | object({…}) | | {…} | 00-bootstrap |
-| [groups](variables.tf#L158) | Group names to grant organization-level permissions. | map(string) | | {…} | 00-bootstrap |
-| [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | 00-bootstrap |
-| [organization_policy_configs](variables.tf#L201) | Organization policies customization. | object({…}) | | null | |
-| [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. 
Leave null to disable | string | | null | |
-| [tag_names](variables.tf#L226) | Customized names for resource management tags. | object({…}) | | {…} | |
-| [team_folders](variables.tf#L243) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | |
+| [data_dir](variables.tf#L138) | Relative path for the folder storing configuration data. | string | | "data" | |
+| [fast_features](variables.tf#L144) | Selective control for top-level FAST features. | object({…}) | | {…} | 00-bootstrap |
+| [groups](variables.tf#L164) | Group names to grant organization-level permissions. | map(string) | | {…} | 00-bootstrap |
+| [locations](variables.tf#L179) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | 00-bootstrap |
+| [organization_policy_configs](variables.tf#L207) | Organization policies customization. | object({…}) | | null | |
+| [outputs_location](variables.tf#L215) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string | | null | |
+| [tag_names](variables.tf#L232) | Customized names for resource management tags. | object({…}) | | {…} | |
+| [team_folders](variables.tf#L249) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | |
 
 ## Outputs
 
diff --git a/fast/stages/01-resman/data/org-policies/compute.yaml b/fast/stages/01-resman/data/org-policies/compute.yaml
new file mode 100644
index 00000000..0d27ac42
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/compute.yaml
@@ -0,0 +1,73 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+compute.disableGuestAttributesAccess:
+ enforce: true
+
+compute.requireOsLogin:
+ enforce: true
+
+compute.restrictLoadBalancerCreationForTypes:
+ allow:
+ values:
+ - in:INTERNAL
+
+compute.skipDefaultNetworkCreation:
+ enforce: true
+
+compute.vmExternalIpAccess:
+ deny:
+ all: true
+
+
+# compute.disableInternetNetworkEndpointGroup:
+# enforce: true
+
+# compute.disableNestedVirtualization:
+# enforce: true
+
+# compute.disableSerialPortAccess:
+# enforce: true
+
+# compute.restrictCloudNATUsage:
+# deny:
+# all: true
+
+# compute.restrictDedicatedInterconnectUsage:
+# deny:
+# all: true
+
+# compute.restrictPartnerInterconnectUsage:
+# deny:
+# all: true
+
+# compute.restrictProtocolForwardingCreationForTypes:
+# deny:
+# all: true
+
+# compute.restrictSharedVpcHostProjects:
+# deny:
+# all: true
+
+# compute.restrictSharedVpcSubnetworks:
+# deny:
+# all: true
+
+# compute.restrictVpcPeering:
+# deny:
+# all: true
+
+# compute.restrictVpnPeerIPs:
+# deny:
+# all: true
+
+# compute.restrictXpnProjectLienRemoval:
+# enforce: true
+
+# compute.setNewProjectDefaultToZonalDNSOnly:
+# enforce: true
+
+# compute.vmCanIpForward:
+# deny:
+# all: true
diff --git a/fast/stages/01-resman/data/org-policies/iam.yaml b/fast/stages/01-resman/data/org-policies/iam.yaml
new file mode 100644
index 00000000..4d83f827
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/iam.yaml
@@ -0,0 +1,12 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+iam.automaticIamGrantsForDefaultServiceAccounts:
+ enforce: true
+
+iam.disableServiceAccountKeyCreation:
+ enforce: true
+
+iam.disableServiceAccountKeyUpload:
+ enforce: true
diff --git a/fast/stages/01-resman/data/org-policies/serverless.yaml b/fast/stages/01-resman/data/org-policies/serverless.yaml
new file mode 100644
index 00000000..d0eb19d8
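Review bot: The header of compute.yaml does not say how this file relates to the `org_policies` map that organization.tf still sets inline, so a reader cannot tell what happens when the same constraint is defined in both places (the organization.tf hunk keeps `iam.allowedPolicyMemberDomains` inline while everything else moves to these files). Whether the organization module merges the two sources or lets one override the other is not visible in this patch, and that is exactly the kind of ambiguity that leads to a policy silently not being enforced. I would add, once confirmed against the module, `# loaded via org_policies_data_path and combined with the inline org_policies map in organization.tf; do not define the same constraint in both places`. The existing `sample subset ... edit to suit requirements` line is also the only hint that this file is now the live policy set for the whole organization, which deserves a sentence of its own.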
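Review bot: iam.yaml drops `iam.allowedPolicyMemberDomains`, which the old inline map also set, without a pointer to where it went; the organization.tf hunk keeps it inline because its value is `local.all_drs_domains`, which a static YAML file cannot express. Without that note the next person who reads this file as "the IAM policy set" will either assume domain restriction is gone or add it here a second time. A one-line comment settles it: `# iam.allowedPolicyMemberDomains stays in organization.tf: its value comes from local.all_drs_domains`.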
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/serverless.yaml
@@ -0,0 +1,21 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+run.allowedIngress:
+ allow:
+ values:
+ - is:internal
+
+# cloudfunctions.allowedIngressSettings:
+# allow:
+# values:
+# - is:ALLOW_INTERNAL_ONLY
+
+# cloudfunctions.allowedVpcConnectorEgressSettings:
+# allow:
+# values:
+# - is:PRIVATE_RANGES_ONLY
+
+# cloudfunctions.requireVPCConnector:
+# enforce: true
diff --git a/fast/stages/01-resman/data/org-policies/sql.yaml b/fast/stages/01-resman/data/org-policies/sql.yaml
new file mode 100644
index 00000000..88b84d9d
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/sql.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+sql.restrictAuthorizedNetworks:
+ enforce: true
+
+sql.restrictPublicIp:
+ enforce: true
diff --git a/fast/stages/01-resman/data/org-policies/storage.yaml b/fast/stages/01-resman/data/org-policies/storage.yaml
new file mode 100644
index 00000000..6c0a673f
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/storage.yaml
@@ -0,0 +1,6 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+storage.uniformBucketLevelAccess:
+ enforce: true
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 40a789ee..34927c15 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -66,44 +66,12 @@ module "organization" {
 )
 } : {}
 )
- # sample subset of useful organization policies, edit to suit requirements
+ # sample subset of useful organization policies, edit to suit requirements
 org_policies = {
- "compute.disableGuestAttributesAccess" = { enforce = true }
- "compute.requireOsLogin" = { enforce = true }
- "compute.restrictLoadBalancerCreationForTypes" = { allow = { values = ["in:INTERNAL"] } }
- "compute.skipDefaultNetworkCreation" = { enforce = true }
- "compute.vmExternalIpAccess" = { deny = { all = true } }
- "iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
- "iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
- "iam.disableServiceAccountKeyCreation" = { enforce = true }
- "iam.disableServiceAccountKeyUpload" = { enforce = true }
- "run.allowedIngress" = { allow = { values = ["is:internal"] } }
- "sql.restrictAuthorizedNetworks" = { enforce = true }
- "sql.restrictPublicIp" = { enforce = true }
- "storage.uniformBucketLevelAccess" = { enforce = true }
- # "cloudfunctions.allowedIngressSettings" = {
- # allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
- # }
- # "cloudfunctions.allowedVpcConnectorEgressSettings" = {
- # allow = { values = ["is:PRIVATE_RANGES_ONLY"] }
- # }
- # "cloudfunctions.requireVPCConnector" = { enforce = true }
- # "compute.disableInternetNetworkEndpointGroup" = { enforce = true }
- # "compute.disableNestedVirtualization" = { enforce = true }
- # "compute.disableSerialPortAccess" = { enforce = true }
- # "compute.restrictCloudNATUsage" = { deny = { all = true }}
- # "compute.restrictDedicatedInterconnectUsage" = { deny = { all = true }}
- # "compute.restrictPartnerInterconnectUsage" = { deny = { all = true }}
- # "compute.restrictProtocolForwardingCreationForTypes" = { deny = { all = true }}
- # "compute.restrictSharedVpcHostProjects" = { deny = { all = true }}
- # "compute.restrictSharedVpcSubnetworks" = { deny = { all = true }}
- # 
"compute.restrictVpcPeering" = { deny = { all = true }} - # "compute.restrictVpnPeerIPs" = { deny = { all = true }} - # "compute.restrictXpnProjectLienRemoval" = { enforce = true } - # "compute.setNewProjectDefaultToZonalDNSOnly" = { enforce = true } - # "compute.vmCanIpForward" = { deny = { all = true }} - # "gcp.resourceLocations" = { + "iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } } + + #"gcp.resourceLocations" = { # allow = { values = local.allowed_regions } # } # "iam.workloadIdentityPoolProviders" = { @@ -116,6 +84,8 @@ module "organization" { # } # "run.allowedVPCEgress" = { allow = { values = ["is:private-ranges-only"] } } } + org_policies_data_path = "${var.data_dir}/org-policies" + tags = { (var.tag_names.context) = { description = "Resource management context." diff --git a/fast/stages/01-resman/variables.tf b/fast/stages/01-resman/variables.tf index 8da86967..6de9a7fa 100644 --- a/fast/stages/01-resman/variables.tf +++ b/fast/stages/01-resman/variables.tf @@ -135,6 +135,12 @@ variable "custom_roles" { default = null } +variable "data_dir" { + description = "Relative path for the folder storing configuration data." + type = string + default = "data" +} + variable "fast_features" { # tfdoc:variable:source 00-bootstrap description = "Selective control for top-level FAST features." From 8a20a14a0df331bf034a82b5f0b8074a4976729b Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Thu, 3 Nov 2022 14:50:53 +0100 Subject: [PATCH 2/2] Move policy to serverless.yaml --- fast/stages/01-resman/data/org-policies/serverless.yaml | 5 +++++ fast/stages/01-resman/organization.tf | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/fast/stages/01-resman/data/org-policies/serverless.yaml b/fast/stages/01-resman/data/org-policies/serverless.yaml index d0eb19d8..de62e6c7 100644 --- a/fast/stages/01-resman/data/org-policies/serverless.yaml +++ b/fast/stages/01-resman/data/org-policies/serverless.yaml 
@@ -7,6 +7,11 @@ run.allowedIngress:
 values:
 - is:internal
 
+# run.allowedVPCEgress:
+# allow:
+# values:
+# - is:private-ranges-only
+
 # cloudfunctions.allowedIngressSettings:
 # allow:
 # values:
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 34927c15..7ecf7952 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -82,7 +82,6 @@ module "organization" {
 # ]
 # }
 # }
- # "run.allowedVPCEgress" = { allow = { values = ["is:private-ranges-only"] } }
 }
 org_policies_data_path = "${var.data_dir}/org-policies"