feat: distinct vpc remove legacy resources BREAKING CHANGE
alaincormier-ssc committed Apr 10, 2024
1 parent 8902bd0 commit 18cbea0
Showing 4 changed files with 18 additions and 68 deletions.
14 changes: 6 additions & 8 deletions solutions/client-project-setup/README.md
@@ -16,15 +16,15 @@ Package to create a client's project, 2 project scoped namespaces for its resour
|------------------------------|-----------------------------------------|------|-------|
| classification | nonp | str | 4 |
| client-management-project-id | client-management-project-12345 | str | 1 |
| client-name | client1 | str | 63 |
| client-name | client1 | str | 59 |
| dns-project-id | dns-project-12345 | str | 2 |
| host-project-id | net-host-project-12345 | str | 5 |
| host-project-id | net-host-project-12345 | str | 3 |
| management-namespace | config-control | str | 8 |
| management-project-id | management-project-12345 | str | 2 |
| network-connectivity-profile | standard | str | 4 |
| org-id | 0000000000 | str | 4 |
| org-id | 0000000000 | str | 2 |
| project-billing-id | AAAAAA-BBBBBB-CCCCCC | str | 1 |
| project-id | client-project-12345 | str | 108 |
| project-id | client-project-12345 | str | 104 |
| repo-branch | main | str | 2 |
| repo-url | git-repo-to-observe | str | 2 |
| tier3-repo-dir | csync/tier3/configcontroller/deploy/env | str | 1 |
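Review bot: missing documentation for the breaking change. The setter counts in this table are updated (client-name 63→59, host-project-id 5→3, org-id 4→2, project-id 108→104), but nothing in the README hunks tells a consumer of the package that the tier3 service account loses its `tier3.dnsrecord.admin` binding on `${host-project-id}` and its `tier3.firewallrule.admin` binding on the `standard.applications-infrastructure` folder. A commit flagged BREAKING CHANGE should carry a short migration paragraph in the README: which bindings go away, and that the `${dns-project-id}` and class-folder bindings remain.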
@@ -41,10 +41,9 @@ This package has no sub-packages.
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMServiceAccount | project-id-tier3-sa | client-name-config-control |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-serviceaccountadmin-project-id-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-securityadmin-project-id-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-public-ip-admin-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-security-admin-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-public-ip-admin-project-id-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-security-admin-project-id-permissions | client-name-projects |
| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPartialPolicy | project-id-tier3-sa-workload-identity-binding | client-name-config-control |
| namespaces/project-id-tier3.yaml | v1 | Namespace | project-id-tier3 | |
| namespaces/project-id-tier3.yaml | core.cnrm.cloud.google.com/v1beta1 | ConfigConnectorContext | configconnectorcontext.core.cnrm.cloud.google.com | project-id-tier3 |
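Review bot: the renamed rows in this hunk have no matching change in the manifest. `project-id-tier3-sa-compute-public-ip-admin-permissions` becomes `project-id-tier3-sa-compute-public-ip-admin-project-id-permissions`, and likewise for `compute-security-admin`, yet the only hunk touching namespaces/project-id-tier3.yaml in this commit deletes the host-project DNS binding and adds nothing. Either the yaml already carried the `-project-id-` names and the README is catching up (then say so in the commit message), or the README is now ahead of the manifests; please confirm which, since `config.kubernetes.io/depends-on` references elsewhere are keyed on these resource names.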
@@ -70,7 +69,6 @@ This package has no sub-packages.
| services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service | project-id-serviceusage | client-name-projects |
| services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service | project-id-logging | client-name-projects |
| services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service | project-id-monitoring | client-name-projects |
| shared-vpc/namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions | client-name-hierarchy |
| shared-vpc/namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions | client-name-hierarchy |
| shared-vpc/namespaces/project-id-tier4.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions | client-name-networking |
| shared-vpc/namespaces/project-id-tier4.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions | client-name-networking |
20 changes: 0 additions & 20 deletions solutions/client-project-setup/namespaces/project-id-tier3.yaml
@@ -65,26 +65,6 @@ spec:
role: roles/iam.securityAdmin
member: "serviceAccount:[email protected]" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Tier3 DNS Record Admin to GCP SA on Client Host Project
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions # kpt-set: ${project-id}-tier3-sa-tier3-dnsrecord-admin-${host-project-id}-permissions
namespace: client-name-projects # kpt-set: ${client-name}-projects
annotations:
cnrm.cloud.google.com/ignore-clusterless: "true"
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
labels:
legacy: to-be-removed
spec:
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
name: host-project-id # kpt-set: ${host-project-id}
# AC-1, AC-3(7), AC-3, AC-16(2)
role: organizations/org-id/roles/tier3.dnsrecord.admin # kpt-set: organizations/${org-id}/roles/tier3.dnsrecord.admin
member: "serviceAccount:[email protected]" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Tier3 DNS Record Admin to GCP SA on Client DNS Project
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
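Review bot: deleting this IAMPolicyMember revokes the binding on the live project, not only in the manifest. The resource carries just the `cnrm.cloud.google.com/ignore-clusterless` annotation and the `legacy: to-be-removed` label, with no `cnrm.cloud.google.com/deletion-policy: abandon`, so once Config Connector prunes it, `tier3-sa@${project-id}` loses `organizations/${org-id}/roles/tier3.dnsrecord.admin` on `${host-project-id}` at the next sync. That is presumably the intent (the label already marked it for removal), but any tier3 workload still managing DNS records in the host project breaks at that moment. Confirm before release that the retained binding on the DNS project (the document that follows the deleted block) covers every zone those workloads touch, and name the revoked role in the release notes.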
32 changes: 12 additions & 20 deletions solutions/client-project-setup/securitycontrols.md
@@ -8,12 +8,11 @@
|AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
|AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
|AC-1|./namespaces/project-id-tier3.yaml|syncs-repo|
|AC-1|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -24,8 +23,7 @@
|AC-1|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-1|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-1|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
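Review bot: the row accounting in this hunk points to a generator artifact, not a real control change. Before the change the `app-infra-class-folder` binding is listed once and the deleted `app-infra-folder` binding twice; after it, `app-infra-class-folder` is listed twice. The extra row comes from the file-level comment block at the top of shared-vpc/namespaces/project-id-tier3.yaml (`# AC-1 - Implementation of access control` and the `# AC-3(7), AC-3, AC-16(2) ...` line), which the securitycontrols.md generator attributes to whichever resource comes first in the file; the deletion simply moved that attribution onto the class-folder resource. Nothing to fix in the table itself, but regenerate this file rather than hand-editing the eight hunks, and consider keeping control references only in the per-resource `# AC-1, AC-3(7), AC-3, AC-16(2)` comments so the attribution stops shifting when resources are reordered or removed.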
@@ -36,12 +34,11 @@
|AC-16(2)|./namespaces/project-id-tier3.yaml|configconnectorcontext.core.cnrm.cloud.google.com|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
|AC-16(2)|./namespaces/project-id-tier3.yaml|syncs-repo|
|AC-16(2)|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -53,8 +50,7 @@
|AC-16(2)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-16(2)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-16(2)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
@@ -65,12 +61,11 @@
|AC-3|./namespaces/project-id-tier3.yaml|configconnectorcontext.core.cnrm.cloud.google.com|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
|AC-3|./namespaces/project-id-tier3.yaml|syncs-repo|
|AC-3|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -82,8 +77,7 @@
|AC-3|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-3|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-3|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
@@ -94,12 +88,11 @@
|AC-3(7)|./namespaces/project-id-tier3.yaml|configconnectorcontext.core.cnrm.cloud.google.com|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
|AC-3(7)|./namespaces/project-id-tier3.yaml|syncs-repo|
|AC-3(7)|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -111,8 +104,7 @@
|AC-3(7)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-3(7)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
|AC-3(7)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
@@ -15,26 +15,6 @@
# GCP Service Account for tier3
# AC-1 - Implementation of access control
# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required.
# Grant GCP role Tier3 Firewall Rule Admin to GCP SA on standard.applications-infrastructure folder
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions # kpt-set: ${project-id}-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions
namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy
annotations:
cnrm.cloud.google.com/ignore-clusterless: "true"
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
labels:
legacy: to-be-removed
spec:
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Folder
name: standard.applications-infrastructure
# AC-1, AC-3(7), AC-3, AC-16(2)
role: organizations/org-id/roles/tier3.firewallrule.admin # kpt-set: organizations/${org-id}/roles/tier3.firewallrule.admin
member: "serviceAccount:[email protected]" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Tier3 Firewall Rule Admin to GCP SA on {network-connectivity-profile}.applications-infrastructure.{classification} folder
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
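Review bot: the security reason for this deletion deserves to be stated explicitly. The removed binding's `resourceRef.name: standard.applications-infrastructure` is a hardcoded folder with no `kpt-set` marker, whereas the retained binding that follows targets the `{network-connectivity-profile}.applications-infrastructure.{classification}` folder derived from the package setters. In other words, every client rendered from this package, whatever its connectivity profile or classification, was granting `tier3.firewallrule.admin` on the shared `standard` folder to its tier3 service account; dropping it narrows the SA to the class-specific folder it actually owns. The commit title ("distinct vpc remove legacy resources") hides that this is a least-privilege fix; spell it out so the change is not reverted as a regression when a client notices lost firewall-rule access on the standard folder.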
0 comments on commit 18cbea0