diff --git a/solutions/client-project-setup/README.md b/solutions/client-project-setup/README.md
index 4b55bf04..92829783 100755
--- a/solutions/client-project-setup/README.md
+++ b/solutions/client-project-setup/README.md
@@ -16,15 +16,15 @@ Package to create a client's project, 2 project scoped namespaces for its resour
 |------------------------------|-----------------------------------------|------|-------|
 | classification | nonp | str | 4 |
 | client-management-project-id | client-management-project-12345 | str | 1 |
-| client-name | client1 | str | 63 |
+| client-name | client1 | str | 59 |
 | dns-project-id | dns-project-12345 | str | 2 |
-| host-project-id | net-host-project-12345 | str | 5 |
+| host-project-id | net-host-project-12345 | str | 3 |
 | management-namespace | config-control | str | 8 |
 | management-project-id | management-project-12345 | str | 2 |
 | network-connectivity-profile | standard | str | 4 |
-| org-id | 0000000000 | str | 4 |
+| org-id | 0000000000 | str | 2 |
 | project-billing-id | AAAAAA-BBBBBB-CCCCCC | str | 1 |
-| project-id | client-project-12345 | str | 108 |
+| project-id | client-project-12345 | str | 104 |
 | repo-branch | main | str | 2 |
 | repo-url | git-repo-to-observe | str | 2 |
 | tier3-repo-dir | csync/tier3/configcontroller/deploy/env | str | 1 |
@@ -41,10 +41,9 @@ This package has no sub-packages.
 | namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMServiceAccount | project-id-tier3-sa | client-name-config-control |
 | namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-serviceaccountadmin-project-id-permissions | client-name-projects |
 | namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-securityadmin-project-id-permissions | client-name-projects |
-| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions | client-name-projects |
 | namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions | client-name-projects |
-| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-public-ip-admin-permissions | client-name-projects |
-| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-security-admin-permissions | client-name-projects |
+| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-public-ip-admin-project-id-permissions | client-name-projects |
+| namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-compute-security-admin-project-id-permissions | client-name-projects |
 | namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPartialPolicy | project-id-tier3-sa-workload-identity-binding | client-name-config-control |
 | namespaces/project-id-tier3.yaml | v1 | Namespace | project-id-tier3 | |
 | namespaces/project-id-tier3.yaml | core.cnrm.cloud.google.com/v1beta1 | ConfigConnectorContext | configconnectorcontext.core.cnrm.cloud.google.com | project-id-tier3 |
@@ -70,7 +69,6 @@ This package has no sub-packages.
 | services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service | project-id-serviceusage | client-name-projects |
 | services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service | project-id-logging | client-name-projects |
 | services.yaml | serviceusage.cnrm.cloud.google.com/v1beta1 | Service | project-id-monitoring | client-name-projects |
-| shared-vpc/namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions | client-name-hierarchy |
 | shared-vpc/namespaces/project-id-tier3.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions | client-name-hierarchy |
 | shared-vpc/namespaces/project-id-tier4.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions | client-name-networking |
 | shared-vpc/namespaces/project-id-tier4.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions | client-name-networking |
diff --git a/solutions/client-project-setup/namespaces/project-id-tier3.yaml b/solutions/client-project-setup/namespaces/project-id-tier3.yaml
index 1403612d..6ed2c4e8 100644
--- a/solutions/client-project-setup/namespaces/project-id-tier3.yaml
+++ b/solutions/client-project-setup/namespaces/project-id-tier3.yaml
@@ -65,26 +65,6 @@ spec: role: roles/iam.securityAdmin member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com --- -# Grant GCP role Tier3 DNS Record Admin to GCP SA on Client Host Project -apiVersion: iam.cnrm.cloud.google.com/v1beta1 -kind: IAMPolicyMember -metadata: - name: project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions # kpt-set: ${project-id}-tier3-sa-tier3-dnsrecord-admin-${host-project-id}-permissions - namespace: client-name-projects # kpt-set: ${client-name}-projects - annotations: - cnrm.cloud.google.com/ignore-clusterless: "true" - config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id} - labels: - legacy: to-be-removed -spec: - resourceRef: - apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 - kind: Project - name: host-project-id # kpt-set: ${host-project-id} - # AC-1, AC-3(7), AC-3, AC-16(2) - role: organizations/org-id/roles/tier3.dnsrecord.admin # kpt-set: organizations/${org-id}/roles/tier3.dnsrecord.admin - member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com ---- # Grant GCP role Tier3 DNS Record Admin to GCP SA on Client DNS Project apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember diff --git a/solutions/client-project-setup/securitycontrols.md b/solutions/client-project-setup/securitycontrols.md index faf40d8b..6ef939cd 100644 --- a/solutions/client-project-setup/securitycontrols.md +++ b/solutions/client-project-setup/securitycontrols.md 
@@ -8,12 +8,11 @@
 |AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
 |AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
 |AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
-|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
-|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
 |AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
 |AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
 |AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
-|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
 |AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
 |AC-1|./namespaces/project-id-tier3.yaml|syncs-repo|
 |AC-1|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -24,8 +23,7 @@
 |AC-1|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-1|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
-|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
-|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
+|AC-1|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
 |AC-1|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-1|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-1|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
@@ -36,12 +34,11 @@
 |AC-16(2)|./namespaces/project-id-tier3.yaml|configconnectorcontext.core.cnrm.cloud.google.com|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
-|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
-|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
+|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
+|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
-|AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|syncs-repo|
 |AC-16(2)|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -53,8 +50,7 @@
 |AC-16(2)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-16(2)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
-|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
-|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
+|AC-16(2)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
 |AC-16(2)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-16(2)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-16(2)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
@@ -65,12 +61,11 @@
 |AC-3|./namespaces/project-id-tier3.yaml|configconnectorcontext.core.cnrm.cloud.google.com|
 |AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
 |AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
-|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
-|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
+|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
+|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
 |AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
 |AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
 |AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
-|AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
 |AC-3|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
 |AC-3|./namespaces/project-id-tier3.yaml|syncs-repo|
 |AC-3|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -82,8 +77,7 @@
 |AC-3|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-3|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
-|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
-|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
+|AC-3|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
 |AC-3|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-3|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-3|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
@@ -94,12 +88,11 @@
 |AC-3(7)|./namespaces/project-id-tier3.yaml|configconnectorcontext.core.cnrm.cloud.google.com|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
-|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-permissions|
-|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-permissions|
+|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-project-id-permissions|
+|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-project-id-permissions|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions|
-|AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
 |AC-3(7)|./namespaces/project-id-tier3.yaml|syncs-repo|
 |AC-3(7)|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
@@ -111,8 +104,7 @@
 |AC-3(7)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-3(7)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
-|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
-|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
+|AC-3(7)|./shared-vpc/namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-class-folder-permissions|
 |AC-3(7)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-3(7)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
 |AC-3(7)|./shared-vpc/namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
diff --git a/solutions/client-project-setup/shared-vpc/namespaces/project-id-tier3.yaml b/solutions/client-project-setup/shared-vpc/namespaces/project-id-tier3.yaml
index e59965e7..7fa100f9 100644
--- a/solutions/client-project-setup/shared-vpc/namespaces/project-id-tier3.yaml
+++ b/solutions/client-project-setup/shared-vpc/namespaces/project-id-tier3.yaml
@@ -15,26 +15,6 @@ # GCP Service Account for tier3 # AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. -# Grant GCP role Tier3 Firewall Rule Admin to GCP SA on standard.applications-infrastructure folder -apiVersion: iam.cnrm.cloud.google.com/v1beta1 -kind: IAMPolicyMember -metadata: - name: project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions # kpt-set: ${project-id}-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions - namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy - annotations: - cnrm.cloud.google.com/ignore-clusterless: "true" - config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id} - labels: - legacy: to-be-removed -spec: - resourceRef: - apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 - kind: Folder - name: standard.applications-infrastructure - # AC-1, AC-3(7), AC-3, AC-16(2) - role: organizations/org-id/roles/tier3.firewallrule.admin # kpt-set: organizations/${org-id}/roles/tier3.firewallrule.admin - member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com ---- # Grant GCP role Tier3 Firewall Rule Admin to GCP SA on {network-connectivity-profile}.applications-infrastructure.{classification} folder apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember