fix: cleanup client-landing-zone (#556)
* fix: cleanup client-landing-zone

* fix linting errors

* fix typo
alaincormier-ssc authored Oct 11, 2023
1 parent 8a2035f commit 0bf5cc3
Showing 22 changed files with 440 additions and 80 deletions.
9 changes: 5 additions & 4 deletions solutions/client-landing-zone/README.md
Expand Up @@ -18,13 +18,13 @@ Package to create a client's folder hierarchy, logging resources and a network h
| allowed-os-update-source-ip-ranges | ["10.1.0.0/21", "10.1.8.0/21", "10.1.128.0/21", "10.1.136.0/21"] | array | 1 |
| client-billing-id | AAAAAA-BBBBBB-CCCCCC | str | 1 |
| client-folderviewer | group:client1@example.com | str | 1 |
| client-name | client1 | str | 185 |
| denied-sanctioned-countries | ["CU", "IR", "KP", "SY"] | array | 1 |
| client-name | client1 | str | 187 |
| denied-sanctioned-countries | ["XX"] | array | 1 |
| dns-name | client-name.example.com. | str | 2 |
| dns-nameservers | ["ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com.", "ns-cloud-a3.googledomains.com.", "ns-cloud-a4.googledomains.com."] | array | 1 |
| dns-project-id | dns-project-12345 | str | 2 |
| firewall-egress-allow-all-internal | [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 240.0.0.0/4] | array | 5 |
| host-project-id | net-host-project-12345 | str | 111 |
| firewall-internal-ip-ranges | [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 240.0.0.0/4] | array | 5 |
| host-project-id | net-host-project-12345 | str | 115 |
| logging-project-id | logging-project-12345 | str | 2 |
| project-allowed-restrict-vpc-peering | [under:projects/PROJECT_ID] | array | 0 |
| retention-in-days | 1 | int | 1 |
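Review bot: renaming the kpt setter `firewall-egress-allow-all-internal` to `firewall-internal-ip-ranges`, and changing the `denied-sanctioned-countries` example from `["CU", "IR", "KP", "SY"]` to `["XX"]`, are both changes an existing consumer will trip over, so they belong in the README (or a changelog) rather than only in the setter table: anyone who already carries the old setter name in a Kptfile will stop getting the value substituted, and `XX` needs to be called out as a placeholder to replace with real ISO country codes before deployment, not as a working default. The occurrence counts moving from 185 to 187 for `client-name` and from 111 to 115 for `host-project-id` are consistent with the new ingress-deny rule added in this commit, so those look right.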
Expand Down Expand Up @@ -70,6 +70,7 @@ This package has no sub-packages.
| client-folder/standard/applications-infrastructure/host-project/network/dnspolicy.yaml | dns.cnrm.cloud.google.com/v1beta1 | DNSPolicy | host-project-id-standard-logging-dnspolicy | client-name-networking |
| client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | host-project-id-standard-egress-allow-all-internal-fwr | client-name-networking |
| client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | host-project-id-standard-default-egress-deny-fwr | client-name-networking |
| client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | host-project-id-standard-default-ingress-deny-fwr | client-name-networking |
| client-folder/standard/applications-infrastructure/host-project/network/nat.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeRouterNAT | host-project-id-nane1-nat | client-name-networking |
| client-folder/standard/applications-infrastructure/host-project/network/nat.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeRouter | host-project-id-nane1-router | client-name-networking |
| client-folder/standard/applications-infrastructure/host-project/network/nat.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeRouterNAT | host-project-id-nane2-nat | client-name-networking |
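Review bot: the new `host-project-id-standard-default-ingress-deny-fwr` row, like the `host-project-id-standard-default-egress-deny-fwr` row beside it, says nothing about where the rule sits in the priority order. VPC firewall rules are evaluated lowest priority number first, so the README should state that both default deny rules are created at the lowest priority (highest number); otherwise a reader cannot tell that the traffic the folder policy hands down with goto_next (IAP, LB health checks, OS updates) is still matched by its allow rule in the host project before the deny applies.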
Next changed file (file name not shown on this page):
Expand Up @@ -12,13 +12,14 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# The following rules are automatically created when the firewall policy is created:
# The following rules are automatically created when policy is created to delegate traffic to/from VPC resources to shared VPC network within host project:
# 2147483644 default egress rule ipv6 Egress IPv6 ranges: ::/0 all Goto next
# 2147483645 default ingress rule ipv6 Ingress IPv6 ranges: ::/0 all Goto next
# 2147483646 default egress rule Egress IPv4 ranges: 0.0.0.0/0 all Goto next
# 2147483647 default ingress rule Ingress IPv4 ranges: 0.0.0.0/0 all Goto next
#########
# Client Compute Firewall Policy on folder client-folder
# Client Compute Firewall Policy to folder client-folder
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
metadata:
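Review bot: the reworded header comment `# The following rules are automatically created when policy is created to delegate traffic to/from VPC resources to shared VPC network within host project:` is hard to parse on first read; the four rules listed under it are all goto_next, so something like "The following rules are created automatically with the firewall policy; each is a goto_next that delegates evaluation of traffic to/from VPC resources to the shared VPC firewall rules in the host project:" says the same thing in plain order. Likewise `# Client Compute Firewall Policy to folder client-folder` reads better as "on folder client-folder" (the previous wording) or "for folder client-folder".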
Expand All @@ -31,12 +32,13 @@ spec:
# - uncomment 'resourceID' below
# - replace 1234567890 with the policy ID number (it can be found in the cloud console)
# resourceID: firewallPolicies/1234567890
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
folderRef:
name: clients.client-name # kpt-set: clients.${client-name}
namespace: hierarchy
description: "Firewall policy for client-name" # kpt-set: Firewall policy for ${client-name}
---
# firewall policy association to client's folder
# Firewall policy association to client-folder folder
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyAssociation
metadata:
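Review bot: `# Firewall policy association to client-folder folder` repeats "folder"; "Firewall policy association for folder client-folder" matches the wording used for the policy above. The inserted `# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)` line placed directly above `folderRef:` reads as if the folder reference by itself satisfies those controls, while the full justification already sits on the file header; if a per-field tag is what the compliance tooling scans for, keep it, otherwise it is a duplicate of the header line.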
Expand All @@ -49,5 +51,6 @@ spec:
kind: Folder
name: clients.client-name # kpt-set: clients.${client-name}
namespace: hierarchy
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
Next changed file (file name not shown on this page):
Expand Up @@ -14,7 +14,8 @@
#########
# Rules 2147483541 to 2147483546 in are the suggested defaults by Google
#########
# Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (EGRESS)
# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
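Review bot: the unchanged context line `# Rules 2147483541 to 2147483546 in are the suggested defaults by Google` has a stray "in"; since this comment block is being rewritten anyway, fix it here. In the new comment, `egress traffic(firewall)` needs a space before the parenthesis, and the sentence is clearer as "Delegate egress traffic from VPC resources to private IP ranges to the shared VPC firewall rules in the host project", which keeps the action (delegate) next to what is delegated.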
Expand All @@ -24,24 +25,25 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol
spec:
action: "goto_next"
description: "Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (EGRESS)"
description: "Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network"
direction: "EGRESS"
disabled: false
# logging not supported for goto_next rules
enableLogging: false
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
layer4Configs:
- ipProtocol: "all"
destIPRanges: # kpt-set: ${firewall-egress-allow-all-internal}
destIPRanges: # kpt-set: ${firewall-internal-ip-ranges}
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- "240.0.0.0/4"
priority: 2147483541
---
# Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (INGRESS)
# Delegate to the next folder.standard down in the hierarchy that has a network isolation rule that denies ingress from private IP ranges, ingress traffic from private IP ranges to VPC resources in shared VPC network
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
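Review bot: the setter rename to `# kpt-set: ${firewall-internal-ip-ranges}` is the right call now that the same list feeds both the EGRESS `destIPRanges` and the INGRESS `srcIPRanges`, but the list carries `240.0.0.0/4`, which is the reserved class E block, not an RFC 1918 private range; a one-line comment saying why it is treated as internal (or dropping it from the setter default) would stop the next reader from questioning it. The `description: "Delegate to host project, egress traffic(firewall) from VPC resources ..."` string has the same missing space as the header comment and should use the same corrected wording.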
Expand All @@ -51,17 +53,18 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol
spec:
action: "goto_next"
description: "Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (INGRESS)"
description: "Delegate to the next folder.standard down in the hierarchy that has a network isolation rule that denies ingress from private IP ranges, ingress traffic from private IP ranges to VPC resources in shared VPC network"
direction: "INGRESS"
disabled: false
# logging not supported for goto_next rules
enableLogging: false
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
layer4Configs:
- ipProtocol: "all"
srcIPRanges: # kpt-set: ${firewall-egress-allow-all-internal}
srcIPRanges: # kpt-set: ${firewall-internal-ip-ranges}
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
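Review bot: the INGRESS description `"Delegate to the next folder.standard down in the hierarchy that has a network isolation rule that denies ingress from private IP ranges, ingress traffic from private IP ranges to VPC resources in shared VPC network"` is a run-on that puts the target before the subject; because this rule is goto_next with `enableLogging: false`, the deny in the folder.standard policy is the actual enforcement point, so "Ingress from private IP ranges to VPC resources: goto_next, enforced by the network isolation deny rule in the folder.standard policy below" says the same in one clause. The comment line above the rule in the previous hunk uses the identical sentence and should get the same rewrite so the two stay in sync.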
Expand All @@ -83,6 +86,7 @@ spec:
direction: "INGRESS"
disabled: false
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
Expand Down Expand Up @@ -110,6 +114,7 @@ spec:
direction: "INGRESS"
disabled: false
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
Next changed file (file name not shown on this page):
Expand Up @@ -12,7 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# Goto next for IAP
# Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 to VPC resources in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
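Review bot: the new comment and description hardcode `35.235.240.0/20`; that is Google's IAP TCP forwarding source range, but a literal in free text drifts silently if the `match` block's source range is later parameterized with a setter or updated, so either derive the description from the same value or leave the range out of the description and keep it only in `match`. `ingress IAP traffic (firewall)` also reads oddly; "IAP TCP-forwarding ingress" is the usual term.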
Expand All @@ -22,11 +23,12 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol
spec:
action: "goto_next"
description: "Goto next for IAP"
description: "Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 to VPC resources in shared VPC network"
direction: "INGRESS"
disabled: false
# logging not supported for goto_next rules
enableLogging: false
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
Next changed file (file name not shown on this page):
Expand Up @@ -12,7 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# Goto next for LB health checks
# Delegate to host project, ingress LB health checks traffic (firewall) from IP ranges 35.191.0.0/16, 130.211.0.0/22 to VPC resources in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
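Review bot: same drift concern as the IAP rule: `35.191.0.0/16, 130.211.0.0/22` are the Google health-check prober ranges, and repeating them in `description:` gives two places to update when the `match` block changes. `LB health checks traffic` should read "LB health-check traffic".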
Expand All @@ -22,11 +23,12 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol
spec:
action: "goto_next"
description: "Goto next for LB health checks"
description: "Delegate to host project, ingress LB health checks traffic (firewall) from IP ranges 35.191.0.0/16, 130.211.0.0/22 to VPC resources in shared VPC network"
direction: "INGRESS"
disabled: false
# logging not supported for goto_next rules
enableLogging: false
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
Next changed file (file name not shown on this page):
Expand Up @@ -12,7 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# allow os updates
# Allow os updates
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand All @@ -22,10 +23,11 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol
spec:
action: "allow"
description: "allow os updates"
description: "Allow os updates"
direction: "EGRESS"
disabled: false
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol
match:
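Review bot: `description: "Allow os updates"` (and the matching `# Allow os updates` header comment in the previous hunk) only capitalizes the first word; "OS" is an initialism, so "Allow OS updates". Unlike the IAP and LB rules, this description does not say where egress is allowed to; since `enableLogging: true` means this rule's hits show up in firewall logs, naming the setter the `match` block draws its ranges from (the README lists `allowed-os-update-source-ip-ranges`) makes the log entry self-explanatory.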
3 changes: 2 additions & 1 deletion solutions/client-landing-zone/client-folder/folder-iam.yaml
Expand Up @@ -13,7 +13,7 @@
# limitations under the License.
######
# Grant GCP role Folder Viewer on client's folder to client's user group
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AC-3, AC-3(7), AC-16(2) - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
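Review bot: the new annotation `# AC-3, AC-3(7), AC-16(2) - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle` drops the control titles the old line carried (`# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL`); keeping the titles next to the IDs helps a reviewer who does not have the catalogue open, especially for the newly added AC-16(2). The least-privilege claim also only holds if `client-folderviewer` is bound to a group (the README example is `group:client1@example.com`) rather than an individual user; stating that expectation in the comment makes the binding reviewable on its own.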
Expand All @@ -27,5 +27,6 @@ spec:
kind: Folder
name: clients.client-name # kpt-set: clients.${client-name}
namespace: hierarchy
# AC-3, AC-3(7), AC-16(2)
role: roles/resourcemanager.folderViewer
member: client-folderviewer # kpt-set: ${client-folderviewer}