24 KiB

Raw Permalink Blame History

Shared security resources

This stage sets up security resources and configurations which impact the whole organization, or are shared across the hierarchy to other projects and teams.

The design of this stage is fairly general, and provides a reference example for Cloud KMS and a VPC Service Controls configuration that sets up three perimeters (landing, development, production), their related bridge perimeters, and provides variables to configure their resources, access levels, and directional policies.

Expanding this stage to include other security-related services like Secret Manager, is fairly simple by using the provided implementation for Cloud KMS, and leveraging the broad permissions on the top-level Security folder of the automation service account used.

The following diagram illustrates the high-level design of created resources and a schema of the VPC SC design, which can be adapted to specific requirements via variables:

Security diagram

Design overview and choices
- Cloud KMS
- VPC Service Controls
How to run this stage
Customizations
- KMS keys
- VPC Service Controls configuration

Design overview and choices

Project-level security resources are grouped into two separate projects, one per environment. This setup matches requirements we frequently observe in real life and provides enough separation without needlessly complicating operations.

Cloud KMS is configured and designed mainly to encrypt GCP resources with a Customer-managed encryption key but it may be used to create cryptokeys used to encrypt application data too.

IAM for management-related operations is already assigned at the folder level to the security team by the previous stage, but more granularity can be added here at the project level, to grant control of separate services across environments to different actors.

Cloud KMS

A reference Cloud KMS implementation is part of this stage, to provide a simple way of managing centralized keys, that are then shared and consumed widely across the organization to enable customer-managed encryption. The implementation is also easy to clone and modify to support other services like Secret Manager.

The Cloud KMS configuration allows defining keys by name (typically matching the downstream service that uses them) in different locations. It then takes care internally of provisioning the relevant keyrings and creating keys in the appropriate location.

IAM roles on keys can be configured at the logical level for all locations where a logical key is created. Their management can also be delegated via delegated role grants exposed through a simple variable, to allow other identities to set IAM policies on keys. This is particularly useful in setups like project factories, making it possible to configure IAM bindings during project creation for team groups or service agent accounts (compute, storage, etc.).

VPC Service Controls

This stage also provisions the VPC Service Controls configuration on demand for the whole organization, implementing the straightforward design illustrated above:

one perimeter for each environment
one perimeter for centralized services and the landing VPC
bridge perimeters to connect the landing perimeter to each environment

The VPC SC configuration is set to dry-run mode, but switching to enforced mode is a simple operation involving modifying a few lines of code highlighted by ad-hoc comments. Variables are designed to enable easy centralized management of VPC Service Controls, including access levels and ingress/egress rules as described below.

Some care needs to be taken with project membership in perimeters, which can only be implemented here instead of being delegated (all or partially) to different stages, until the Google Provider feature request allowing using project-level association for both enforced and dry-run modes is implemented.

How to run this stage

This stage is meant to be executed after the resource management stage has run, as it leverages the automation service account and bucket created there, and additional resources configured in the bootstrap stage.

It's of course possible to run this stage in isolation, but that's outside the scope of this document, and you would need to refer to the code for the previous stages for the environmental requirements.

Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration.

Provider and Terraform variables

As all other FAST stages, the mechanism used to pass variable values and pre-built provider files from one stage to the next is also leveraged here.

The commands to link or copy the provider and terraform variable files can be easily derived from the stage-links.sh script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run.

../../stage-links.sh ~/fast-config

# copy and paste the following commands for '2-security'

ln -s ~/fast-config/providers/2-security-providers.tf ./
ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./

../../stage-links.sh gs://xxx-prod-iac-core-outputs-0

# copy and paste the following commands for '2-security'

gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-security-providers.tf ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./

Impersonating the automation service account

The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The gcp-devops and organization-admins groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups.

Variable configuration

Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets:

variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the 0-globals.auto.tfvars.json file linked or copied above
variables which refer to resources managed by previous stage, which are prepopulated here via the 0-bootstrap.auto.tfvars.json and 1-resman.auto.tfvars.json files linked or copied above
and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom terraform.tfvars file

The latter set is explained in the Customization sections below, and the full list can be found in the Variables table at the bottom of this document.

Note that the outputs_location variable is disabled by default, you need to explicitly set it in your terraform.tfvars file if you want output files to be generated by this stage. This is a sample terraform.tfvars that configures it, refer to the bootstrap stage documentation for more details:

outputs_location = "~/fast-config"

Using delayed billing association for projects

This configuration is possible but unsupported and only exists for development purposes, use at your own risk:

temporarily switch billing_account.id to null in 0-globals.auto.tfvars.json
for each project resources in the project modules used in this stage (dev-sec-project, prod-sec-project)
- apply using -target, for example terraform apply -target 'module.prod-sec-project.google_project.project[0]'
- untaint the project resource after applying, for example terraform untaint 'module.prod-sec-project.google_project.project[0]'
go through the process to associate the billing account with the two projects
switch billing_account.id back to the real billing account id
resume applying normally

Running the stage

Once provider and variable values are in place and the correct user is configured, the stage can be run:

terraform init
terraform apply

Customizations

KMS keys

Cloud KMS configuration is controlled by kms_keys, which configures the actual keys to create, and also allows configuring their IAM bindings, labels, locations and rotation period. When configuring locations for a key, please consider the limitations each cloud product may have.

The additional kms_restricted_admins variable allows granting roles/cloudkms.admin to specified principals, restricted via delegated role grants so that it only allows granting the roles needed for encryption/decryption on keys. This allows safe delegation of key management to subsequent Terraform stages like the Project Factory, for example to grant usage access on relevant keys to the service agent accounts for compute, storage, etc.

To support these scenarios, key IAM bindings are configured by default to be additive, to enable other stages or Terraform configuration to safely co-manage bindings on the same keys. If this is not desired, follow the comments in the core-dev.tf and core-prod.tf files to switch to authoritative bindings on keys.

An example of how to configure keys:

# terraform.tfvars

kms_keys = {
  compute = {
    iam = {
      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
        "user:user1@example.com"
      ]
    }
    labels          = { service = "compute" }
    locations       = ["europe-west1", "europe-west3", "global"]
    rotation_period = "7776000s"
  }
  storage = {
    iam             = null
    labels          = { service = "compute" }
    locations       = ["europe"]
    rotation_period = null
  }
}

The script will create one keyring for each specified location and keys on each keyring.

VPC Service Controls configuration

A set of variables allows configuring the VPC SC perimeters described above:

vpc_sc_perimeter_projects configures project membership in the three regular perimeters
vpc_sc_access_levels configures access levels, which can then be associated to perimeters by key using the vpc_sc_perimeter_access_levels
vpc_sc_egress_policies configures directional egress policies, which can then be associated to perimeters by key using the vpc_sc_perimeter_egress_policies
vpc_sc_ingress_policies configures directional ingress policies, which can then be associated to perimeters by key using the vpc_sc_perimeter_ingress_policies

This allows configuring VPC SC in a fairly flexible and concise way, without repeating similar definitions. Bridges perimeters configuration will be computed automatically to allow communication between regular perimeters: landing <-> prod and landing <-> dev.

Dry-run vs. enforced

The VPC SC configuration is set up by default in dry-run mode to allow easy experimentation, and detecting violations before enforcement. Once everything is set up correctly, switching to enforced mode needs to be done in code, by changing the vpc_sc_explicit_dry_run_spec local.

Access levels

Access levels are defined via the vpc_sc_access_levels variable, and referenced by key in perimeter definitions:

vpc_sc_access_levels = {
  onprem = {
    conditions = [{
      ip_subnetworks = ["101.101.101.0/24"]
    }]
  }
}

Ingress and Egress policies

Ingress and egress policy are defined via the vpc_sc_egress_policies and vpc_sc_ingress_policies, and referenced by key in perimeter definitions:

vpc_sc_egress_policies = {
  iac-gcs = {
    from = {
      identities = [
        "serviceAccount:xxx-prod-resman-security-0@xxx-prod-iac-core-0.iam.gserviceaccount.com"
      ]
    }
    to = {
      operations = [{
        method_selectors = ["*"]
        service_name     = "storage.googleapis.com"
      }]
      resources = ["projects/123456782"]
    }
  }
}
vpc_sc_ingress_policies = {
  iac = {
    from = {
      identities = [
        "serviceAccount:xxx-prod-resman-security-0@xxx-prod-iac-core-0.iam.gserviceaccount.com"
      ]
      access_levels = ["*"]
    }
    to = {
      operations = [{ method_selectors = [], service_name = "*" }]
      resources  = ["*"]
    }
  }
}

Perimeters

Regular perimeters are defined via the the vpc_sc_perimeters variable, and bridge perimeters are automatically populated from that variable.

Support for independently adding projects to perimeters outside of this Terraform setup is pending resolution of this Google Terraform Provider issue, which implements support for dry-run mode in the additive resource.

Access levels and egress/ingress policies are referenced in perimeters via keys.

vpc_sc_perimeters = {
  dev = {
    egress_policies  = ["iac-gcs"]
    ingress_policies = ["iac"]
    resources        = ["projects/1111111111"]
  }
  landing = {
    access_levels    = ["onprem"]
    egress_policies  = ["iac-gcs"]
    ingress_policies = ["iac"]
    resources        = ["projects/2222222222"]
  }
  prod = {
    egress_policies  = ["iac-gcs"]
    ingress_policies = ["iac"]
    resources        = ["projects/0000000000"]
  }
}

Notes

Some references that might be useful in setting up this stage:

VPC SC CSCC requirements.

Files

name	description	modules	resources
core-dev.tf	None	`kms` · `project`
core-prod.tf	None	`kms` · `project`
main.tf	Module-level locals and resources.	`folder`
outputs.tf	Module outputs.		`google_storage_bucket_object` · `local_file`
variables.tf	Module variables.
vpc-sc.tf	None	`vpc-sc`

Variables

name	description	type	required	default	producer
automation	Automation resources created by the bootstrap stage.	`object({…})`	✓		`0-bootstrap`
billing_account	Billing account id. If billing account is not part of the same org set `is_org_level` to false.	`object({…})`	✓		`0-bootstrap`
folder_ids	Folder name => id mappings, the 'security' folder name must exist.	`object({…})`	✓		`1-resman`
organization	Organization details.	`object({…})`	✓		`0-bootstrap`
prefix	Prefix used for resources that need unique names. Use 9 characters or less.	`string`	✓		`0-bootstrap`
service_accounts	Automation service accounts that can assign the encrypt/decrypt roles on keys.	`object({…})`	✓		`1-resman`
essential_contacts	Email used for essential contacts, unset if null.	`string`		`null`
kms_keys	KMS keys to create, keyed by name.	`map(object({…}))`		`{}`
outputs_location	Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable.	`string`		`null`
vpc_sc_access_levels	VPC SC access level definitions.	`map(object({…}))`		`{}`
vpc_sc_egress_policies	VPC SC egress policy definitions.	`map(object({…}))`		`{}`
vpc_sc_ingress_policies	VPC SC ingress policy definitions.	`map(object({…}))`		`{}`
vpc_sc_perimeters	VPC SC regular perimeter definitions.	`object({…})`		`{}`

Outputs

name	description	sensitive
kms_keys	KMS key ids.
stage_perimeter_projects	Security project numbers. They can be added to perimeter resources.
tfvars	Terraform variable files for the following stages.	✓

24 KiB Raw Permalink Blame History