Merge branch 'main' into gh766-script

.release-please-manifest.json

@@ -3,10 +3,10 @@
   "solutions/client-project-setup": "0.4.5",
   "solutions/client-setup": "0.7.1",
   "solutions/core-landing-zone": "0.7.1",
-  "solutions/experimentation/admin-folder": "0.1.0",
-  "solutions/experimentation/client-landing-zone": "0.1.2",
-  "solutions/experimentation/client-project": "0.1.2",
-  "solutions/experimentation/core-landing-zone": "0.5.0",
+  "solutions/experimentation/admin-folder": "0.1.2",
+  "solutions/experimentation/client-landing-zone": "0.1.4",
+  "solutions/experimentation/client-project": "0.1.4",
+  "solutions/experimentation/core-landing-zone": "0.5.3",
   "solutions/gatekeeper-policies": "0.2.1",
   "solutions/gke/configconnector/gke-admin-proxy": "0.1.4",
   "solutions/gke/configconnector/gke-cluster-autopilot": "0.2.5",

docs/landing-zone-v2/README.md

@@ -479,7 +479,7 @@ Optional
 1. Apply the hydrated kubernetes yaml to the cluster
 
     ```shell
-    kpt live apply core-landing-zone --reconcile-timeout=2m --output=table
+    kpt live apply core-landing-zone --reconcile-timeout=15m --output=table
     ```
 
 1. Check the status of the deployed resources

solutions/experimentation/admin-folder/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.1.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder/0.1.1...solutions/experimentation/admin-folder/0.1.2) (2024-02-05)
+
+
+### Bug Fixes
+
+* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33))
+
+## [0.1.1](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder/0.1.0...solutions/experimentation/admin-folder/0.1.1) (2024-02-05)
+
+
+### Bug Fixes
+
+* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829))
+
 ## [0.1.0](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder-v0.0.1...solutions/experimentation/admin-folder/0.1.0) (2023-06-02)
 
 

solutions/experimentation/admin-folder/folder-iam.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Grant GCP role Folder Admin on Admin's folder to admin
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
@@ -30,7 +29,6 @@ spec:
   member: admin-owner # kpt-set: ${admin-owner}
 ---
 # Grant GCP role Project Creator on Admin's folder to admin
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
@@ -47,7 +45,6 @@ spec:
   member: admin-owner # kpt-set: ${admin-owner}
 ---
 # Grant GCP role Owner on Admin's folder to admin
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:

solutions/experimentation/admin-folder/setters.yaml

@@ -24,8 +24,10 @@ data:
   ##########################
   #
   # Name for the Admin, lowercase only
+  # customization: required
   admin-name: 'admin1'
   # Group or User to grant permission on admin folder
+  # customization: required
   admin-owner: 'user:[email protected]'
   #
   ##########################

solutions/experimentation/client-landing-zone/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.1.4](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.3...solutions/experimentation/client-landing-zone/0.1.4) (2024-02-05)
+
+
+### Bug Fixes
+
+* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33))
+
+## [0.1.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.2...solutions/experimentation/client-landing-zone/0.1.3) (2024-02-05)
+
+
+### Bug Fixes
+
+* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829))
+
 ## [0.1.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.1...solutions/experimentation/client-landing-zone/0.1.2) (2023-11-23)
 
 

solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Grant GCP role Folder Viewer on client's folder to client's user group
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:

solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml

@@ -34,7 +34,6 @@ spec:
   description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
   # the log sink must be enabled (disabled: false) to meet the listed security controls
   disabled: false
-  # AU-2, AU-12(A), AU-12(C)
   # Includes the following types of logs:
   # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer
   # These logs are not enabled by default. They are enabled inside the client-experimentation package:

solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml

@@ -14,7 +14,6 @@
 ######
 # Cloud Logging bucket for client Platform and Component logs
 # Logs are routed using a log sink to a central logging project into a dedicated log bucket
-# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogBucket
 metadata:
@@ -29,6 +28,5 @@ spec:
   location: northamerica-northeast1
   description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
   # Implement retention policy and retention locking policy
-  # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
   locked: false # kpt-set: ${retention-locking-policy}
   retentionDays: 1 # kpt-set: ${retention-in-days}

solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml

@@ -26,7 +26,6 @@ spec:
     kind: Project
     name: logging-project-id # kpt-set: ${logging-project-id}
     namespace: projects
-  # AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
   bindings:
     - role: roles/logging.bucketWriter
       members:

solutions/experimentation/client-landing-zone/setters.yaml

@@ -39,25 +39,31 @@ data:
   ##########################
   #
   # Name for the client, lowercase only
+  # customization: required
   client-name: 'client1'
+  #
   # group to grant viewer permission on client folder
+  # customization: required
   client-folderviewer: 'group:[email protected]'
   #
   ##########################
   # Logging
   ##########################
   #
   # logging project id created in core-landing-zone
+  # customization: required
   logging-project-id: logging-project-12345
   #
   # LoggingLogBucket retention settings
   # Set the number of days to retain logs in Cloud Logging buckets
   # Set the lock mechanism on the bucket to: true or false
   # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
-  # AU-9 PROTECTION OF AUDIT INFORMATION
-  # AU-11 AUDIT RECORD RETENTION
-  # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
+  # The values below must be modified to retention-locking-policy: true in a Production setting to implement above mentioned security controls.
+  # customization: required
   retention-locking-policy: "false"
+  #
+  # The values below must be modified to retention-in-days: 365 in a Production setting to implement above mentioned security controls.
+  # customization: required
   retention-in-days: "1"
   #
   ##########################

solutions/experimentation/client-project/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.1.4](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.3...solutions/experimentation/client-project/0.1.4) (2024-02-05)
+
+
+### Bug Fixes
+
+* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33))
+
+## [0.1.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.2...solutions/experimentation/client-project/0.1.3) (2024-02-05)
+
+
+### Bug Fixes
+
+* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829))
+
 ## [0.1.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.1...solutions/experimentation/client-project/0.1.2) (2023-12-19)
 
 

solutions/experimentation/client-project/network/dns.yaml

@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
-# AU-12 - Enable logging for DNS
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSPolicy
 metadata:
@@ -24,7 +23,6 @@ metadata:
 spec:
   resourceID: logging-dnspolicy
   description: "DNS policy to enable logging"
-  # AU-12
   enableLogging: true
   networks:
     - networkRef:

solutions/experimentation/client-project/network/nat.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Cloud NAT northamerica-northeast1
-# # AU-12 - Enable Logging for Cloud Nat
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeRouterNAT
 metadata:
@@ -29,7 +28,6 @@ spec:
   routerRef:
     name: project-id-nane1-router # kpt-set: ${project-id}-nane1-router
   sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
-  # AU-12
   logConfig:
     enable: true
     filter: ALL
@@ -66,7 +64,6 @@ spec:
   routerRef:
     name: project-id-nane2-router # kpt-set: ${project-id}-nane2-router
   sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
-  # AU-12
   logConfig:
     enable: true
     filter: ALL

solutions/experimentation/client-project/network/route.yaml

@@ -14,7 +14,6 @@
 #########
 # A Route to the internet that requires that the resources attached to the network
 # specify it's tag to access the internet
-# SC-7(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeRoute
 metadata:

solutions/experimentation/client-project/network/subnet.yaml

@@ -13,15 +13,12 @@
 # limitations under the License.
 #########
 ##################################
-# AC-4 Information flow enforcement - Subnet creation to segregate and force through ZIP for access
 ##################################
 # All subnets have :
 # - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs
 # - private google access enabled https://cloud.google.com/vpc/docs/private-google-access
 ##################################
 # Subnet PAZ northamerica-northeast1
-# SC-7 BOUNDARY PROTECTION
-# AU-12 - Enable Logging for Subnet
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -38,14 +35,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet APPRZ northamerica-northeast1
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -62,14 +57,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet DATARZ northamerica-northeast1
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -86,14 +79,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet PAZ northamerica-northeast2
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -110,14 +101,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet APPRZ northamerica-northeast2
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -134,14 +123,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet DATARZ northamerica-northeast2
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -158,7 +145,6 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5

solutions/experimentation/client-project/network/vpc.yaml

@@ -25,5 +25,5 @@ spec:
   resourceID: global-vpc1-vpc
   description: experimentation VPC
   routingMode: REGIONAL
-  autoCreateSubnetworks: false # SC-7
-  deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
+  autoCreateSubnetworks: false
+  deleteDefaultRoutesOnCreate: true